Marching Orders

Two are Better Than One

It's time to make the move to two-factor authentication.

• By Keith Ward
• 08/01/2004

In my book, such a weak password policy, especially for something as critical as my financial information, goes beyond scary and possibly into the realm of negligent.

I talked to one of the bank's admins at length, and, to his credit, he agreed that the policy was insufficient. He says he'll work on increasing that upper character limit. I hope he does it soon.

But increasing the upper limit to 256 wouldn't be enough. Consider the recent survey taken of office workers at Liverpool Street Station in London. Seventy-one percent were willing to trade their password for a mere chocolate bar. More than half of those who coughed up their password—37 percent—did so immediately while the other 34 percent succumbed to social engineering tactics by the surveyers.

What all this means is that it's time to move to two-factor authentication. If you want a truly secure infrastructure, you're fooling yourself if you think that passwords by themselves, no matter how complex, are going to do the job. But passwords (or, more correctly, passphrases) in conjunction with smart cards or biometric devices will get you a lot closer to security nirvana.

The most common example of two-factor authentication is your ATM or debit card. It takes the combination of your PIN and debit card to complete a transaction; either by itself won't cut it.

A quick Google search reveals a smorgasbord of available biometric products, including retina scanners, facial recognition scanners, fingerprint scanners, voice recognition scanners—the list goes on.

Other, non-biometric methods are more like the ATM example. A personal favorite is the venerable, and finally Windows-ready, RSA SecurID system, which uses a credit card- or key fob-like device that generates a unique number every 60 seconds. The user must enter the number along with his PIN to get access (and no, I'm in no way connected with RSA; I just think its solution is cool).

For the mobile segment workforce, which is often the greatest security risk, most major notebook vendors offer biometric authentication, either built-in or through add-ons like a USB fingerprint scanner.

If you make the decision to add two-factor authentication, the next question is: What methods do you use for which employees? Standard employees, who don't have the power to do too much damage (because, of course, you restrict their access through proper use of security templates and Group Policy—right?), might need nothing more than a smart card. Employees with more damage potential, like power users, junior admins, and system and network admins, should probably be forced to undergo some kind of biometric authentication, like a retina scanner.

True, the costs for biometric solutions could run anywhere from a few hundred bucks for a tiny shop, up to hundreds of thousands of dollars or more for a vast enterprise. But weigh that cost against the potential losses to your business. Factor in things like:

• Server downtime
• Lost or stolen data
• Loss of employee productivity
• Overtime for the IT staff
• Potential hardware destruction and replacement

It's like the old commercial: you can pay now, or pay later. Keep in mind that the costs for implementing two-factor authentication are basically fixed, while those for disaster recovery vary dramatically depending on the nature of the problem. That can make the equation a slam dunk. At the very least, start investigating the costs in time and money, and approach management at an early stage to let them know your thinking, so it doesn't come as a big shock when you lay out your cost spreadsheet.

Finally, make sure your company's employees are well stocked with chocolate bars; make them immune from that temptation, at least.