Who Needs 2 Factor Authentication?

Why two factor authentication is important to protect valuable applications and critical data.

Who needs two factor authentication? Probably you.

It is not news that the privacy, confidentiality, integrity, and availability of corporate and institutional data are at risk from cyber attack. Reducing the risk of unauthorized access to the “golden eggs” of data is paramount.

I think that one of the best current ways to harden access control, particularly for remote users accessing corporate applications, is with 2 factor authentication. Two factor authentication requires the user to present two correct elements at the same time in order to pass authentication: something they know (a password or PIN) and something they have (a physical device). This is materially stronger than a user name and password alone, because an attacker who learns the password must also hold the specific physical device during the authentication process.

If the user loses the authentication device, which is called a token, their user name and password are useless to whoever finds it. If someone is able to eavesdrop on a login, the captured one-time code is also useless, because the token produces a new code at least as often as every session (time-based tokens typically rotate every 30 to 60 seconds) and a well-built server refuses to accept the same code twice.

Any organization that takes security seriously should consider implementing two factor authentication. Three early concerns about this technology were:

1. Managing the authentication engine.

2. Inconvenience: The tokens were just something else to carry around.

3. Management of lost tokens.

New technology and processes have addressed these issues very well, in my opinion. For instance, you no longer need a dedicated token device; a smart phone works well now. A smart phone running the appropriate token application holds a secret seed shared with the authentication server and either generates a fresh one-time code from that seed locally or receives a new code from the server on a regular basis. And vendors now offer the authentication server itself as an outsourced service.
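As an added example, not code from the article or from any of the vendors it lists, here is the mechanism the preceding paragraphs describe, written in Go with only the standard library. The phone-side code generator follows RFC 4226 (HOTP) and RFC 6238 (TOTP), so the phone and the server derive the same six-digit code from a shared seed and the clock without the phone ever contacting the server. The server side checks both factors and refuses to redeem a code twice, which is exactly what makes an eavesdropped code useless. The seed is the published RFC test seed, the password and the fixed clock are constructed for the run, and the unsalted SHA-256 password hash is a placeholder for a real password hash such as bcrypt.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// hotp implements RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
// dynamic truncation of the MAC, then reduction to the requested digit count.
func hotp(seed []byte, counter uint64, digits int) string {
	mac := hmac.New(sha1.New, seed)
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// totp (RFC 6238) is hotp with the counter derived from the clock, so the
// phone and the server agree on the code without talking to each other.
func totp(seed []byte, unixTime, step int64, digits int) string {
	return hotp(seed, uint64(unixTime/step), digits)
}

// Verifier is the server side of the login. It holds the user's password hash
// (something they know) and the token seed (something they have).
type Verifier struct {
	passwordHash []byte
	seed         []byte
	step         int64 // seconds per code; 30 is the common TOTP value
	skew         int64 // steps of clock drift tolerated on each side
	lastStep     int64 // highest time step already redeemed; blocks replay
}

func NewVerifier(password string, seed []byte) *Verifier {
	// Unsalted SHA-256 stands in for a real password hash only to keep the
	// example short; never store passwords this way in production.
	h := sha256.Sum256([]byte(password))
	return &Verifier{passwordHash: h[:], seed: seed, step: 30, skew: 1, lastStep: -1}
}

// Login succeeds only if both factors are right and the code has not been
// redeemed before. A code captured by an eavesdropper therefore stops working
// the moment its legitimate owner logs in with it.
func (v *Verifier) Login(password, code string, now int64) bool {
	h := sha256.Sum256([]byte(password))
	if subtle.ConstantTimeCompare(h[:], v.passwordHash) != 1 {
		return false // factor 1 (something you know) failed
	}
	cur := now / v.step
	for d := -v.skew; d <= v.skew; d++ {
		s := cur + d
		if s <= v.lastStep {
			continue // this window was already redeemed, or is older: replay
		}
		want := hotp(v.seed, uint64(s), 6)
		if subtle.ConstantTimeCompare([]byte(want), []byte(code)) == 1 {
			v.lastStep = s
			return true
		}
	}
	return false // factor 2 (something you have) failed
}

func main() {
	seed := []byte("12345678901234567890") // the RFC 4226/6238 test seed, not a real one
	pw := "correct horse battery staple"   // constructed password for the run
	v := NewVerifier(pw, seed)
	now := int64(59) // fixed clock so the run is reproducible
	code := totp(seed, now, 30, 6)
	fmt.Println("phone shows:", code)
	fmt.Println("first login:", v.Login(pw, code, now))
	fmt.Println("replay of same code:", v.Login(pw, code, now))
	fmt.Println("right code, wrong password:", v.Login("guess", code, now))
}
```

The skew window tolerates a phone clock that is one step fast or slow; widening it makes drift less annoying for users but also lengthens the time a captured but unused code stays valid, so keep it small and pair it with the replay check.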

Here are a few two factor service and technology vendors you may want to investigate:

VeriSign, http://www.verisign.com/authentication/two-factor-authentication/compare-two-factor-authentication/index.html

RSA http://www.rsa.com/node.aspx?id=1313

Pinsafe http://www.swivelsecure.com/?page=principlesofpinsafe

Delfigo, multifactor authentication that uses several factors both to authenticate and to assign multiple levels of authorization. http://www.delfigosecurity.com/multi-factor-authentication?gclid=CNPnuqyc76QCFcZrKgod0nFo0w

Just to avoid any confusion, the two factor authentication I’m discussing here is for applications residing on servers, not authentication to gain access to the smart phone itself. For instance, Blackberry is a popular platform to use as a token for two factor authentication. However, this article does not cover secure access to the Blackberry device itself, which is a technology provided by RIM.

Two factor authentication also has nothing to do with Blackberry’s own encryption service. The Blackberry encryption technology is based upon RIM’s Blackberry Enterprise Server technology: http://na.blackberry.com/eng/ataglance/security/features.jsp

Do I also need Digital Signatures?

Possibly yes.

Digital signatures complement two factor authentication; the two are definitely not mutually exclusive. Two factor authentication hardens authentication for access to applications, including web facing applications. Digital signatures provide proof of the sender’s identity, message integrity, and non-repudiation for electronic communications and for web site access (the certificate behind an HTTPS site is itself a signed document). A signature by itself does not provide confidentiality: a signed message is still readable by anyone who intercepts it, and encryption is needed for that. Have a secure week.
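To make that distinction concrete, here is an added example in Go using only the standard library (it is not code from the article): an Ed25519 signature appended to a message proves who sent it and catches any alteration, while the message itself travels in the clear. The key pairs are derived from constructed labels so the run is reproducible; a real sender would generate keys with crypto/rand. The message text is a constructed sample.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// senderKeys derives an Ed25519 key pair from a constructed label so the run is
// reproducible. A real sender generates the 32-byte seed with crypto/rand.
func senderKeys(label string) (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := sha256.Sum256([]byte("example seed: " + label))
	priv := ed25519.NewKeyFromSeed(seed[:])
	return priv.Public().(ed25519.PublicKey), priv
}

// Seal appends a detached signature to msg. The message is carried in the
// clear; only the 64-byte tag at the end is new.
func Seal(priv ed25519.PrivateKey, msg []byte) []byte {
	return append(append([]byte{}, msg...), ed25519.Sign(priv, msg)...)
}

// Open splits a sealed bundle and verifies it under pub. Anyone, including an
// eavesdropper, can read the message without calling Open; what they cannot do
// is alter it or forge one as the sender.
func Open(pub ed25519.PublicKey, bundle []byte) ([]byte, bool) {
	if len(bundle) < ed25519.SignatureSize {
		return nil, false
	}
	n := len(bundle) - ed25519.SignatureSize
	msg, sig := bundle[:n], bundle[n:]
	return msg, ed25519.Verify(pub, msg, sig)
}

// Demo exercises the three properties a signature gives (sender, integrity,
// non-repudiation) and shows the one it does not: the wire text is plaintext.
func Demo() (genuine, tamperedRejected, impostorRejected bool, wireText string) {
	alicePub, alicePriv := senderKeys("alice")
	_, malloryPriv := senderKeys("mallory")

	bundle := Seal(alicePriv, []byte("Transfer $100 to account 42"))

	// The eavesdropper's view: everything before the tag is readable as-is.
	wireText = string(bundle[:len(bundle)-ed25519.SignatureSize])

	// Genuine bundle from Alice verifies.
	_, genuine = Open(alicePub, bundle)

	// Change the amount in transit; the signature no longer matches.
	tampered := append([]byte{}, bundle...)
	copy(tampered, "Transfer $999")
	_, ok := Open(alicePub, tampered)
	tamperedRejected = !ok

	// Mallory signs the same text with her own key; it fails under Alice's.
	forged := Seal(malloryPriv, []byte("Transfer $100 to account 42"))
	_, ok = Open(alicePub, forged)
	impostorRejected = !ok
	return
}

func main() {
	g, tr, ir, wire := Demo()
	fmt.Println("on the wire:", wire)
	fmt.Println("genuine accepted:", g)
	fmt.Println("tampered rejected:", tr)
	fmt.Println("impostor rejected:", ir)
}
```

If the content also has to stay private, encrypt the signed bundle (or use an authenticated encryption scheme) in addition to signing; the signature alone only settles who wrote the message and whether it changed.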

Ron Lepofsky CISSP, CISM, www.ere-security.ca


Copyright © 2010 IDG Communications, Inc.