Midmarket companies have been very slow to adopt multifactor authentication, such as one-time password (OTP) tokens, smart cards and biometrics to protect access to sensitive information, although almost everyone agrees that passwords are flawed authentication protections.
Beyond the actual product purchase, smaller companies have to commit scarce IT resources to implementation or pay the vendor or IT solution provider to handle the job.
In this tip, we'll examine some of the key considerations that go into the decision to adopt multifactor authentication.
Perform a two-factor authentication cost, risk analysis
Take stock of what information may require additional protection and who needs access to it.
The process doesn't necessarily call for an exhaustive and seemingly endless data classification project, but you should be able to identify what is of potential value to thieves or subject to data breach notification laws and other compliance mandates, such as
This could be company financial reports, confidential corporate information, patient health data, personnel and customer records or credentials for managers and employees who have access to corporate bank accounts. Hackers often use social engineering and spear phishing tactics to get usernames and passwords of privileged users.
"The question is: Do you have stuff sitting around that's attractive," said Bill Nagel, security analyst for Forrester Research Inc. "Are you likely to be a victim of one of the increasingly more narrowly targeted attacks?"
The good news is that, in most cases, you will only roll out multifactor authentication for a limited number of users, typically those who have access to confidential data and company accounts.
"Know where data is going and how it is being accessed," said Tom Olzak, director of information security at Ohio-based healthcare provider HCR Manor Care Inc. and a frequent writer on information security issues. "Multifactor authentication doesn't have to go to everybody, just users who present the highest risk."
Companies typically implement multifactor authentication for just 10-20% of their workforce, especially remote users who log in to the corporate network using VPNs, Nagel said.
"That's where you want to target first," he said, but the number climbs as more people work at home for at least part of the week. "There's slow bleeding if everyone becomes remote access."
The cases for company-wide deployment include a single sign-on (SSO) project or a replacement of physical access systems with converged smart cards for physical and logical access.
These use cases are more operational ones rather than security drivers, and are much more likely in enterprises than midmarket companies.
Weighing cost and risk with two-factor authentication options
Typically, multifactor authentication is a classic security investment -- it's insurance against a major security incident. Is the risk high enough to justify the expense? What's the likelihood of a breach that will cost the company more than the security investment?
Consider the total cost of ownership, not just the initial purchase. A hardware-based approach, such as OTP tokens, will cost $50-$100 per user each year, said Nagel. That figure may go as high as $150, Olzak said.
Midmarket companies should expect to pay their IT solutions provider or vendor to install the multifactor authentication system and deploy it to users, because they often lack both the staff time and expertise to do it themselves. On the plus side, this is usually pretty straightforward for most midmarket companies, which don't have to worry about integrating multifactor authentication into the complex, heterogeneous environments in large enterprises. Products work nicely through Active Directory, which will reduce the integration issues for smaller businesses.
Nonetheless, if implementing a token approach, it's also important to consider ongoing management headaches and the cost of replacing lost or damaged tokens, and dealing with users who forget to bring tokens into the office or, worse, forget or lose them on the road.
Authentication smart cards, which include digital certificates and other user credentials, aren't an attractive option for most midmarket companies, unless they already have a physical access card system they are willing to replace. Smart card implementation also forces companies to invest in and maintain card readers. Biometrics, usually fingerprints, require the added expense of laptops equipped with readers, which must be kept cleaned and replaced if damaged.
Among the more appealing options are soft tokens, which generate OTPs on the laptop device rather than external hardware, and a very new development, smartphone authentication. Soft tokens eliminate the cost and maintenance headaches of hardware tokens, but are only as secure as the laptop itself. (Some vendors protect the OTP in a PKI wrapper, which allows access only if correct certificates are presented.)
Smartphones are interesting as authentication devices, as vendors will generally support a wide variety of phone OSes. Short message service-based one-time passwords use text messaging to deliver a one-time password upon request. One-time passwords can also be generated via software on the mobile phone. Out-of-band authentication is another mobile authentication option: Before entering an application website, for example, an employee will be contacted at a known phone number and then given access once the user presses particular keys. However, with the various mobile phone authentication options, there may be latency and availability issues, depending on whether the user has a strong enough signal.
Finally, many companies are offering multifactor authentication as a managed service, eliminating the purchase and installation costs, and much, if not all, of the management overhead.
Multifactor authentication, like one-time passwords (OTP), biometrics and smart cards, offer a strong layer of data protection, but each midmarket company will have to weigh its cost and risk options before deciding which option is the best way to invest money and management resources.`
This was first published in March 2010