
Scaling your security strategy

Deb Shinder

Published: 11 Aug 2005 13:05 BST


Multi-factor authentication makes things much more difficult for the social engineer. Password authentication is single-factor authentication: it depends on providing something you know (the password) to prove your identity. Multi-factor authentication still requires that you provide a password or PIN, but goes a step further and requires that you also provide something more. This can be:

  • Something you have in your possession (a smart card or keyring token)
  • Something you are (biometric identifiers such as a fingerprint, retinal scan or iris scan)
  • Something you do (voice print analysis, handwriting pattern analysis)

When multi-factor authentication is required to sign on to the network or computer, even a social engineer who has managed to obtain a valid password is out of luck without the second factor.

Scaling your new authentication plan
Multi-factor authentication can greatly increase your security, but implementing a biometric or card/token-based authentication scheme can be expensive. In addition to the equipment itself, there will be extra administrative time devoted to setting up and maintaining the authentication method.

For example, if you decide to go with smart card authentication, you'll need to buy card readers for each workstation, set up a computer (called an enrolment station) to create the cards, and purchase the cards themselves. An administrator will have to spend time setting up the hardware and software, making the cards, making new cards for employees who lose theirs, etc.

Many organisations begin their foray into multi-factor authentication with cards and tokens because the equipment is generally less expensive and there may be less resistance from employees and other network users than with biometric and behavioural methods that seem more intrusive. However, card and token methods have ongoing costs that biometrics don't have (you won't have to issue a user new fingerprints because he lost his). You'll also have to deal with the inevitable user who always leaves the card at home and can't get access, which costs more in administrative time.

For that reason, companies may "move up" from card-based authentication to biometric authentication for greater security and convenience.

Whichever way you go, you don't have to implement multi-factor authentication throughout the entire network all at once if you have a large organisation. It may be easier — and more cost effective — to set up a pilot program first. You can make the switch in a single department or branch office, or only require multi-factor authentication for users with high levels of access privileges. This allows you to evaluate any problems that occur during the transition and be ready for them when you expand the new authentication method to more of your users. In addition, if you try out cards and find that they cause more problems than they solve, and decide you want to use biometrics instead, you haven't invested so much in the initial outlay for equipment and supplies.

User authentication is your first line of defence against intruders, so it's important that your authentication strategy evolve as your business grows. Don't be stuck relying on passwords alone to protect your network in an environment that demands a high level of security.
