Operations: 2FA

2FA or not 2FA?

Dave Abraham, CEO of Signify, looks at two-factor authentication and examines why it is not used by everyone.

Whether breaking into your offices or your computer system, criminals always seek out the weakest link. So it doesn’t matter how good the rest of your security is if you cannot be sure of the identity of those who actually gain access. If the credentials of users logging on to your network can be compromised, you are potentially allowing unauthorised, malicious access and putting data at risk. 

For too long, organisations have put their faith in passwords, yet hardly a day goes by without hearing about stolen passwords and other log-in credentials. Google, Microsoft, Sony, Toshiba and Facebook are just some of the high-profile names to end up red-faced. And even if they are not stolen, passwords can be easily compromised. Despite efforts to educate, many still choose something easy to remember; and a little bit of guesswork or social engineering means the information can easily be revealed.

To strengthen this weak link, 2FA (two-factor authentication) has emerged as the de facto method for securing remote access to networks, data and applications. When implemented properly, 2FA will not only significantly increase information security; it will ensure authorised users can quickly and easily gain access.

It certainly makes sense and sounds like the solution to securing remote access to corporate networks, applications and assets in the cloud. But if it is, then why, despite the continued rise in IT-related fraud and the much publicised and very real security threats from both external and internal forces, are so many businesses still just relying on passwords?

What is 2FA and does it cost too much?

With 2FA, to gain access users need to enter something they know—a username, password or pin—along with something they have. This is typically a hardware token that generates a one-time password linked to the specific time you are gaining access, but can also be software token, a one-time passcode sent to a mobile phone, a smartcard or a fingerprint.

The perceived cost of deploying and managing 2FA, along with the difficulty in calculating ROI, has certainly proved to be a barrier to adopting 2FA for some organisations.

In fact, the cost of installing and managing a 2FA system can sometimes prove higher than expected. As well as the tangible costs, such as infrastructure changes, the back-end systems and the deployment of end user devices, there are more difficult to quantify costs. These include employing specialist skills, training, managing user credentials and ensuring all software has up-to-date security patches. Furthermore, most organisations simply aren’t geared up to run a 24/7 service that needs to deal with users unable to log-in at odd hours. The result is often disgruntled users and over-stretched IT support staff.

Deploying an in-house 2FA solution is no walk in the park and can prove costly, making it out of reach for many SMEs. And when it comes to selling the idea of 2FA into the business, the difficulty in calculating ROI makes matters worse. Like any security measure, it can be seen more as an insurance policy than an enabling technology to make the business more productive and flexible.

Is it too complex to deploy and manage?

Most SMEs, or even large corporations, don’t have the internal resources to properly deploy and manage a 2FA solution.

2FA is never a one-size-fits-all solution and as well as complying with the organisation’s security policy and industry standards, it should be flexible enough to adapt to different user requirements and change with the organisation.

To be successful, users have to be happy. 2FA must be seen as an important addition, not a pain in the neck. The first step is to ensure each user has the right credential type for their usage patterns. This means having a choice of 2FA technology. For example, hardware tokens are easy and reliable for frequent users, whereas for more occasional users, receiving an SMS is preferable. 

It is in the area of user identify lifecycle that it is the most complex and time consuming to manage. Every user has a unique identity with a lifecycle that runs from the creation of the digital identity through to deactivation. The management of this identity lifecycle is essential to the smooth running of 2FA as well as user satisfaction. There are many stages in the lifecycle and each need to be carefully managed. These include: setting up a new user, allocating permissions, provisioning tokens, activating PINs, dealing with lost or stolen tokens, proactive management of users’ credentials, putting policies and procedures in place and terminating credentials at the end of the lifecycle.

Do I even need 2FA?

2FA is about getting the balance of security and productivity right, so it’s essential to assess the risk of information being accessed and the potential fall-out as a result of unauthorised use. For example, reading an online magazine has a different level of risk to accessing online banking.

Passwords still have a role and for some organisations tightening policies may be sufficient. However, it is important to remember that the harder the password is to remember, the more strain it puts on the IT helpdesk and the more frustrated users may become. Again, the right balance has to be found. After all, it’s easier for users to have their phone or token with them than it is to remember a 12-character, randomly generated password change every month.

Looking at all of this, maybe it’s easier to understand why not everyone is doing 2FA. But there is another way: 2FA can be implemented as a fully-managed service that removes the complexity, eliminates large up-front costs and the provision of new skills, and simplifies management of the solution and identity lifecycle. A hosted service also ensures the service is always up and running, provides 24/7 user support and has the flexibility to provide the different credentials each user needs and to scale up and down according to organisational needs.

All of a sudden, 2FA becomes affordable and manageable for any size of business.

Dave Abraham is CEO and co-founder of Cambridge-based Signify, the secure authentication service. Signify helps organisations to secure their staff’s remote access by providing two-factor authentication as a hosted cloud service. http://www.signify.net/