Whether they are breaking into your offices or your computer system, criminals will always seek out the weakest link. So it really doesn't matter how good the rest of your security is if you cannot be sure of the identity of those who actually gain access. If the credentials of users logging onto your network can be compromised, you are potentially allowing unauthorised, malicious access and putting your data at risk.
For too long organisations have put their faith in passwords, yet hardly a day goes by without hearing about stolen passwords and other log-in credentials. Google, Microsoft, Sony, Toshiba and Facebook are just some of the high-profile names to end up red-faced. And even if they are not stolen, passwords can be easily compromised. Despite efforts to educate, many still choose something easy to remember such as a pet's name, a child's name or a football team. A little guesswork or social engineering will often reveal the information.
To strengthen this weak link, 2FA (two-factor authentication) has emerged over the last decade as the de facto method for securing remote access to networks, data and applications. When implemented properly, 2FA will not only significantly increase information security, it will also ensure that, for authorised users, gaining access is still quick and simple and does not impact negatively on productivity.
It certainly makes sense and sounds like the ideal solution to securing remote access to corporate networks and applications and assets in the cloud. But if it is, then why, despite the continued rise in IT related fraud and the much publicised, and very real, security threats from both external and internal forces, are so many businesses still simply relying on passwords to identify, authenticate and grant access to users?
What is 2FA and does it cost too much?
2FA basically adds another layer of security. To gain access, users need to enter something they know - a username, password or PIN - along with something they have. This is typically a small hardware token that generates a one-time password tied to the specific time at which access is requested, so a code that is intercepted is useless once its time window has passed. But this second factor can also be a software token, a one-time passcode sent to a mobile phone, a smartcard or a biometric such as a fingerprint.
The perceived cost of deploying and managing 2FA, along with the difficulty in calculating ROI have certainly proved barriers to adopting 2FA for some organisations.
In fact, the cost of installing and managing a 2FA system can sometimes prove higher than expected. As well as the tangible costs, such as infrastructure changes, the back-end systems and the deployment of end-user devices, there are other costs that are more difficult to quantify.
These include employing specialist skills, training for IT staff and end users, the cost of managing user credentials and ensuring all software always has the most up to date security patches. Furthermore, even if the internal skills exist, most organisations simply aren't geared up to run a 24×7 service which has to deal with users who find themselves unable to log in late in the evening or over the weekend. The result is often disgruntled users who can't do any work and over-stretched IT support staff.
The simple fact is that deploying an in-house 2FA solution is no walk in the park and can prove costly, which really does put it out of the reach of many SME organisations. And when it comes to selling the idea of 2FA to the business, the difficulty in calculating ROI makes matters worse. Like any security measure, it can be seen more as an insurance policy than as an enabling technology that makes the business more productive and flexible. The real value is protecting against financial and reputational loss from something that may never happen.
Is it too complex to deploy and manage for end users?
Most SME organisations or even large corporates simply do not have the internal resources to properly deploy and manage a 2FA solution. And 2FA is never a one size fits all solution. As well as complying with the organisation's security policy and industry standards, a 2FA solution must have the flexibility to adapt to different user requirements and change as the organisation grows and evolves.
To be successful, users have to be happy. 2FA must be seen as an important addition and not a pain in the neck that just makes working more difficult. The first important step in getting this right is to ensure each individual user is given the right credential type for their usage patterns. This means having flexibility in the choice of 2FA technology. For example, hardware tokens are really easy and reliable for frequent users, whereas for more occasional users, receiving an SMS to their mobile phone may be easier.
It is in the area of the user identity lifecycle that 2FA perhaps becomes the most complex and time-consuming to manage. Every user within an organisation has a unique identity with a lifecycle that runs from the creation of the digital identity to when that identity is deactivated because the person leaves or changes role. The management of this identity lifecycle is essential to the smooth running of 2FA, as well as to the user's satisfaction with the solution. With 2FA, there are many stages in the lifecycle and each needs to be carefully managed. These include:
- Allocating the user's credentials and access permissions to ensure the right people have the right access rights and permissions, and managing this throughout the entire user lifecycle
- Provisioning credentials to the user, whether physical or software tokens. This can be a time-consuming and sometimes expensive use of an IT department's time, particularly in the case of physical tokens
- Activating the user account with a PIN they can remember and all the information and help they need
- Authenticating users so they are able to log in reliably every time, with 24/7 support if they need it
- Handling forgotten, lost or broken credentials. This means providing the facility to reset forgotten PINs, disable lost tokens, grant emergency access and give step-by-step help
- Replacing tokens and other credentials if necessary
- Updating and changing access policies to accommodate role or organisational changes, for example. All of this needs to happen while making sure seamless access policies are in place
- Proactive management and tracking of expiring credentials. Most authentication credentials have an expiry date, and the last thing users want is for their token to run out when they urgently need to log in
- Suspending user credentials and deleting the user.
Do I even need 2FA?
As with any security measure, 2FA is about getting the balance of security and productivity right. It is therefore essential to understand and assess the risk of what is being accessed and the potential fall-out from unauthorised use. For example, reading an online magazine is clearly a different level of risk from accessing financial information or personal details.
Passwords certainly still have, and will always have, a role; and for some organisations tightening up on their password policies may be sufficient. However, it is also important to remember that the harder a password is to remember, the more strain it puts on the IT helpdesk and the more frustrated users become because they cannot gain access. Again, the right balance has to be found. After all, it is easier for users to have their phone or token with them than to remember a 12-character randomly generated password of letters and numbers that changes every month.
Looking at all of this, maybe it's easier to understand why not everyone is doing 2FA. But thankfully there is another way. 2FA can be implemented as a fully managed service that removes all the complexity, eliminates the need for large up front costs or the provision of new skills and simplifies management of the entire solution and identity life cycle.
A hosted service also ensures the service is always up and running, provides 24/7 user support and has the flexibility to provide the different credentials each user needs and to scale up and down according to organisational needs.
All of a sudden, 2FA becomes affordable and manageable for companies with fewer than 5 users as well as large corporates with thousands of users.