Two-factor authentication is a method of authenticating computer system users that requires two or more authentication factors during the login process: something the user knows (a password or PIN), something the user has (a hardware or software token), or something the user is (such as a fingerprint). For this post, we are going to discuss using a password/PIN (something you know) and a token (something you have). The importance of two-factor authentication has never been more paramount, as the frequency of business users connecting to corporate resources on-demand from multiple connected devices continues to rise.
The simple fact is that obtaining a person’s username/password combination is not that difficult. Most I.T. professionals already know this. Surveillance and simple observation (looking over someone’s shoulder and watching them enter their login) is easy. Keyloggers (malware that records every keystroke), packet sniffers (software that records all data packets traveling on a network or via the internet), cracking tools, etc. are readily available for download on the internet. The use of these tools and other malicious techniques is on the rise as more internet-connected devices and people join the global network.
People don’t often think about this subject from these two perspectives: accountability and deniability.
Accountability – From the corporate or employer’s point of view, you need to be able to hold people accountable for their actions while using corporate resources. With the ever-connected and on-demand network, it is practically impossible to truly secure corporate data from insider-employee theft. If a savvy computer user wants to send themselves the company customer list or a .pdf file of your latest product design, they’re probably going to figure out a way to do it, whether by using a web proxy, web-based email, thumb drive, etc. It’s easy to do and practically impossible to stop. The best policy is to limit users’ access to just the resources they need to do their job, followed up by auditing and monitoring. If a user knows their activities are being monitored AND you can determine it was that individual who logged in to the system (with two-factor authentication in place), you can deter unwanted behavior. With just usernames/passwords, people can always claim that someone else knew their password or that someone in the I.T. Department must have logged in as them. With Two-Factor Authentication, you can hold employees/users fully accountable for their actions on the system.
Deniability – The reverse of the above points is also true from an individual or employee perspective. Users can’t ever be blamed for malicious behavior that they didn’t actually commit. Question: Why do bank robbers wear masks? Answer: So nobody knows who they are. If someone is going to steal corporate data or hit the delete key on a bunch of important files, they’re probably not going to use their own identity. With two-factor authentication in place, nobody can log in as anyone else – ever. Employees/individuals are protected from the malicious behavior of any other user on the system, even that of I.T. admins. Two-Factor Authentication protects the employees/users as much as it protects the corporate resources.
Why not just implement a strong password policy? The reality is that many corporate networks have weak password policies out of a ‘convenience-first’ or ‘customer-service’ mindset. Let’s face it: who can remember a complex password that has to be changed every 21 days and can’t be reused? When strict password policies are implemented, people inevitably end up writing their passwords down and ‘hiding’ them under their keyboard. Or, as crazy as it sounds, co-workers just share their passwords all the time. They don’t understand the necessity and reasons for I.T. security, and it is increasingly difficult to educate everyone in-depth about the subject, so people don’t think twice about it. Without two-factor authentication it is impossible to hold a user accountable, as they can simply claim that someone else knew their password.
At SiteVentures, we have partnered with Symantec to deliver a fully-managed, cloud-based two-factor authentication solution, Symantec Validation and ID Protection Service (VIP).
The traditional username/password combination doesn’t have to change frequently, or at all, simplifying the entire login process. When a user logs in, they have to enter their unique PIN (something only they know) and a one-time token (something they have). That’s it, done. The user’s traditional Windows Active Directory credentials are cached after their first login, so they won’t be prompted for their Windows credentials again.
The one-time token is a letter-number combination (example: ‘1a5-k8b’) generated by a hardware token (keychain device), a smartphone app (supports iPhone, Android, and BlackBerry devices), or an SMS/text message sent to the user’s cell phone upon request. It’s good for 60 seconds and for a single use. The most commonly adopted token, and the game-changer, is the smartphone app: users actually like it, and I.T. admins love it. It’s convenient, simple to use, there is no extra device hanging off your keychain, and everyone always has their phone on them (nomophobia), so they never forget their token.
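To show concretely what “good for 60 seconds, one-time” means on the verifying side, here is an added example that is not code from SiteVentures or Symantec VIP and makes no claim about how VIP generates its codes. It assumes a standard time-based one-time password (RFC 6238 TOTP over RFC 4226 HOTP) with a 60-second step and six numeric digits, which differs from the letter-number format shown above but illustrates the same mechanism: the code is derived from a shared secret and the current time window, the server accepts it only inside that window (plus one window of clock skew), and it remembers the last accepted window so the same code cannot be replayed. The secret and timestamp are constructed values for the demo.

```python
import hmac
import hashlib
import struct

# Constructed demo values; a real deployment provisions a random per-user secret.
DEMO_SECRET = b"constructed-demo-secret-key-1234"
STEP_SECONDS = 60   # the 60-second validity window described in the post
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP keyed on the current time window (Unix time // step)."""
    return hotp(secret, int(at) // step)


class OneTimeVerifier:
    """Server-side check: the code must match the current window (or one earlier
    window, to tolerate clock skew) and must not have been accepted before."""

    def __init__(self, secret: bytes, step: int = STEP_SECONDS, skew_windows: int = 1):
        self.secret = secret
        self.step = step
        self.skew = skew_windows
        self.last_accepted_counter = -1   # newest window whose code was already consumed

    def verify(self, code: str, at: float) -> bool:
        now_counter = int(at) // self.step
        for counter in range(now_counter - self.skew, now_counter + 1):
            if counter <= self.last_accepted_counter:
                continue  # one-time rule: this window's code was already used
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_accepted_counter = counter
                return True
        return False  # expired, replayed, or simply wrong


def demo() -> dict:
    """Walk one code through fresh use, replay, and expiry at a fixed constructed time."""
    t0 = 1_700_000_000  # constructed timestamp so the run is deterministic
    code = totp(DEMO_SECRET, t0)
    verifier = OneTimeVerifier(DEMO_SECRET)
    return {
        "fresh": verifier.verify(code, t0),                  # accepted inside its window
        "replay": verifier.verify(code, t0 + 5),             # same window, already consumed
        "expired": OneTimeVerifier(DEMO_SECRET).verify(code, t0 + 3 * STEP_SECONDS),
    }


if __name__ == "__main__":
    print(demo())
```

The replay check is what turns a time-window code into a one-time code: without `last_accepted_counter`, anyone who captured the code (a shoulder-surfer or keylogger, as described above) could reuse it for the remainder of the 60 seconds. The `skew_windows` allowance is the usual trade-off between tolerating slightly drifted phone clocks and shrinking the window an attacker has.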
In summary, businesses should not go without Two-Factor Authentication. It’s not worth the risk now that the cost of implementation has dramatically decreased with cloud-based services and the rate of user adoption (via the app) has increased. It’s inexpensive, easy to implement, and simple to use. Most importantly, it’s a highly effective method for protecting corporate networks from internal and external threats.