Since the start of this year I have been looking at what the emerging trends will be for 2011.
Aside from the general threats identified at the end of last year, one has been mentioned several times not just by vendors, but by the industry generally, and that is two-factor authentication (2FA). So what has caused the rise in interest in 2FA so far this year?
Kaspersky Lab researcher Roel Schouwenberg mentioned on his Twitter page that it was ‘interesting to see all this talk about two-factor again'.
A survey by Forrester Consulting found that only 33 per cent of enterprises do not require strong authentication from their partners to access corporate networks, and that enterprise-wide adoption of strong authentication is the best security policy.
Upon issuing the second set of fines, deputy commissioner David Smith at the Information Commissioner's Office, said: “Of the four monetary penalties that we have served so far, three concern the loss of unencrypted laptops. Where personal information is involved, password protection for portable devices is simply not enough.”
Perhaps the need to implement strong authentication at all levels is finally being recognised. In a meeting last month with authentication provider GrIDsure, the message was clear that businesses need to get away from 1FA or 2FA and look at what is an appropriate solution for users.
CEO Daniel Mothersdale claimed that there was a need to start to give users more choice so they can make a choice that is more secure and easy to use. CTO Stephen Howes said: “We have created complexity, yet you can find people who have forgotten their password.
“It is meant to be the pinnacle of security and it is not enough. You need to be able to remove the threat and choose the right factor and the right solution. Security guys are on a quest for security nirvana and it is a long way to go, as there will never be a perfect security solution. Until then we stack up what we have got. If you are moving to the cloud you will have to be more responsible and making sure access is a whole lot more secure.”
Neil Hollister, CEO of CryptoCard, told me a year ago that the future of authentication was to be in a managed service, on a shared platform or with multiple shared authentication.
I asked Hollister if he felt that 2FA was generally coming back into fashion, he said: “I think it is coming back round with iPhones and BlackBerries, 2FA should be what email scanning is. The technology has been there but only a percentage is using it. Passwords are a good idea but are the weakest link in security and complexity and costs dissuaded from rolling out."
With a managed service recently implemented by Coventry City Council, he was keen to stress the benefits of cloud-based authentication. He said that with this users ‘have got the ability to make 2FA a commodity'.
“The cost of tokens has never been the case; it is the cost to deliver. On an iPhone it approximates to zero, if you persist with a hard token and delivery platform is not fully automated you have never commoditised authentication. If the future is that no one uses passwords, you have got to make it simple, easy and cheap,” he said.
“A provider will want to give every parent access to reports but cannot give out a token to 200,000 families so how do you push it out? Authentication is coming round to security but because technology is there with SMS, iPhone and one click and you are all using strong authentication.
“It is not a question of the market coming around; it is a question of delivery. The economic access has been realised and that is where the biggest risk is.”
Also commenting on whether the cost of implementing 2FA has been putting people off, John Handelaar, EMEA VP of Passlogix, said that 90 per cent of people now talk about it and want to do it in the future but are put off by complexity and cost.
He said: “There is an argument that you can make it as safe as you want. Users need to have access and people work remotely and as securely as possible.”
Also in agreement was Andy Kemshall, technical director of SecureEnvoy, who acknowledged that with a cost of £40 per token, alongside associated deployment costs and an average of ten per cent of devices lost or broken a year, businesses should consider removing this cost from their budgets and considering utilising a personal device.
He said: “Rolling out physical tokens can take as long as six months for a company with 5,000 users. For a tokenless solution, that time is cut to two hours. The notion of carrying around a keyring to give access to secure corporate data is technology from the 1990s, the world has moved on.
“Research suggests we check every four minutes if we've still got our mobile phones on us. How long until you realise you've lost your token and phone the IT helpdesk? A week? A month? With companies looking for more ways to keep operating in case of adverse weather, the best solutions are the simplest. SMS-based authentication means users will always have a device that can let them connect with work, wherever they are. People are used to being reliant on their mobile phones for work and this is a natural evolution of that.”
With a historical strong presence in the 2FA field, RSA expanded its reach to the small-to-medium business with a new capability in January. Adam Bangle, regional director at RSA, claimed that 2FA has received fresh interest as users realise that there needs to be more than passwords.
He said: “Cost is always a factor and this is no different, it is about balancing risk and smaller businesses may have felt in the past that they may be vulnerable to security threats, but that has changed over the past few years. Organisations want to strengthen security around enterprise users.
“This has been in market for some time and there is strong adoption in enterprises, but I am still surprised how many rely on a username and password because as a security mechanism, it is insecure.”
So 2FA is being used internally for secure logins, but what about from a consumer perspective? Is it not time that more secure login services were offered by websites?
Bangle said that the challenge with today's environment is to create a secure environment, but he believed that there is a common goal to create a customer experience that is easy to use.
“We see with government and banks they are using stronger authentication and education has improved the customer experience. Analyst firms say everyone needs to strengthen security and different commodities need a different type of experience and options, but it is too costly for banks to give all customers hardware tokens but with an SMS it is more cost effective,” said Bangle.
So is 2FA the new rock n' roll for 2011 and will we all be using one-time passwords and secure sign-on technology by the end of this year? My suspicion is that we will not because of the continuing cost and technology capabilities of providing hard or soft tokens. However it is positive to see an interest in secure login and I hope that this continues.