We've known for a long time that requiring just a user name and password to get on the network or to access personal information on a Web site isn't the tightest security posture, but there weren't a lot of good alternatives, and there wasn't that much pressure to change.

Now, with new federal regulations, with tough industry standards bearing down and with identity fraud and phishing running rampant, simple user name and password doesn't cut it anymore.

Luckily, there are plenty of good options out there for implementing two-factor authentication. Options that don't require public-key infrastructure. And options that don't rely on esoteric biometric techniques such as retinal scans or voice prints.

For example, Secure Computing offers a two-factor authentication platform that generates single-use passwords. End users launch the SafeWord Premier Access application to retrieve the one-time password. Secure Computing has also launched an application for handhelds and other mobile devices. (Compare identity management products.)

Ebay is offering its PayPal customers a $5 security key based on VeriSign's One-Time Password Token product. The device issues a new numeric password every 30 seconds.

And there are plenty of innovative two-factor authentication methods out there. For example, Positive Networks uses phones as a way to authenticate users. An end user logging onto their computer triggers a phone call to a designated number. The user then punches in a PIN, which triggers access to the network.

A company called BioPassword uses "keystroke dynamics" to identify a user by the simple way that they type in their user name and password. If the typing rhythm matches, then the user is allowed in.

Then there's a company called PassFaces, which asks users to recognize a pre-determined human face from among a bunch of faces displayed on the screen. It's simple and doesn't require that end users have a physical token or remember a set of numbers.

At this point it almost doesn't matter what type of two-factor authentication you choose – token, key, biometrics, cognitive. The important thing is to make sure that you move beyond user name and password when letting users onto your network and onto your Web site.

< Return to main page: Eight technologies for 2008 >

Whitepapers

• Getting in Compliance With Government Data Regulations By Leveraging Online Security Technology
• How to Offer the Strongest SSL Encryption
• Maximizing Site Visitor Trust Using Extended Validation SSL
• Seven Steps to Reducing your Security Risk
• The Latest Advancements in SSL Technology
• Vulnerability Management For Dummies

View more SECURITY whitepapers

Webcasts

• Mobile Data Security
• Best Practices for Deploying WAN Optimization for Disaster Recovery
• Key Considerations for a Successful 802.11n Deployment
• Solutions to the Toughest IT Challenges in Remote Offices
• Lowering the Cost of Email Archives
• High Availability for SQL Server 2005 Using Array-Based Replication and Host-Based Mirroring Technologies

View more SECURITY webcasts

Special Reports

• The Evolution of Network Security
• Taking Virtualization Up a Notch
• The self-managed network

View more SECURITY special reports