2FA comes of age

Column Dave Abraham, CEO, Signify

Many companies are currently looking at tokenless services in the event that the impact of swine flu increases

Increasing demand for ‘anywhere access’ to computer systems, the wide availability of VPN technology and the popularity of web-based applications mean that more people want to access their business networks remotely. At the same time, the risks to corporate systems and information have increased, forcing companies to strengthen their identity management and access security. What has become clear is that relying on static passwords for authentication is simply not good enough.

Two-factor authentication (2FA) is not new, but it has traditionally been used only by the more security-conscious organisations. 2FA requires the user to present two different factors of identity: typically ‘something you know’, such as a secret PIN or password, and ‘something you have’, proven by a One Time Passcode (OTP) generated by a hardware token or smartcard, or delivered to a mobile phone. The second factor may also be ‘something you are’, such as a biometric. To work effectively for high volumes of users, any 2FA solution must be reliable, secure and flexible, as well as quick and easy to use. In reality, there is no single form of authentication suitable for everyone.

Hardware tokens are the most common form of 2FA. They are small physical devices that can be carried in a pocket or attached to a key ring, and they provide simple and convenient OTPs for users who need to authenticate regularly. Built with the sole purpose of generating OTPs, they are reliable and hard-wearing, and because each token holds a secret shared with the authentication server and derives every OTP from that secret and a counter or clock, it needs no network connection and works anywhere in the world. However, organisations need to provision and distribute the tokens to their users and replace lost or broken ones, and some end users don’t like carrying around another device.

Tokenless authentication provides an alternative. By downloading software to a mobile device such as a BlackBerry, the device itself can be turned into an OTP-generating ‘token’. OTPs can also be delivered by SMS or email to a mobile phone, smartphone or PDA. This is the cheapest option and is ideal for infrequent end users or third parties that may only need remote access to a network once or twice a week. Tokenless authentication is also ideal for allowing employees to work from home in an emergency; many companies are currently looking at tokenless services in the event that the impact of swine flu increases. On the downside, the availability of OTPs delivered this way is, of course, reliant on mobile network coverage, and a delivered OTP is only as secure as the phone number or mailbox it is sent to.

In reality, most organisations need a combination of token and tokenless authentication to meet individual working patterns, remote access requirements, security needs and budgets.

While 2FA does provide a far greater level of security, it can be complicated and costly for many organisations to deploy and manage themselves, as they simply don’t have the in-house resources. Setting up and managing authentication servers is not a walk in the park. Many organisations are simply not able to run a 24/7 service that has to deal with users who find themselves unable to log in late at night or over the weekend. The result is often disgruntled users and over-stretched IT support staff.

Delivering 2FA as a hosted service makes sense. This approach not only removes the initial implementation problems and the day-to-day hassle of running the service, it also avoids major capital investment and provides instant scalability. Hosted services are not new, but suddenly people are talking about SaaS (Software as a Service, or in this context Security as a Service) and cloud computing. A hosted 2FA service offers service level agreements with guaranteed levels of availability and provides administrative and end-user facilities such as detailed logs and reports, as well as helpdesk services. To handle the roll-out of devices, PINs and passwords to a widespread user base, well-integrated policies, procedures and logistics are also needed.

So, 2FA has come of age. There is general recognition that the days of the static password are numbered, and delivering this vital security function in the cloud makes 2FA accessible to organisations of all sizes.

NOVEMBER/DECEMBER 2009