Guide to two-factor authentication

It's not who you know; it's what you know plus what you've got.

Increased online fraud and new industry regulations are driving companies to search for stronger authentication methods. The problem is there's little agreement on the best authentication method or what constitutes multifactor authentication.

For example, most banks will probably offer different levels of access. For accounts that are high risk, the bank will issue tokens or smart cards. For customers who pose lower risks, the bank will more likely use software-only authentication, Hudson says.

Security consultant Bruce Schneier agrees that it's important to identify the problem before you decide on authentication. "You have to step back and make sure that there is an authentication problem that needs to be solved," he says. "If there is, then two-factor authentication will make an enormous amount of difference. If there isn't, then it won't."

Eight steps to better authentication

1. Measure risk.
2. Assess user base.
3. Choose solution that matches user base and risks.
4. Build business practices around authentication.
5. Conduct pilot test and phased rollout.
6. Tie in with other layers of security.
7. Monitor, measure, audit and review.
8. Roll out additional tiers of authentication or security layers as users and risks change.

There are three key questions to ask when setting up an authentication system, according to Karen Devine of RSA Security:

1. Who are you? Is this person an employee, a partner or a customer? Different levels of authentication would be set up for different types of people.

2. Where are you? For example, an employee who has already used a badge to access the building is less of a risk than an employee or partner logging on remotely. Someone logging on from a known IP address is less of a risk than someone logging on from Nigeria or Kazakhstan.

3. What do you want? Is this person accessing sensitive or proprietary information or simply gaining access to benign data?

When dealing with consumer-facing applications, such as online banking and e-commerce, strong authentication must be balanced with convenience. "There's a trade-off between increased protection and turning customers away from your online channel," cautions Kathie Claypool, senior vice president of e-commerce for Bank of America.

If it's too difficult to bank or shop online, users will go back to the brick-and-mortars.

Bank of America uses challenge questions

With 14.6 million online clients, Bank of America has the largest online banking user base in the world, so the more costly authentication options, such as biometrics or USB tokens, were prohibitively expensive.


Because phishing and identity theft prey on a user's willingness to enter information into fraudulent Web sites as much as they do on weak authentication, Claypool says it was important for authentication to be mutual.

Bank of America ultimately chose PassMark Security's technology to build its SiteKey authentication around. When customers use SiteKey for the first time, Bank of America asks them to select an image they recognize, write a phrase and select challenge questions.

When consumers go to the Bank of America Web site and see its image and phrase, they know the site is valid. Conversely, when the bank sees something unusual about a user's logon, such as a request coming from an unknown IP address, it issues challenge questions. When it receives the correct answers to those questions, the bank has a higher degree of certainty about a user's identity.

Strictly speaking, this is two-tiered authentication rather than two-factor security, because it relies on what you know (your password) plus other things you know (answers to questions). Even so, it's much better than user names and passwords alone. At a cost of about $1 per user per year, the solution should easily pay for itself with reduced fraud.
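The three questions above (who, where, what) and the step-up behavior described for SiteKey can be combined into a single policy decision. The sketch below is an added example, not code from Bank of America, PassMark or RSA; the weights, thresholds, network ranges and names are all assumptions chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample policy values; none of these come from the article.
ON_SITE_NETS = [ipaddress.ip_network("10.20.0.0/16")]      # users already badged in
WHO = {"employee": 0, "partner": 1, "customer": 1}          # who are you?
WHAT = {"public": 0, "account": 1, "transfer": 2}           # what do you want?

@dataclass
class Login:
    role: str
    source_ip: str
    resource: str

@dataclass
class Profile:
    known_ips: set = field(default_factory=set)  # addresses seen on past good logons

def where_score(login, profile):
    """Where are you? 0 = on-site, 1 = previously seen address, 2 = unknown."""
    ip = ipaddress.ip_address(login.source_ip)   # raises ValueError if malformed
    if any(ip in net for net in ON_SITE_NETS):
        return 0
    return 1 if str(ip) in profile.known_ips else 2

def required_auth(login, profile):
    """Return the authentication tier this logon must satisfy."""
    # Fail closed on anything the policy does not recognize.
    if login.role not in WHO or login.resource not in WHAT:
        return "deny"
    try:
        where = where_score(login, profile)
    except ValueError:
        return "deny"
    score = WHO[login.role] + where + WHAT[login.resource]
    if score <= 3:
        return "password"              # familiar context, routine request
    if score == 4:
        return "password+challenge"    # unusual logon: ask challenge questions
    return "password+token"            # highest risk: require a second factor

if __name__ == "__main__":
    alice = Profile(known_ips={"203.0.113.7"})
    for ip, res in [("203.0.113.7", "account"), ("198.51.100.9", "account"),
                    ("198.51.100.9", "transfer")]:
        print(ip, res, "->", required_auth(Login("customer", ip, res), alice))
```

Note that only the last tier adds a second factor; the challenge tier is still knowledge-based, which is the distinction the paragraph above draws.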

Bayshore Health invests in RFID tags

Bayshore Community Health Services represents the opposite end of the spectrum. The Holmdel, N.J., healthcare company has a much smaller user base and believes that the higher level of security offered by a hardware-based solution is worth the extra cost. Because its users are internal, the company doesn't have the problems of scale, portability and ease of use that Bank of America does.

Bayshore selected iTag technology from Encentuate to boost authentication. Each iTag contains an RFID chip and is affixed to devices that physicians, nurses and other healthcare personnel already carry, such as ID badges or pagers. Combined with back-end authentication management, the solution provides automatic sign-off capabilities, universal sign-on to key workflows, and auditing and reporting capabilities.

The cost is higher than with a software-only approach (about $150 per user, per year), but represents a full Identity and Access Management solution, rather than simply authentication. Bayshore also wanted a tighter, more controlled form of authentication that would help it meet compliance mandates and cope with shared workstations and other healthcare equipment.

E*Trade offers password tokens

E*Trade Financial in Merrifield, Va., falls somewhere between Bayshore and Bank of America. An online business, it is a prime target for phishing attacks and fraud, yet the company doesn't have as large a user base as Bank of America. Because E*Trade is an online business, its users also tend to have a degree of comfort with technology.

"When we considered various authentication solutions, we had two concerns," says Greg Framke, CIO of E*Trade Financial. "First, it had to be able to scale for our business, and second, it needed to be quick. Online consumers demand almost instantaneous access to their accounts."

In 2005, E*Trade began offering RSA's SecurID one-time password tokens to its customers. Sign-up is voluntary, with tokens offered for free to customers who execute a high number of transactions each month or who have significant assets invested in E*Trade accounts. Other customers can sign up for a one-time $25 fee.

"We employ other techniques, such as monitoring and understanding transactions," Framke says. "However, authentication is the front door, so you want it to be as iron-clad as possible."

Notaries put stamp on digital certificates

The National Notary Association (NNA) found that moving certain processes online actually reduced risk. "Something we needed was better revocation," says Richard Hansberger, director of eNotarization for the NNA in Chatsworth, Calif.

In the paper world, when a notary's license was revoked, there was no way to know whether the stamp had been destroyed. Similarly, a quick search on eBay shows that anyone with a PayPal account can buy a notary stamp.

The NNA began using GeoTrust's digital certificates for authentication and revocation purposes. The digital certificates serve as electronic notary seals, and they provide an automated way to manage revocation.

Just because a person has a token or a smart card doesn't mean that you can be certain of his identity, however. "We've seen interest in using notaries to distribute two-factor authentication devices for other organizations," Hansberger says. Thus, notaries need airtight authentication for themselves. If their credentials are stolen, it could put a lot more at risk than their own accounts.

Lark Allen, a member of the Liberty Alliance's strong authentication expert group, says this is one of the problems encountered with some of the universal authentication ideas floating around. One concept, for instance, is to turn driver's licenses into smart cards, providing a standardized method for authentication.

The problem is that the various state departments of motor vehicles aren't in the business of verifying identity. Their job is to license drivers. They have a few rudimentary steps in place to check identity, such as requiring that applicants show a Social Security card and a utility bill to prove their identity, but those are easy to fake.

"If you don't have a certified, trusted provisioning process in place for issuing authentication credentials, then you can't trust that the token or smart card is what it claims to be," Allen says.

Flaws and scofflaws

Finally, risks vary from industry to industry because of regulations. In the financial sector, the Federal Financial Institutions Examination Council has issued guidance about authentication and expects banks to comply by 2007. However, no one knows exactly what the cost of noncompliance will be.

The Health Insurance Portability and Accountability Act (HIPAA) mandates that organizations protect sensitive patient information. However, according to Barry Runyon, an analyst with Gartner, the fines associated with HIPAA noncompliance are so low that many people just ignore them.

"For a security breach, the fine is $250 per incident with a $25,000 annual cap," Runyon says. He estimates that only 40% to 50% of hospitals are compliant. Many of the others have decided that it would cost more than the $25,000 maximum penalty to meet the requirements.

Runyon adds, "The real cost, of course, is having the story about your security breach showing up on the front page of the newspaper."

A regulation such as California's SB 1386, which requires the public disclosure of security breaches exposing the confidential information of California residents, has more teeth than HIPAA, which slaps organizations on the wrist with small fines.

Where risks are high and the user base is small, most analysts recommend hardware-based authentication. This could be anything from smart cards to USB tokens to biometrics. The costs are high, but the security is considered to be more robust than with software-only and knowledge-based authentication.

These solutions aren't as easy to provision and manage, so they're probably not suitable for large user bases. Gartner's Runyon doesn't see the widespread adoption of biometrics or USB tokens until the cost comes down and they are easier to track. "It's hard enough for an organization to keep track of PCs and laptops, can you imagine trying to track USB tokens?"

Another problem is that as physical solutions become more common, users are forced to wear "token necklaces," with tokens for everything from banking to accessing the workplace. Until there is more standardization, hardware-based authentication will likely be confined to high-risk, few-user situations.

Schneier argues that the decision process should favor practical factors other than pure security. "Honestly, two-factor authentication is so much better than password-only that it really doesn't matter which you choose. Choose the one that is cheaper, more user friendly and easier to deploy," he says.

Comparing schemas for authentication is not always an apples-to-apples situation. Some offer mutual authentication; some don't. Some have components that take account origination and provisioning into account; some don't. And many of the cost quotes are nearly meaningless, because they only factor in the initial purchase price of a user's authenticating device, leaving out server-side software, ongoing management, support and maintenance. The factors are tough to pin down, but without these figures it's difficult to tally the total cost of ownership.

Vance is a freelance writer in New Mexico. He can be reached at


Copyright © 2006 IDG Communications, Inc.
