
Implementing multi-factor authentication: What to consider

Alfonso Barreiro points out the main issues you'll have to consider when implementing multi-factor authentication. These solutions can strengthen security, but only if you design them effectively.

Last week, we examined the basic authentication factors used to validate the identity of a user and their respective strengths and weaknesses. Now we will take a look at some considerations you need to take into account when using them in a multi-factor authentication system.

What is multi-factor authentication?

As its name implies, it's the use of two or more different authentication factors to verify the identity of the user. Two-factor authentication is the best known implementation, involving exactly two factors. The classic example of two-factor authentication is the ATM card and PIN combination. It uses "something you have" (the card) and "something you know" (the PIN). It's important to note that the factors used must be independent from one another to be considered "true" multi-factor authentication: compromising one factor should not hand the attacker the other. For example, asking a user for multiple codes from a token does not constitute a multi-factor solution, as it is just using a single factor (the token) multiple times. Likewise, a password plus a "security question" is two instances of "something you know", not two factors.

Multi-factor authentication reduces risk by involving separate types of factors, so that an attacker has to succeed with different methods of attack (say, phishing a password and stealing a physical token) before a breach succeeds. There are several things to consider when using multi-factor authentication effectively.
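The independence rule above is easy to get wrong in a verifier that just counts how many credentials were presented. The following is an added example, not code from the original article or from any product it mentions: a minimal server-side check that hashes the stored password with PBKDF2, verifies an RFC 6238 TOTP code, and then refuses the login unless the verified credentials span at least two distinct factor categories. The factor taxonomy, the user record, the password and the seed (the RFC 6238 test-vector seed, not a real secret) are all assumptions constructed for this example.

```python
"""Added example (not part of the original article): accept a login only when
the presented credentials verify AND cover two independent factor categories.
The FACTOR_CATEGORY table, USER record, password and TOTP seed are constructed
for illustration; nothing here is a real product's API."""
import base64
import hashlib
import hmac
import os
import struct
import time

# Assumed taxonomy: which category each credential type belongs to.
FACTOR_CATEGORY = {
    "password": "knowledge",
    "pin": "knowledge",
    "totp": "possession",
}


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """PBKDF2-HMAC-SHA256 so the backend never stores the password in clear."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def totp(secret_b32: str, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the profile common authenticator apps use."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


# Constructed sample record. The seed is the RFC 6238 test-vector key
# ("12345678901234567890" in base32); the fixed salt keeps the example
# deterministic and would be os.urandom(16) in real code.
SALT, PW_HASH = hash_password("correct horse battery staple", salt=b"\x00" * 16)
USER = {
    "pw_salt": SALT,
    "pw_hash": PW_HASH,
    "totp_seed": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
}


def check_credential(kind: str, value: str, now: int) -> bool:
    """Verify one presented credential against the stored record."""
    if kind == "password":
        _, candidate = hash_password(value, USER["pw_salt"])
        return hmac.compare_digest(candidate, USER["pw_hash"])
    if kind == "totp":
        # Accept the current and the previous 30 s step to tolerate clock skew.
        return any(
            hmac.compare_digest(value, totp(USER["totp_seed"], now - d))
            for d in (0, 30)
        )
    return False


def authenticate(presented: list, now: int) -> tuple:
    """Succeed only if every credential verifies AND at least two distinct
    factor categories are present. Two valid TOTP codes from the same token
    verify individually but count as one category, so they are rejected."""
    categories = set()
    for kind, value in presented:
        if not check_credential(kind, value, now):
            return False, f"{kind} failed verification"
        categories.add(FACTOR_CATEGORY.get(kind, "unknown"))
    if len(categories) < 2:
        return False, f"only one factor category ({', '.join(sorted(categories))})"
    return True, "ok"


if __name__ == "__main__":
    t = int(time.time())
    code = totp(USER["totp_seed"], t)
    print(authenticate([("password", "correct horse battery staple"), ("totp", code)], t))
    # Two codes from the same token: both valid, still a single factor.
    print(authenticate([("totp", code), ("totp", totp(USER["totp_seed"], t - 30))], t))
```

The category check is the point: `authenticate` counts categories, not credentials, so "token code + token code" fails with the same message a single-factor login would, while "password + token code" passes. The skew window of one previous step is a deliberate trade-off; widening it makes brute-forcing a six-digit code proportionally easier.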

Cost

The first consideration is cost. Besides the direct costs of purchasing and licensing, there can be other hidden costs involved. For example, you might need to take into account the cost of distributing hardware (tokens, smart cards or biometric readers) or the logistical costs involved in the biometric enrollment process. Support costs must also be taken into account, because it is very likely that there will be an increase in support calls, even after the initial deployment.

Evaluating the costs of your intended solution will help prevent situations where the cost exceeds the value you're getting. This is especially a risk in organizations that do not have a proper risk assessment and therefore are not clear on what their most important data or assets are or where they reside. Of course, there are also scenarios where you simply have to accept the cost as a normal operating cost, especially in highly regulated industries such as financial services.

User acceptance

This consideration could also easily be called "user resistance". Take for example the resistance some users have to biometric scanning of any kind. Another example is when users balk at being issued bulky hardware tokens or at being asked to perform steps that disrupt their daily routine. Some of these objections can be addressed with a proper governance policy; other issues may need a bit of evangelizing in order to address them or change user perceptions.

You must also be clear on who the intended users of the solution are, their level of technical expertise, and the type of software and hardware they might be using. For instance, internal users will probably be using standard hardware and software provided by your organization, so that can help in your planning and narrow down a specific solution that can take advantage of what you already have. Conversely, if the users are external to the organization, you may not have a complete picture of their hardware and software setups, so you will have to look for a solution that can be used on a wider variety of platforms.

Supporting processes

Before the initial deployment, the day-to-day supporting processes should be in place to ensure user satisfaction. For example, including a "something the user knows" factor in your solution does not eliminate the problem of users forgetting their passwords or PIN codes, so you must have a process in place for resetting them, and that reset process must itself verify identity at least as strongly as the login it bypasses. Other processes will be needed, but they will depend on the selected authentication factors. Here are some that you may need to consider:

  • The revocation of tokens or certificates.
  • Reporting loss or theft and the subsequent actions.
  • Replacement procedures in case of damage or failure.

Also, be careful about providing backdoors to bypass your authentication system. It might be tempting to have a backdoor "just in case", but any bypass becomes the weakest link an attacker will go looking for, and it could end up becoming a case of locking the front door and leaving the backdoor open (pun fully intended).

Solution security

It might sound a bit redundant to check the security of a solution whose purpose is to increase authentication security, but it is important to verify that you are not simply shifting the location of the weak link. There are products that store credentials in plain text, whether on a token, on a smart card or on the backend servers; ask the vendor how passwords, PINs, token seeds and templates are protected at rest and in transit. This is especially dangerous for biometric data because, as we discussed previously, it is very difficult to change after a compromise.

Your mileage may vary

There are many different scenarios in which you can apply a multi-factor authentication system, and many more combinations of the different factors, but hopefully this guide can help you in designing an effective solution for your needs.

About

I am a technology specialist with over 10 years of experience performing a variety of corporate IT functions, including desktop and server operations, application development, and database administration. My latest role is in information security, fo...

7 comments
multifactorguru

Great article, the part about user acceptance is personally where I see the biggest need in security. I think once people comprehend that they could easily become a victim, we will see less resistance to the much need security gained from multi-factor authentication.

LauraDeitch

Recently I heard about the two-factor authentication product of TeleSign which works with any phone and can be deployed worldwide. Since TeleSign's Two Factor Authentication is widely deployed, users are already comfortable with the process. A few months ago I heard about the two-factor authentication product of TeleSign being deployed by Salesforce for Security and Identity. Watch the demo of Salesforce with TeleSign's Two-Factor Authentication at http://www.telesign.com/news-and-events/blog/salesforce-demos-telesigns-two-factor-authentication/

brendonjwilson

In addition to two-factor authentication, companies can implement more intelligent and transparent mechanisms to authenticate a user. As a Symantec employee, it's my job to help two-factor authentication solutions become more effective and easy to use, so that users can feel safe interacting online, and organizations can more easily and transparently keep users' information safe. These authentication solutions examine other information about the user's device, their physical or network location, and their login behavior, and compare it against a historical profile before letting a user into their systems. This provides even more protection against online threats, whether it's to a person's phone, computer or tablet.

Alan_

When the authentication device expires and needs to be replaced, or the solution software is upgraded but doesn't carry forward the existing software keys, it is important to understand "what disruption might be caused to the organization?" to effect the needed replacements / upgrades. In the case of RSA used with Windows it is, or at least was, necessary for the Windows password to be secure as well. Otherwise someone without the RSA client installed could connect and hack accounts using Windows authentication. But make the users' Windows password secure so that hack won't work, don't record it anywhere (standard practice), and know they'll forget it because now users only need PIN and token code to authenticate. Works great until the Windows password is needed at some juncture. (From experience this happened organization-wide at least twice in 6 years.) Now, to issue new tokens or deploy updated client software, the users' Windows passwords all need to be reset as well. A major support effort compounded by many users being mobile and not in contact with support on a routine basis. On the Windows platform my suggestion would be to identify how the solution addresses management of Windows passwords so such support nightmares don't happen if system-wide token or client software replacement is a requirement. My objective would be to identify a product that can "replay" the Windows password when needed in such scenarios (which is what effectively happens when authenticating anyway) or find a solution that actually replaces the Windows authentication mechanism and doesn't just shim itself into it.

mwclarke1

I would be interested in hearing what everyone is using today. Currently using RSA SecureID soft and hard tokens.

Alan_

I'm not certain there are two-factor mechanisms that can be readily implemented by individuals, so I'm interpreting your comment as applying to organizations. Yes, I've seen that people are resistant to change, but that seems to be the human condition in general. We celebrate tradition. The resistance I've experienced is twofold: resistance to change, as you've identified, and resistance to spending money. Two-factor authentication is an added cost no matter the computing infrastructure in place. Overcoming resistance to change is the first hurdle. Allocating extra $ to implement and support 2 factor when there's "already passwords" is a management challenge. Depending on who controls the $, who the users complain to about their job being harder and what part of the organization drives revenue, IT (often) may not have the resources or authority to implement 2 factor. In these cases IT must have strong partnerships with the other areas of the business if 2 factor will be implemented and succeed. I don't believe it's only the users.

multifactorguru

Definitely true, I was speaking about the individuals. I guess the reason why I never factored money into the equation on the business end is because a company's reputation is priceless, and becoming the focal point of the data breach topic does not help your company's reputation much. I love the last paragraph of your reply though, Alan. IT seems to go unheard in many discussions in my opinion, and it is definitely not solely on the user, but their addition to the discussion helps to push execs to make the right decision.