Feb 15 2013

How to Deploy Two-Factor Authentication

Take these five steps to ease the rollout while strengthening security.

Passwords have been crumbling for a long time because they’re easy to steal or share, yet difficult to remember. To improve security, leading organizations are deploying two-factor authentication. This technique combines a password with a second factor, such as a token, smart card or biometric identifier.

Moving to two-factor authentication has its stumbling blocks, however. Consider the following measures to ease the move.

1. Select a Factor That Fits the Organization.

Count tokens (both hardware and software), smart cards, and multichannel products such as SMS-based passwords to smartphones among the options. There’s no right answer, but considering a few questions about organizational IT will show the best path. For example, mobile devices such as smartphones are not generally compatible with smart cards. For some organizations, that’s a plus, as they’d prefer to allow only notebooks they issue to connect to the network. For others, that’s a deal breaker. Some organizations that are geographically centralized will appreciate physical tokens, while others that have workers constantly on the move may wish to use software or other systems.

2. Consider Tokens as the Starting Point.

Tokens are the technology that every other authentication method needs to beat. They are the most mature and common technology in two-factor authentication, but have their own drawbacks, such as high startup and maintenance costs associated with distributing and replacing tokens. Manufacturers have devised a variety of workarounds, such as virtual tokens that trade off some security for increased convenience.

When considering alternatives to tokens, be careful to separate marketing myth from reality. There’s considerable disinformation in marketing literature, both from token makers and from vendors of competing two-factor technologies.

3. Conduct a Phased Migration.

Big-bang cutovers don’t make anyone happy. Application and system managers will find it easier to migrate everyone at once, but that just creates a nightmare for end users and help desk staffs.

Choose a technology and deployment strategy to move one user at a time, then slowly disseminate the technology to the people who need it the most. Unless it’s a small organization with only 25 users, migrating everyone at once is guaranteed to be an expensive, high-risk effort. The same is true of applications — critical ones should move to two-factor authentication early, but there’s no reason to migrate legacy apps if the risk is low.

4. Staff Up the Help Desk.

Getting a back-end authentication server set up takes a while, and then testing it against applications takes a little longer. That’s only one percent of the effort in a two-factor rollout. Self-service, abundant training and a well-staffed help desk are good insurance against failure, particularly during periods of heavy migration.

Users need to be informed and empowered. Because two-factor authentication is harder than just typing a password, everyone might complain a bit. Offer end users tools, such as token reset web pages. That may require collecting password reset questions or wiring a web application, but it’s worth the effort. One benefit of the consumerization of IT is that people are accustomed to doing things themselves. Playing to these new habits eases the pain on all fronts.

5. Don’t Sweat the Settings.

Risk reduction is the goal. Many token products have very secure default settings that are not forgiving of error or an initial learning curve. Dialing back some of these settings, such as maximum failed attempts or lockout periods, won’t ruin system security. Two-factor authentication is so far ahead of static passwords in risk reduction that there’s room for some slack without affecting the result. These settings can gradually be tightened if necessary once the deployment phase is over.
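The following is an added example, not code from the article or from any token vendor it alludes to. It makes the token discussion in step 2 and the settings advice in step 5 concrete: a standard-library implementation of the OATH HOTP/TOTP one-time-password algorithm (RFC 4226 / RFC 6238, which the article does not name but which is the common software-token scheme), wrapped in a verifier whose failed-attempt threshold and lockout period are configurable. The two policies, the "strict default" and the "relaxed rollout" values, are constructed for illustration, as is the shared secret (the RFC test secret) and the fixed clock; the replay guard and the clock-skew window are design choices of this example, not settings the article describes.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the unix time."""
    return hotp(secret, at // step, digits)


@dataclass
class LockoutPolicy:
    max_failed_attempts: int   # consecutive failures before the account locks
    lockout_seconds: int       # how long the lock lasts


# Constructed example values: a tight vendor-style default versus a
# deliberately relaxed policy for the deployment phase (article step 5).
STRICT_DEFAULT = LockoutPolicy(max_failed_attempts=3, lockout_seconds=3600)
ROLLOUT = LockoutPolicy(max_failed_attempts=10, lockout_seconds=300)


class TokenVerifier:
    """Verifies TOTP codes for one user and enforces a lockout policy."""

    def __init__(self, secret: bytes, policy: LockoutPolicy, window: int = 1, step: int = 30):
        self.secret = secret
        self.policy = policy
        self.window = window          # time steps of clock skew tolerated either side
        self.step = step
        self.failed = 0
        self.locked_until = 0
        self.last_counter = -1        # highest counter already accepted (replay guard)

    def verify(self, code: str, now: int) -> str:
        """Return 'ok', 'rejected' or 'locked' for a submitted code at time `now`."""
        if now < self.locked_until:
            return "locked"
        counter = now // self.step
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_counter:
                continue              # a code for this step was already used
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.failed = 0
                self.last_counter = c
                return "ok"
        self.failed += 1
        if self.failed >= self.policy.max_failed_attempts:
            self.failed = 0
            self.locked_until = now + self.policy.lockout_seconds
            return "locked"
        return "rejected"


def simulate(policy: LockoutPolicy, mistakes: int = 3) -> list:
    """A new user fumbles `mistakes` wrong codes, then types the right one."""
    secret = b"12345678901234567890"   # RFC 6238 test secret; demo only
    verifier = TokenVerifier(secret, policy)
    now = 59                           # fixed clock keeps the run deterministic
    outcomes = [verifier.verify("000000", now) for _ in range(mistakes)]
    outcomes.append(verifier.verify(totp(secret, now), now))
    return outcomes


if __name__ == "__main__":
    print("strict:", simulate(STRICT_DEFAULT))   # third mistake locks the user out
    print("rollout:", simulate(ROLLOUT))         # the correct code still gets in
```

Under the strict policy the third fumbled code locks the user out for an hour, so even the correct code that follows is refused and the help desk gets a ticket; under the rollout policy the same user simply gets in. The replay guard and the constant-time comparison stay in place in both cases: relaxing the lockout is a usability knob, not a weakening of the code check itself, which is the distinction step 5 relies on.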