This content is part of the Buyer's Guide: Multifactor authentication: A buyer's guide to MFA products

Introduction to multifactor authentication methods in the enterprise

Expert David Strom looks at multifactor authentication (MFA) methods and how the technologies have evolved from key fobs to smartphones and mobile devices.

Older than the Web itself, multifactor authentication is a security control that requires a person to present more than one independent proof of identity before completing an online transaction or gaining access to a corporate application. The goal of multifactor authentication methods is to make it much harder for an adversary who has stolen or guessed a password to use the login process to roam personal or corporate networks, compromise computers and steal confidential information, or worse.

Simply put, multifactor authentication combines factors from different categories: something the user knows (the usual username/password login), something the user has (a key fob, a smart card, or a piece of software on a smartphone that generates a one-time code) and, increasingly, something the user is (a fingerprint or a voice print). The factors must be independent, so that compromising one, such as the password, does not also hand the attacker the other; two passwords, for instance, are not two factors.

Multifactor authentication used to be called two-factor authentication. Strictly, two-factor authentication is the special case of exactly two factors, but nowadays there are so many different factors that can be employed for additional security that the broader term has become the preferred nomenclature. Many in IT probably remember the biometric hand scanners that secure many a data center entry point as their first brush with these sorts of devices.

MFA tokens: From key fobs to smartphones

For employees on the move, one-time password generators in the shape of key fobs with a small LCD screen and a button first came into vogue during the early days of multifactor authentication more than a decade ago. Time-based tokens display a code that changes every 30 or 60 seconds; event-based tokens display a new code each time the button is pressed. Either way, the user must accurately type the code shown into the application or resource they are attempting to access before it expires or is superseded.

The passcodes generated by key fobs are checked against a server located on the enterprise network, which holds a copy of each token's secret seed and can therefore compute the expected code itself. This server runs the identity management processes, sets up various security policies, maps tokens to accounts in user directory stores such as Active Directory, and exposes the check to VPNs and network gear through protocols such as RADIUS.

If the entered code matches (servers typically accept a small window of adjacent codes to tolerate clock drift or a missed button press, but must never accept the same code twice), the user is allowed access. If not, he or she must start over by waiting for, or pressing the button to generate, a fresh passcode.

While these tokens were fine as a multifactor solution early on and are, in fact, still used in some quarters, key fobs today are considered a somewhat dated technology. They aren't perfect, either: any one-time code that the user types into a web page can be captured by an attacker sitting between the user and the real site and relayed before it expires. Take, for example, the sophisticated phishing campaign dubbed Operation Emmental (after the Swiss cheese), documented by Trend Micro in 2014, which combined a rogue certificate with a man-in-the-middle attack on two-factor bank logins.

Keeping track of tokens such as key fobs is cumbersome as well, and a user may not have the required token on hand when he or she needs to log in somewhere. There is also the added burden of deactivating tokens to terminate access as users leave the company or as key fobs are lost.

The answer to these problems? Smartphones.

Various smartphone apps have been built to generate the same one-time passwords as key fobs (the app holds the seed that used to be baked into the fob), and they help alleviate the above issues. And, as Apple and Google add fingerprint sensors to their phones, the second factor can move beyond simple one-time numeric passwords to a fingerprint read by the phone's built-in scanner. The fingerprint itself does not travel to the server, though: the sensor unlocks the app or a key stored on the device, and what the server still sees is a one-time code or a cryptographic response from the phone, so the phone remains the "something you have" factor.

Additional types of second factors enabled by smartphones and other mobile devices include codes delivered by SMS text or email, and using the camera to scan a QR code displayed on the webpage when signing in to an application or resource or approving a transaction. SMS and email deserve caution: the code goes to whoever controls the phone number or mailbox, and, like any code the user types into a page, it can be phished.

The growing appeal of multifactor authentication

As passwords alone have proven insecure, multifactor tools have widened their use from the original core of IT workers to just about everyone in many large enterprises, especially where personal information is being handled. They have also gone beyond the initial identity management tools and are now common in single sign-on products too.

On top of this, with the proliferation of software-as-a-service (SaaS)-based Web services and the extent to which users reuse passwords across them, multifactor authentication methods have become more important and have broadened their appeal to SMBs. In addition, the likes of Facebook, LinkedIn, Twitter, Gmail, Apple and numerous other vendors have adopted these tools to secure their own logins.

Enterprises that haven't yet used or supported multifactor tools will find they require some effort to configure and deploy. The tools have many moving parts, and enterprises will need specialists from different parts of the IT organization to coordinate, configure the infrastructure and get protected logins working properly.

While today's newer multifactor authentication tools are somewhat easier to manage, they still involve some integration effort. To that point, some of these products include software agents that protect specific resources, such as VPNs, SharePoint servers, Outlook Web App and database servers.

Finally, a relatively recent development has moved the traditional hardware-based onsite multifactor servers into the cloud. Most multifactor vendors offer both options, and they report customers choosing hosted deployments more than ever before, thanks to the flexibility the cloud offers in support and management.

Multifactor authentication pricing models

Typical costs for deploying multifactor authentication are a few dollars per month per token. That can add up to tens of thousands of dollars per year for companies with many users, many tokens, or both.

Complicating the picture, each vendor calculates the bottom-line price differently: there are quantity discounts, multi-year price breaks and 24x7 support fees. Some charge per token (with differing rates for hardware and software tokens), others per user or per server. Others price added components or integration layers separately.

Certainly, multifactor authentication tools are worth the hassle, especially as the number of password breaches continues to rise and grab headlines. Businesses need better ways to protect user logins than the simple username/password combination.

A quick survey of the current landscape highlights how multifactor authentication technology is being used in more and more places. Just look at the number of deployments by various consumer SaaS and social media services today. The combination of a robust multifactor authentication product landscape and users' awareness of the importance of strong authentication means there's likely never been a more favorable time for enterprises to consider multifactor authentication.

Next Steps

Read David Strom’s reviews of the latest multifactor authentication methods:
Symantec’s Validation and ID Protection (VIP) Service
Vasco’s IDENTIKEY Server v3.6
Dell Defender
Okta Verify
SecureAuth IdP v8.0
CA Strong Authentication
SafeNet Authentication Service
EMC RSA Authentication Manager and SecurID

Learn more about the link between multifactor authentication and cloud security success

Apple improves iCloud two-factor authentication

This was last published in October 2014

Join the conversation


It is time to make a step forward and leverage a device identity model. The user's collection of devices can provide the redundancy and security that is necessary. In addition, most modern devices have a hardware token capability built in with a TPM or TEE.
Two-factor authentication, though not a silver bullet, could be reliable when it comes with a reliable password. 2 is larger than 1 on paper, but two weak boys in the real world may well be far weaker than a toughened guy. Physical tokens and phones are easily lost, stolen and abused. Then the password would be the last resort. It should be strongly emphasized that a truly reliable 2-factor solution requires the use of the most reliable password. Using a strong password does help a lot, even against the attack of cracking stolen hashed passwords back to the original passwords. The problem is that few of us can firmly remember many such strong passwords. We cannot run as fast and far as horses, however strongly urged we may be. We are not built like horses. At the root of the password headache is the cognitive phenomenon called "interference of memory", by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. Textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional text.