Network World
Sunday, July 5, 2009
DNSstuff.com
Get information about your IP
IP Information
50+ On-demand DNS and network tools
NetworkWorld.com > Security >

Guide to two-factor authentication

It's not who you know; it's what you know plus what you've got.

Tech Insider  By Jeff Vance, Network World, 06/05/06

Guide to two-factor authenticationIncreased online fraud and new industry regulations are driving companies to search for stronger authentication methods. The problem is there's little agreement on the best authentication method or what constitutes multifactor authentication.

Ensuring you get pizza with sync tools
07/06/09
Here's the answer to missing files compromising your plans for pizza, beer and TV.

The 10 dumbest mistakes network managers make
07/05/09
When you look at the worst corporate security breaches, it's clear that network managers keep making the same mistakes over and over again, and that many of these mistakes are easy to avoid.

Psystar bails on bankruptcy, promises to 'battle Goliath'
07/05/09
The Mac clone maker embroiled in a legal dispute with Apple asked a federal judge last week to dismiss its bankruptcy case, saying that it had been unable to reach a payment agreement with its law firm.

However, a set of best practices is slowly emerging that will help you develop a strong authentication program.

The first step is a basic one. Before jumping ahead to buying hardware tokens and face-recognition scanners, you need to thoroughly understand your risks.

Click to see...

Richard Hansberger, eNotarization director
Richard Hansberger, eNotarization director for the National Notary
Association in Chatsworth, Calif.

"When it comes to authentication, there is no one-size-fits-all solution," says Sally Hudson, an analyst at IDC. "Much depends on the level of security needed by the end user."

For example, most banks will probably offer different levels of access. For accounts that are high risk, the bank will issue tokens or smart cards. For customers who pose lower risks, the bank will more likely use software-only authentication, Hudson says.

Security consultant Bruce Schneier agrees that it's important to identify the problem before you decide on authentication. "You have to step back and make sure that there is an authentication problem that needs to be solved," he says. "If there is, then two-factor authentication will make an enormous amount of difference. If there isn't, then it won't."

Click to see...

Eight steps to better authentication
Measure risk.
Assess user base.
Choose solution that matches user base and risks.
Build business practices around authentication.
Conduct pilot test and phased rollout.
Tie in with other layers of security.
Monitor, measure, audit and review.
Roll out additional tiers of authentication or security layers as users and risks change.

There are three key questions to ask when setting up an authentication system, according to Karen Devine of RSA Security:

1. Who are you? Is this person an employee, a partner or a customer? Different levels of authentication would be set up for different types of people.

2. Where are you? For example, an employee who has already used a badge to access the building is less of a risk than an employee or partner logging on remotely. Someone logging on from a known IP address is less of a risk than someone logging on from Nigeria or Kazakhstan.

3. What do you want? Is this person accessing sensitive or proprietary information or simply gaining access to benign data?

When dealing with consumer-facing applications, such as online banking and e-commerce, strong authentication must be balanced with convenience. "There's a trade-off between increased protection and turning customers away from your online channel," cautions Kathie Claypool, senior vice president of e-commerce for Bank of America.

If it's too difficult to bank or shop online, users will go back to the brick-and-mortars.