Two-factor authentication best practices for SMBs

Two-factor authentication best practices for SMBs

Joel Dubin, CISSP, Contributor
To a small and medium-sized business (SMB), setting up a two-factor authentication system can be scary. There's extra hardware to buy and the maintenance could be a nightmare. It's enough to stop an

    Requires Free Membership to View

    Login

    When you register you’ll also receive the latest news, advice and technical tips designed specifically for midmarket IT leaders like yourself. Our award-winning editorial team will give you immediate access to emerging business and technology trends.

    Scot Petersen, Editorial Director, SearchCIO-Midmarket

    By submitting your registration information to SearchCIO-MidMarket.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchCIO-MidMarket.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

SMB with a limited budget and no dedicated information security staff from even considering implementation of two-factor authentication.

More on IT security
Security, disaster recovery top SMB predictions

Podcast: IT security -- the 2007 outlook for SMBs
But there are affordable tools in the market that even a cash-strapped SMB can handle. These tools require little maintenance and overhead and can be managed easily by your existing IT staff, no matter how small. Two-factor authentication has even become an item that can be outsourced, saving the cost of investing in expensive infrastructure.

Before going the two-factor route, there are two things the SMB needs to understand: exactly what two-factor authentication is, and what the risks it's trying to protect against are.

What is two-factor authentication?

Two-factor authentication provides a multilayered defense, or a defense in depth. If one factor is breached, the other factor, hopefully, will block a malicious user from accessing the system.

There are three factors in authentication: something you know, something you have and something you are. An example of something you know is a user ID and password. Something you have could be a one-time password (OTP) token, a smart card or a similar device that stores authentication credentials. Something you are is a physical characteristic. These devices are called biometrics and can read fingerprints, facial or voice patterns, or some other measurable body characteristic, such as an iris pattern.

Two-factor authentication is two of these factors together in a single authentication system. For example, a user would enter a user ID and password onto a Web site, and then would be asked for the value from an OTP token.

Determining the risks

Next, do a thorough risk analysis of what the system is supposed to protect. This must be done before even considering implementing two-factor authentication. If the risk of data loss is low, or the data isn't valuable, then a two-factor setup might be overkill. Risk analysis involves first creating a data classification standard. This should be part of every SMB's information security policy and should, at the least, have a minimum of three levels of risk: low, medium and high. Classification defines which data fits into which category.

Publicly available information, such as marketing brochures and advertisements, would be low risk. Data about company plans and processes might be medium risk -- loss of such information could put the company at a competitive disadvantage but maybe not out of business. Customer information, including Social Security numbers or account numbers, is high risk. The loss of customer data could lead to identity theft and, as a result, lawsuits or other liabilities against the company.

After classifying your data, determine the purpose of the authentication system. Is it to protect against real breaches that have occurred in the past or others that might be expected in the future? Is it for meeting compliance requirements like those of the Federal Financial Institutions Examination Council (FFIEC) for two-factor authentication for banking Web sites? Is it for protecting financial transactions on a Web site, or for remote access for your traveling users who might be logging in from their laptops at an airport or hotel?

The FFIEC guidelines have a broader interpretation of two-factor authentication that includes fraud-monitoring systems, which operate on the back end and are invisible to the user. These aren't true two-factor systems, since they don't use a token or device but provide the same protection. For protecting remote access, a more traditional approach using a device or a smart card might be in order.

Buying decisions

Here are some well-known products in the market that SMBs might consider for implementing two-factor authentication:

  • The eToken from Aladdin Knowledge Systems Ltd. is a USB device that connects to a workstation or laptop. The eToken combines both a smart card and an OTP on one device. It differs from the traditional OTP tokens, like those from RSA Security Inc. and Vasco, in that it's more flexible. The RSA SecureID is only an OTP token, while the eToken can be configured to work with more than 150 applications from Aladdin partners. Its battery can also be replaced, giving it a longer life -- unlike a self-enclosed OTP token, which expires when its battery runs out.

    As a smart card, the eToken can hold a digital certificate and integrate into a public key infrastructure system. The device can be managed centrally with the Aladdin Token Management System.

  • CRYPTOCard is a smart card that bills itself as an event-driven rather than time-driven OTP. Traditional OTPs generate a new PIN after a fixed interval, say, every 30 to 60 seconds. The CRYPTOCard shares an encryption key with a server the user installs in-house. The card generates a fresh PIN every time it's inserted into a reader connected to the CRYPTO-Server. Every time the user successfully logs in, the card is already reset to generate the new PIN for the next login. Also, like the eToken, CRYPTOCard has a replaceable battery.

  • CRYPTOCard has another product, CRYPTO-MAS, which provides two-factor authentication as a managed service. This is an attractive approach for an SMB, since it requires no infrastructure, hardware or software installation by the user. The token generates a PIN through its Managed Authentication Service (the MAS in CRYPTO-MAS) for a monthly fee. Since there isn't anything for the user to install or maintain, the user doesn't have to provide staff or technical support -- another plus for thinly staffed SMBs -- and users and tokens can be added or deleted easily through the service.

  • An even cheaper low-tech solution is IdentityGuard from Entrust Inc. in Addison, Texas. This involves a wallet-sized card that looks like a bingo card. It has a grid with a randomly generated series of numbers. When the user logs on with their user ID and password, they're also prompted for a coordinate on the grid. The user then enters the number at that coordinate on the card. The cards are all distinct and each has thousands of combinations of numbers.

    Between flexible token alternatives, managed authentication services and low-cost cards and devices, SMBs have a variety of options for implementing two-factor authentication.

    Joel Dubin, CISSP, is an independent computer security consultant based in Chicago. He is a Microsoft MVP in security, specializing in Web and application security, and is the author of The Little Black Book of Computer Security, available from Amazon.com. He is also the author of the IT Security Guy blog at http://www.theitsecurityguy.com.

    This was first published in January 2007

    • Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.

    Back to top