This month we dive into authentication, an interesting and diverse product group. Products going through our labs included tokenless-, token- and cloud-based systems. The debate about token versus tokenless will continue and both have something to offer. Let's take a quick look at authentication and deploying it enterprise-wide.
Most security professionals decry the use of password authentication as next to worthless. But we still have a lot of passwords floating about. Studies repeatedly show that people commit the two cardinal sins - very weak passwords and reusing passwords - with frustrating frequency. Why do we still use passwords? Cost.
But biometrics are starting to become affordable, and tokenless multifactor authentication shows a lot of promise. That does not mean the death of passwords, though. Average users will probably not flock to multifactor authentication any time soon, but corporate users have less and less reason to stick with password authentication. If one must use passwords for the bulk of users, here are some thoughts on when not to.
If system and database administrators authenticate with the same passwords as everyone else, shame. These folks have the keys to the kingdom; if their credentials are stolen, there's a new threat inside the enterprise. Credential-stealing bots are now old school.
If remote users are using passwords to log in over the organisation's VPN, rethink that authentication method now. A stolen laptop or other mobile device can expose the organisation, especially if the employee relies on remembered passwords and reuses the same ones. A seemingly innocuous breach at a trivial-looking site isn't innocuous if the passwords stolen there are reused on sensitive systems, such as the corporate network.
So how do we make the decision to move off passwords and on to multifactor authentication? The big cost today, in organisational environments, is not the devices or the server. These are relatively inexpensive, with several economical options. The cost is in administration. The first step is to determine who gets multifactor authentication and who doesn't. Consider what the authentication is to be used for. Are you concerned with systems, networks, applications or something else? The thing to be secured often dictates the limitations placed on authentication methods.
After determining what needs to be secured and what it takes to secure it, consider deployment and ongoing administration. Are there geographically wide-ranging requirements that suit some sort of self-provisioning? How do you handle day-to-day user management, management of devices (if there are any) and other ongoing tasks?
Token authentication can sometimes be quite trying, for example if a disability makes using an authentication device difficult, uncomfortable or frustrating. Select your authentication method carefully if you have employees who might be affected.
If multifactor authentication suits some or all of your employees, there are lots of options to match your criteria, and some of the best are shown here. Prices are US-based and thus indicative only.