As the first FIDO-ready technology starts to emerge, the specifications the Fast Identity Online (FIDO) Alliance proposes represent just the latest effort to provide stronger authentication mechanisms. Multifactor authentication continues to evolve, and these technologies can offer a layered defense to enterprises that seek better tools to manage passwords and online authentication.
One form of two-factor authentication requires hardware-based security tokens that people carry around and use as part of the authentication process. These smartcards or key fobs display a series of numbers that are only valid for a short time, and they have to be entered correctly for users to successfully log in to network and online systems. RSA's SecurID is one well-known version, although dozens of vendors supply hardware-based tokens.
In recent years, soft tokens have become more popular than the hardware-based type. Using either an app on a smartphone, or the phone itself, soft tokens supply a secret code for the login authentication.
The first public drafts of the FIDO specifications appeared in February. If you don't want to wait for FIDO, one of these multifactor authentication products might be the ticket for more secure logins. The downside is that if you have multiple apps that need the stronger security, you have to add the security to each one individually.
Let's look at Microsoft's Azure Multi-Factor Authentication, which comes with a cloud-based service and Windows agents and supports a variety of mobile phones including Windows, Android and iOS. After you log in to a server on which the agent is installed, the service will call your phone and ask you to press the # key to verify your identity. The Microsoft authentication server can also send you a text message or send a notification to a smartphone app.
The simplest process is to add the authentication to your Windows servers; if you have a third-party Web server you'll have to use the supplied SDK.
Figure 1. Microsoft’s authenticator main agent dashboard shows you the level of granularity and potential configuration parameters needed.
You'll need to understand Microsoft servers, the .NET Framework and Active Directory to implement the Microsoft authentication system. Debugging the Windows agent is complicated: there are text configuration files to edit, check boxes to uncheck and dozens of parameters that could trip you up, all spread across multiple menu screens. The service costs $24 per user per year; more details are available from Microsoft.
FIDO-ready technology is coming and should provide good security. But in the meantime it's important to keep your logins secure. Hardware tokens and soft tokens, available right now, are your best options.
David Strom is a freelance writer and professional speaker based in St. Louis. He is former editor in chief of TomsHardware.com, Network Computing magazine and DigitalLanding.com. Read more from Strom at Strominator.com.