Two-factor authentication: Hot technology for 2008

Where there’s a will, there’s a way

We’ve known for a long time that requiring just a user name and password to get on the network or to access personal information on a Web site isn't the tightest security posture, but there weren't a lot of good alternatives, and there wasn't that much pressure to change.

We've known for a long time that requiring just a user name and password to get on the network or to access personal information on a Web site isn't the tightest security posture, but there weren't a lot of good alternatives, and there wasn't that much pressure to change.

Now, with new federal regulations, with tough industry standards bearing down and with identity fraud and phishing running rampant, simple user name and password doesn't cut it anymore.

Luckily, there are plenty of good options out there for implementing two-factor authentication. Options that don't require public-key infrastructure. And options that don't rely on esoteric biometric techniques such as retinal scans or voice prints.

For example, Secure Computing offers a two-factor authentication platform that generates single-use passwords. End users launch the SafeWord Premier Access application to retrieve the one-time password. Secure Computing has also launched an application for handhelds and other mobile devices. (Compare identity management products.)

Ebay is offering its PayPal customers a $5 security key based on VeriSign's One-Time Password Token product. The device issues a new numeric password every 30 seconds.

And there are plenty of innovative two-factor authentication methods out there. For example, Positive Networks uses phones as a way to authenticate users. An end user logging onto their computer triggers a phone call to a designated number. The user then punches in a PIN, which triggers access to the network.

A company called BioPassword uses "keystroke dynamics" to identify a user by the simple way that they type in their user name and password. If the typing rhythm matches, then the user is allowed in.

Then there's a company called PassFaces, which asks users to recognize a pre-determined human face from among a bunch of faces displayed on the screen. It's simple and doesn't require that end users have a physical token or remember a set of numbers.

At this point it almost doesn't matter what type of two-factor authentication you choose – token, key, biometrics, cognitive. The important thing is to make sure that you move beyond user name and password when letting users onto your network and onto your Web site.

< Return to main page: Eight technologies for 2008 >

Learn more about this topic

Guide to two-factor authentication

06/05/06

Beyond passwords: 5 new ways to authenticate users

05/31/07

Is two-factor authentication too little, too late? No! 04/04/05

Opinion

Insider Tip: 12 easy ways to tune your Wi-Fi network
Join the discussion
Be the first to comment on this article. Our Commenting Policies