Monday, 20 August 2007

What do YOU need out of two-factor authentication?

Two-factor authentication continues to grow in popularity and emerge as a security requirement for many people I meet with. A number of companies are looking at smartcards internally for VPN access and then looking at moving to smartcards for domain logon, too.
Users are also looking at ways to require two-factor authentication for web-based services, like Outlook Web Access, published SharePoint servers, and other extranet systems. I love display based solutions and its CRYPTOCard most popular offering. But with smartcards we encounter a large problem with them: most public workstations (kiosks, Internet cafes) don't have smartcard readers. So how do we require two-factor authentication when the infrastructure can't support it? And you would want to use a form of 2FA when using Public workstations as the risks are very large. No self-respecting organization would ever allow access to corporate resources from unknown machines, right? What possible business justification would ever permit exposure to such risk?
A lot, it turns out. Any organization (Microsoft included) that permits access to corporate resources, like OWA, is making a risk statement, whether they know it or not. That statement is this: "Our business activities require access to certain resources from any device, anywhere, at any time. We accept the risks associated with this because the value to the business is determined to be higher."
Many organizations are starting to become wary of these risks. Two-factor authentication helps to mitigate risk. The choice, then, is which kind of two-factor authentication to use? If smartcards won't work because readers aren't yet ubiquitous, what's left to choose?
A hardware token with a one-time (Event) password is generally the best option.
I want to hear from you, though. What do you need from a two-factor authentication mechanism? What are your requirements? Have you used the products currently on the market? What do you like or not like? What do you want to see done differently?
Tell me what you think. Post a comment here or email me if you'd prefer to remain private. Either way, I'd really like to get a good body of customer thinking on this. Thanks!


Copyright 2009 Jason Hart. Powered by Blogger Blogger Templates create by Deluxe Templates. WP by Masterplan