To a small and medium-sized business (SMB), setting up a two-factor authentication system can be scary. There's extra hardware to buy and the maintenance could be a nightmare. It's enough to stop an SMB with a limited budget and no dedicated information security staff from even considering implementation of two-factor authentication.
Before going the two-factor route, there are two things the SMB needs to understand: exactly what two-factor authentication is, and what the risks it's trying to protect against are.
What is two-factor authentication?
Two-factor authentication provides a multilayered defense, or defense in depth. If one factor is compromised (a phished password, say, or a lost token), the attacker still lacks the other, and the login should be blocked.
There are three kinds of authentication factor: something you know, something you have and something you are. Something you know is a password or PIN (the user ID identifies the account but is not a secret and counts for nothing on its own). Something you have could be a one-time password (OTP) token, a smart card or a similar device that stores or generates authentication credentials. Something you are is a physical characteristic, measured by a biometric reader: fingerprints, facial or voice patterns, or some other measurable body characteristic, such as an iris pattern.
Two-factor authentication combines two of these kinds of factor in a single authentication system, and they must be of different kinds: a password plus a security question is still only something you know. For example, a user would enter a user ID and password on a Web site, and then would be asked for the current value from an OTP token.
Determining the risks
Next, do a thorough risk analysis of what the system is supposed to protect. This must be done before even considering implementing two-factor authentication. If the likelihood of data loss is low, or the data isn't valuable, then a two-factor setup might be overkill. Risk analysis starts with a data classification standard. This should be part of every SMB's information security policy and should have at least three levels of sensitivity: low, medium and high. The classification defines which data fits into which category, and therefore which systems need the stronger authentication.
Publicly available information, such as marketing brochures and advertisements, would be low risk. Data about company plans and processes might be medium risk -- loss of such information could put the company at a competitive disadvantage but maybe not out of business. Customer information, including Social Security numbers or account numbers, is high risk. The loss of customer data could lead to identity theft and, as a result, lawsuits or other liabilities against the company.
After classifying your data, determine the purpose of the authentication system. Is it to protect against real breaches that have occurred in the past or others that might be expected in the future? Is it for meeting compliance requirements like those of the Federal Financial Institutions Examination Council (FFIEC) for two-factor authentication for banking Web sites? Is it for protecting financial transactions on a Web site, or for remote access for your traveling users who might be logging in from their laptops at an airport or hotel?
The FFIEC guidelines take a broader view of two-factor authentication that includes fraud-monitoring systems, which operate on the back end and are invisible to the user. These aren't true two-factor systems, since they never prove possession of a token or device; they flag anomalous logins and transactions after the fact, and the guidelines accept them as a layered control. For protecting remote access, where there is no transaction stream to monitor, a more traditional approach using a token or a smart card might be in order.
Here are some well-known products in the market that SMBs might consider for implementing two-factor authentication:
One is the Aladdin eToken. As a smart card, the eToken can hold a digital certificate and integrate into a public key infrastructure (PKI) system, and the devices can be managed centrally with the Aladdin Token Management System.
Between flexible token alternatives, managed authentication services and low-cost cards and devices, SMBs have a variety of options for implementing two-factor authentication.
Joel Dubin, CISSP, is an independent computer security consultant based in Chicago. He is a Microsoft MVP in security, specializing in Web and application security, and is the author of The Little Black Book of Computer Security, available from Amazon.com. He is also the author of the IT Security Guy blog at http://www.theitsecurityguy.com.