Strengthen Organizational Security Without Breaking the Bank or the Brain
As leaders within all types of organizations grow more concerned with the security of their networks, they increasingly turn to enhanced security and access processes over the “normal,” more traditional approaches to user name and password authentication methods.
Two-factor authentication (also known as TFA, T-FA or 2FA) is an approach to authentication that requires the presentation of at least two of the three main authentication factors. For example, a knowledge factor (something specific to the user, such as a password or childhood memory), a possession factor (something the user has, such as a scan card), and an inherence factor (something the user is, such as a type of employee) are all forms of authentication factors.
The banking industry, for example, has used this concept for years with the ATM card. To gain access to your cash, you must have a physical card in hand as well as a personal identification number (PIN) to access your account.
Another example of this is found on laptop computers that manufacturers have built fingerprint readers into. The only way to access the information on the machines is by scanning an approved user’s fingerprint. The application adds a great deal of security and is perfect for industries like finance, healthcare, and even education.
The question for organization leaders seeking stronger authentication processes is this: how can two-factor authentication provide extra security to an organization while not requiring a large capital outlay?
There are two options that are becoming commonplace and ever more affordable:
The concept of using challenge questions like “What’s your mother maiden name”, or “Where were you born?” has been around for many years. Banking websites are the most common example of this concept. If you forget your password and successfully answer the challenge questions to reset your password, you gain access to your cash.
With the advent of smart phones and text messaging, many companies have already added a second factor—a one-time use PIN code delivered via email or SMS must be provided in addition to answers to security questions.
The first iterations of these solutions exclusively relied on the challenge questions to allow password resets. As social engineering concerns have come in to play, vendors have been quick to add 2FA to these solutions. The delivery of a PIN via text messaging to the user’s cell phone number on file insures the reset is being performed by the actual user.
Another benefit of these challenge questions is that they can be utilized by the helpdesk to positively identify a caller. When an employee phones the helpdesk requesting access to a new application or to be added to a shared or distribution group, the helpdesk can access the questions and masked answers. For example, the answer to “What color is your car?” could display as “X_XX_” and the caller would be asked to provide the second and fifth characters. If the correct characters are provided, it insures the caller’s identity. By masking the answers, the helpdesk employees are never exposed to the confidential answers.
A second factor of authentication—delivering a PIN to an email or via SMS—can further enhance a system’s security. Also, the number of questions and answers to be provided to the user can be dictated by company policy, allowing for the greatest level of security for any given organization.
Single Sign-on with Strong Authentication
Many technology leaders acknowledge the benefits associated with a Single Sign-On (SSO) solution—productivity gains reducing the number of required credentials from many to one and reducing calls to the helpdesk for forgotten passwords.
SSO software enables end-users to log in to their systems just once after which access is granted automatically to all of their authorized network applications and resources. SSO also operates as an extra software layer intercepting all log-in processes and completing the details automatically.
A common concern here is that if the one set of credentials is hacked, then access to all systems can be exposed. In this case, two-factor authentication can eliminate this perceived risk.
In a two-factor authentication scenario, the end user presents his ID badge (“something the user has”) to a card reader attached to the machine he is attempting to access and enters his credentials (“something the user has”) then as an extra layer of protection, enters a PIN code when accessing highly sensitive systems.
It is also feasible that the ID badge replaces the credentials and the PIN becomes the second factor.
Two-factor authentication is catching on rapidly in the business to consumer arena as functionality, such as self-password reset was originally implemented to reduce call volume and security of this functionality, has been strengthened in response to identity theft and social engineering. Use of secondary identification methods are now widely available to businesses interested in providing the same secure functionality to employees, and are much more affordable than in the past.