In the trenches
Token support isn't enough
Hidden costs can derail strong authentication rollouts
Implementing strong authentication is about planning, education and simply accounting for the foibles of human nature.
One of the most common stumbling blocks is user acceptance and the resulting support costs to roll out such an implementation.
"It simply makes authentication harder," says Peter Gregory, a senior security specialist at a company that provides on-demand business services. "There are more pieces on the critical path for a user who needs to access systems.
"There are difficulties simply because people can't find the token, they lose the token, they accidentally drop the token in water, etc. All of this translates into support costs," says Gregory.
As a result, security managers should have a detailed, mapped-out plan, according to users who have gone through this process.
"Support personnel including help desk and desktop services must be ready to field calls from users who are confused," says Ron Woerner, information risk manager at ConAgra Foods.
Gregory agrees, and adds that companies need to account for all the hidden costs. The cost of implementation--getting people trained, provisioned and supporting them--probably exceeds the cost of the token itself.
Depending on the size of the organization and type of authentication used, training can be cumbersome.
Training and rollout can be especially difficult when large organizations try to do it en masse. "It's usually an all-or-nothing deal," explains Woerner. "In large organizations, it requires a lot of coordination to ensure there are no gaps."
Furthermore, with today's highly distributed workforce, logistical rollouts aren't simple. You can't walk down the hall and hand out tokens. It makes it more time-consuming, Gregory says.
And while the second factor provides additional security, it is not foolproof. "For fobs or number generators, there is still a worry that the second factor does not necessarily ensure that it is really the user in question. I can steal a fob and with some other social engineering I can log in to the system," says Ernie Hayden, CISO of the Port of Seattle.
For that reason, biometric devices are more secure, but also come with their own headaches, Hayden says.
A headache to avoid is a biometric implementation that doesn't integrate with Active Directory or the GINA (Graphical Identification and Authentication) for Windows systems--the primary systems used for user authentication. "You need to be absolutely sure that all aspects of privacy are addressed in the specification, procurement and implementation," says Hayden.
Strong authentication "isn't a panacea but it does close one of the avenues of weakness," says Gregory.