Passwords have been at the heart of so many data breaches and network break-ins that no one is surprised when someone points the finger at weak, shared or stolen passwords. But unlike the weather, we can do something about passwords.
Security experts have advocated multifactor authentication for decades. Early efforts were clumsy, expensive and difficult to integrate with mainframe applications. But security vendors such as RSA Security, Symantec and CA Technologies have worked hard to drive down both cost and complexity, helped by a wide variety of authentication-focused vendors, such as VASCO Data Security and SafeNet/Gemalto, and Intel.
Traditional multifactor authentication has always involved a trade-off between ease of use and overall security. Smart cards and token cards are considered highly secure but inconvenient for the end user, slowing down login or simply failing to work. Fingerprint or retina readers, on the other hand, are easy and convenient, but at the cost of weaker security and added privacy concerns.
Intel Authenticate, built into the 6th Generation Core and Core vPro processors announced in January, isn’t a new type of multifactor authentication, but it does improve the security of existing methods by moving multifactor authentication into hardware. By keeping biometric and credential data in that hardware, Intel performs some authentication operations in the CPU rather than in the operating system, so a compromise of the OS exposes less. IT managers with newer PCs (and Active Directory) can therefore reduce risk by using Intel Authenticate to deploy multifactor authentication. The deployment, of course, takes some planning. Here are some ways to simplify the task and improve both user satisfaction and the chances of success.
Changing authentication is a big step, and trying to do it for everyone at once will guarantee failure. Identify user groups and particular applications that can be early adopters without putting day-to-day operations at risk. Roll out to those groups or application users first, then add other users gradually as support teams become comfortable with the technology.
Partial deployment can be a good long-term strategy. Multifactor authentication reduces overall risk, and if some applications or user groups are especially low-risk, there’s no reason to roll out multifactor authentication to everyone. Building multifactor authentication on top of an existing directory service, such as Active Directory, will make it easier to keep things in sync and minimize costs.
A related principle: let authentication drive authorization. When designing the deployment, ensure that the type of authentication a user actually completed (password only, hardware token, biometric, and so on) is visible to applications and operating systems. That lets each application grant access in proportion to the assurance of the login, and it serves as a double-check that no one is coming in through back channels with a session that never passed the expected authentication at all.
Virtual private network users are a particularly high-risk population because of the relative anonymity of the Internet and the higher likelihood of device or password loss when someone is on the road. Organizations could require multifactor authentication on VPN servers for access to high-value resources, such as SharePoint workspaces, while still allowing standard username and password access to low-value applications, such as the organization’s intranet web servers.
There is no question that multifactor authentication is more cumbersome than a simple username and password; however, advances in single sign-on technology have reduced the number of times that users need to log on. Cut the number of logins down each day, and people won’t mind so much if their first one takes longer or is a little harder.
Getting single sign-on to work properly across web-based applications should be a starting point before deploying multifactor authentication.
Single sign-on doesn’t just make people happier, it also makes things more secure. When single sign-on is properly deployed, individual applications no longer keep their own passwords, so there is nothing for users to lend out or for attackers to harvest from a weak application, and a borrowed (or stolen) application password stops being a way in. The remaining risk concentrates at the single sign-on service itself, which is exactly where the multifactor authentication belongs.
Mobility is a requirement for most enterprises and most applications. The Windows domain-joined PC is great onsite and as a work notebook, but end users want easy access from a wider variety of devices in an ever-increasing number of locations.
Tools such as Intel Authenticate help in many environments, but not all — and any authentication solution you design must not move mobile users backward.
One approach is to make clear distinctions between high-risk and low-risk applications, then require full multifactor authentication — built using Intel Authenticate and running on enterprise-managed systems — for high-risk applications. An alternative would be to support multiple multifactor authentication systems.
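The three threads above (applications detecting how a user authenticated, multifactor authentication gating high-value VPN resources, and a high-risk/low-risk split with hardware-backed multifactor authentication only on enterprise-managed systems) can be combined into a single access policy. The following is an added example, not code from the article, from Intel or from any vendor mentioned. It assumes that each session carries an `amr` (Authentication Methods References) claim using the vocabulary of RFC 8176, and that the identity provider or VPN marks whether the endpoint is enterprise-managed; the resource tiers and sessions are constructed for illustration.

```python
"""Risk-tiered access decisions driven by how the user authenticated.

Added example, not from the article or from Intel Authenticate.  Factor
names follow the RFC 8176 "amr" claim vocabulary; resource tiers, the
managed_device flag and the sample sessions are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

# RFC 8176 amr values grouped into the classic factor categories.
# Two methods from the same category (e.g. pwd + pin) count as one factor.
FACTOR_CATEGORY = {
    "pwd": "knowledge", "pin": "knowledge",
    "otp": "possession", "hwk": "possession", "swk": "possession", "sc": "possession",
    "fpt": "inherence", "iris": "inherence", "face": "inherence", "vbm": "inherence",
}


@dataclass(frozen=True)
class Resource:
    name: str
    tier: str          # "high" or "low" (assumed two-tier classification)
    min_factors: int   # distinct factor categories required for access


@dataclass(frozen=True)
class Session:
    user: str
    amr: tuple[str, ...]   # authentication method references from the IdP/VPN
    managed_device: bool   # endpoint is enterprise-managed (assumed attribute)


# Constructed policy: the article's SharePoint vs. intranet split.
RESOURCES = {
    "sharepoint": Resource("sharepoint", "high", 2),
    "intranet": Resource("intranet", "low", 1),
}


def distinct_factors(amr: tuple[str, ...]) -> set[str]:
    """Factor categories proven in this session; unknown methods are ignored."""
    return {FACTOR_CATEGORY[m] for m in amr if m in FACTOR_CATEGORY}


def assurance(amr: tuple[str, ...]) -> int:
    """Number of distinct factor categories the session proved.

    RFC 8176 "mfa" is the IdP's own assertion that multiple factors were
    used, so it is treated as at least two even if the individual methods
    are not listed.
    """
    n = len(distinct_factors(amr))
    if "mfa" in amr:
        n = max(n, 2)
    return n


def decide(resource: Resource, session: Session) -> str:
    """Return 'allow', 'step_up' or 'deny' for one resource and session.

    'deny' with no recognised method is the back-channel check: a session
    that never passed a known authentication method gets nothing.
    High-tier resources additionally require an enterprise-managed device,
    since the hardware-backed MFA only exists there.
    """
    level = assurance(session.amr)
    if level == 0:
        return "deny"
    if resource.tier == "high" and not session.managed_device:
        return "deny"
    if level < resource.min_factors:
        return "step_up"   # ask the user to add a factor, then re-evaluate
    return "allow"


if __name__ == "__main__":
    for s in (Session("alice", ("pwd",), True),
              Session("bob", ("pwd", "fpt"), True),
              Session("carol", ("pwd", "fpt"), False),
              Session("dave", (), True)):
        for r in RESOURCES.values():
            print(f"{s.user:6} {r.name:10} {decide(r, s)}")
```

The `step_up` result is the point of making authentication type visible: a password-only session is not rejected outright but is sent back for a second factor before it touches a high-tier resource, while a session with no recognised method is refused everywhere.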