Information Security


User authentication options: Using two-factor authentication for security

Discover how using two-factor authentication can improve organizational security. Weigh your authentication options and choose the right product for your enterprise.

From tokens to biometrics, there are many user authentication options. Organizations must carefully evaluate the...



Christopher Paidhrin had no difficulty selling an enterprise single sign-on and fingerprint authentication solution to upper management at Southwest Washington Medical Center. Quite simply, it took the hassle out of HIPAA compliance.

"By implementing this solution we addressed eight principal requirements and 15 secondary requirements," says Paidhrin, senior security officer for ACS Healthcare Solutions, the IT outsourcing partner to the hospital.

Regulatory requirements such as HIPAA, along with newer rules from the Federal Financial Institutions Examination Council (FFIEC), are forcing organizations to scramble for authentication and identity management options. Meanwhile, Homeland Security Presidential Directive 12 (HSPD 12) mandates that federal agencies issue a single ID card for physical and IT access by Oct. 27.

Because of these new and existing regulations, Information Security readers rank strengthening authentication as their top identity and access management priority for this year.


In general, organizations should consider which regulations impact them and conduct a risk analysis of their systems. From there, they can decide the most appropriate authentication methods to apply so they're protecting systems with sensitive data and meeting regulatory requirements without going overboard.

Tokens, smart cards, biometrics and certificates all offer stronger ways of identifying users, customers and partners. Each has its strengths and weaknesses, and costs range from roughly $1 to $35 per user. Companies must weigh those costs against the benefits and understand that no single solution provides sure-fire security.

Password triage

The Southwest Washington Medical Center has one of the busiest emergency rooms on the West Coast with more than 100,000 visits per year. Bogging down personnel with multiple logins and passwords cuts into patient care, which is unacceptable, explains Christopher Paidhrin, senior security officer for ACS Healthcare Solutions.

Enterprise single sign-on was an obvious solution, and Paidhrin decided to go with OneSign ESSO from Imprivata. The rollout, which began in February, lasted four months and focused on 75 of the hospital's 160 applications.

Paidhrin's team began the implementation with the clinical side of the hospital, where each employee logs in to 12 applications. He then took the ESSO solution to the emergency room and rolled out biometric devices in conjunction with the Imprivata technology. According to Paidhrin, the rollout was smooth because out of the box, OneSign ESSO supported biometrics, swipe cards and proximity cards, among other strong authentication mechanisms. More difficult was having the IT infrastructure ready to receive the SSO solution, he says.

"We needed our Active Directory policies in place, and structured processes throughout the IT infrastructure," says Paidhrin. Your security posture is only as strong as the weakest link, he says.

--Kelley Damore

How do security tokens work?
Used in combination with a user name and password, tokens are a popular means of strong, two-factor authentication (something you know and something you have). There is a wide variety of tokens available, including USB tokens, random-number-generator key fobs that produce one-time passwords, and software tokens that emulate the function of a hardware token on a computing device.

Pros and cons: Among the token choices, the USB token tends to be the most cost effective and versatile. A USB port is standard equipment on today's PCs, so no separate reader is required, as it is for other two-factor methods such as smart cards. Unlike one-time-password generators like RSA Security's SecurID, USB tokens provide storage for certificates and logon credentials, making them more flexible. RSA Security, Aladdin Knowledge Systems, ActivIdentity (formerly ActivCard), Authenex and SafeNet are a few of the vendors offering USB tokens.

However, implementing tokens isn't easy. Token vendors tend to split their client software into several discrete components: one for storing network credentials, another for storing Web site information and a third for VPN credentials. Each component then needs its own compatibility analysis and version control against the enterprise desktop build. Users are also reluctant to carry yet another hardware device to access enterprise services, and can easily lose it. Software tokens avoid that drawback, but can only be used on the host where the software resides.

Another problem with most tokens is that the client software may leave user names and passwords on the hard drive (see "Safe Mode: Danger Zone," below). In addition, it's possible to crash the client software (particularly Java-based software) by overloading the processor with many simultaneous tasks, or with workloads such as CAD that consume large amounts of CPU and memory.

What to do: Depending on their security needs and regulatory requirements, companies may want to deploy USB tokens throughout the enterprise for network logon or just for remote access via a VPN or Citrix system.

How do smart cards work?

A smart card looks like a credit card but contains a small microcontroller attached to an electrically erasable programmable read-only memory (EEPROM) chip. The chip connects through direct physical contact with a smart card reader, which can be attached to a PC. Newer smart cards also integrate a cryptographic coprocessor with the microcontroller, so encryption and signing operations run quickly on the card itself and the private key never has to leave it.

Pros and cons: Price has been a big barrier to wide deployment of smart cards. When they were first introduced, they cost about $100 each plus the reader and software. Prices have since come down, and smart cards use the same chips as USB tokens, so the two have identical functionality. USB tokens, however, are far more convenient to carry, less prone to breakage in a trouser pocket, and need no reader beyond the USB port built into every PC.

What to do: Companies wanting multifunctional ID cards for both physical and network access might consider smart cards. Some vendors offer smart cards that can be used as a proximity badge for building access and also for logical access. Smart cards may become more widespread as federal agencies comply with HSPD 12.

Corporations have long wished for a biometrically authenticated card that provides a user with both physical and logical access. HID offers such a card, but the cost makes the solution prohibitively expensive for all but the most security-conscious environments.

How does biometrics work?

Biometric authentication is based on a physical or behavioral characteristic, such as the face, fingerprints, hand geometry, retinas, handwriting or voice. Many computer manufacturers are building swipe fingerprint readers into the computer's case or keyboard.

At the same time, the Trusted Computing Group (TCG) is driving adoption of the Trusted Platform Module (TPM) chip on the motherboard of most business-class desktops, laptops and tablet computers. Manufacturers including Dell, Fujitsu, Hewlett-Packard, Intel, Lenovo and Toshiba have joined TCG and ship TPMs. The TPM is a microcontroller that stores cryptographic keys and protects passwords and digital certificates; client software reaches it through secure channels in the vendor's software stack. Combined with a built-in swipe fingerprint reader, the TPM provides strong authentication and protected credential storage.

Pros and cons: TPM adoption by the major PC vendors, combined with free client biometric software, is driving down costs dramatically in this market and facilitating enterprise deployment. Standalone biometric readers such as fingerprint, retina and handprint scanners have historically been in the $100 range plus software costs. Currently, only fingerprint readers are being added to PCs at the point of manufacture.

The biometric software typically converts the fingerprint into a template, a set of data points that mathematically represents the fingerprint but cannot be used to recreate the fingerprint image. Vendors vary widely in how they implement this measurement and matching. The crossover error rate, the threshold at which the false accept rate equals the false reject rate, is a good measure of a reader/software combination's accuracy, but the readers themselves can also misread dirty, damp or damaged fingers.
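
To make the crossover error rate concrete, here is an added example (not from the article or any vendor) that computes false accept and false reject rates across every candidate decision threshold, finds where they cross, and shows what a stricter operating point costs in rejected legitimate users. The matcher scores are constructed for illustration; a real evaluation would use thousands of genuine and impostor comparisons from the candidate reader.

```python
def error_rates(genuine, impostor, threshold):
    """FRR: share of genuine (same-finger) scores rejected because they fall
    below the threshold. FAR: share of impostor scores accepted because they
    reach it. Scores are matcher similarity values; higher means closer."""
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return far, frr


def crossover_error_rate(genuine, impostor):
    """Sweep every observed score as a candidate threshold and return
    (threshold, far, frr) where FAR and FRR are closest: the crossover
    (equal error) rate. Lower is better, and it summarises the reader and
    algorithm together, independent of the vendor's default threshold."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = error_rates(genuine, impostor, t)
        if best is None or abs(far - frr) < abs(best[1] - best[2]):
            best = (t, far, frr)
    return best


def operating_point(genuine, impostor, max_far):
    """Lowest threshold whose FAR does not exceed max_far, with the FRR that
    legitimate users will pay for it. Returns None if no threshold achieves
    the target."""
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = error_rates(genuine, impostor, t)
        if far <= max_far:
            return t, far, frr
    return None


# Constructed matcher scores on a 0-100 similarity scale (not vendor data):
# GENUINE  = a user's live finger against that user's enrolled template,
# IMPOSTOR = other users' fingers against the same template.
GENUINE = [62, 70, 74, 78, 81, 85, 88, 90, 93, 96]
IMPOSTOR = [21, 30, 38, 45, 52, 58, 64, 69, 73, 80]

if __name__ == "__main__":
    t, far, frr = crossover_error_rate(GENUINE, IMPOSTOR)
    print(f"crossover at threshold {t}: FAR={far:.0%} FRR={frr:.0%}")
    t, far, frr = operating_point(GENUINE, IMPOSTOR, max_far=0.0)
    print(f"zero false accepts needs threshold {t}: FRR rises to {frr:.0%}")
```

Two readers with the same crossover rate can still behave very differently at the threshold you actually deploy, so ask the vendor for the full FAR/FRR curve, not a single headline number.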

Other issues to consider before choosing this type of biometric solution are what's required to effectively deploy and centrally control the required client software, and whether there is reporting to a central server on security events such as unauthorized access. The answers to these questions vary from manufacturer to manufacturer.

What to do: Look first to implement a built-in fingerprint reader/TPM solution for users that are accessing high-value data such as mergers and acquisitions material, technical research and marketing plans. Then consider deploying it in a measured way across the enterprise to other users, keeping in mind the time it takes to deliver client software to thousands of desktops and to enroll users' fingerprints with the readers.

Cost estimates for strong authentication products (per user per year)

Smart cards/PINs/biometrics: $18-$35
Hardware and software tokens that display one-time passwords: $3-$25
Knowledge-based/life questions: $1-$2

Source: RSA Security estimates; the range depends on deployment size and any associated software and hardware.

How do security certificates work?

Certificates are typically used in conjunction with USB tokens or smart cards but can be deployed separately. A certificate is issued to a user, a token or a particular machine, and during authentication the holder proves possession of the private key that matches the certificate's public key. Certificates are much more secure than they were a few years ago thanks to stronger keys and algorithms and more robust certificate stores.

Pros and cons: Certificates tend to be a stronger form of authentication, but come at a much higher cost. The infrastructure an enterprise typically needs (servers, a hierarchy of certificate authorities and the staff to run them) is expensive to set up and maintain. Third-party managed services help, but certificate authentication is still more expensive than most of the other options reviewed here.

What to do: Organizations with extremely high security requirements, such as government agencies handling classified information, will want to consider certificates. Today, there are discrete pockets of certificate implementations, but with the increasing deployment of USB tokens and TPM chips, this sector is expected to grow over the next decade to become nearly ubiquitous.

Safe Mode: Danger Zone
While strong authentication seems foolproof, nearly all of these systems can be bypassed entirely or critically hindered by booting the computer into "safe mode."

If an attacker can get to the desktop and run a disk editor of any type, he can search for user names and passwords that authentication software commonly leaves behind in the Microsoft Windows paging file or temp files. Once he has a user name and password, he can log in as that user regardless of which multifactor authentication system is deployed. Unfortunately, users often store their tokens or other authentication devices with their computer, handing the intruder the second factor as well.
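
The search the attacker performs can equally be run by the defender first. The added example below (not from the article) extracts printable ASCII and UTF-16LE strings from a raw dump and flags credential-looking key/value pairs in them; Windows writes most of its strings as UTF-16LE, which a plain ASCII string search misses. The buffer standing in for a slice of pagefile.sys, and the credentials inside it, are constructed, and the key names it looks for are an assumption about what a client might write out.

```python
import re

# Printable-ASCII runs, and the same characters encoded as UTF-16LE (a
# Windows-native "pass" sits on disk as b"p\x00a\x00s\x00s\x00").
_ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
_UTF16LE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")
# Assumed key names an authentication client might write verbatim.
_CRED_PAIR = re.compile(r"(?i)\b(password|passwd|pwd|username|user|login)\s*[=:]\s*(\S+)")


def extract_strings(blob: bytes):
    """Yield (offset, encoding, text) for every printable run in a raw dump."""
    for m in _ASCII_RUN.finditer(blob):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in _UTF16LE_RUN.finditer(blob):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")


def find_credential_candidates(blob: bytes):
    """Return a dict per credential-looking key/value pair found in the dump,
    with the byte offset so the hit can be examined in a hex editor."""
    hits = []
    for offset, encoding, text in extract_strings(blob):
        for m in _CRED_PAIR.finditer(text):
            hits.append({
                "offset": offset,
                "encoding": encoding,
                "key": m.group(1).lower(),
                "value": m.group(2),
            })
    return hits


# Constructed stand-in for a slice of pagefile.sys: binary filler around one
# ASCII pair and one UTF-16LE pair (both fake). Real dumps are gigabytes;
# read them in overlapping chunks rather than into memory at once.
SAMPLE_PAGEFILE = (
    b"\x00" * 32
    + bytes(range(0x80, 0x100))
    + b"username=jdoe\x00"
    + b"\x00\x00"
    + "Password=Hunter2!".encode("utf-16-le")
    + b"\x00\x00"
    + b"GET /index.html HTTP/1.1\r\n"
    + b"\xff" * 16
)

if __name__ == "__main__":
    for hit in find_credential_candidates(SAMPLE_PAGEFILE):
        print(f"offset 0x{hit['offset']:x} ({hit['encoding']}): "
              f"{hit['key']} -> {hit['value']}")
```

Run it over a pagefile or hibernation file copied from a test machine after a normal logon to see what a candidate client leaves behind. The durable fix is to deny the attacker the disk rather than to hunt for leaks: full-disk encryption, and a firmware password that prevents booting into safe mode or from removable media.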

Additionally, the vendor-supplied software of a strong authentication solution must work seamlessly with your network client software. That is easiest on Microsoft Windows, but Windows also has the worst page file leaks. Novell, Sun Microsystems and other platforms are not as well supported by security vendors, but tend to be more secure because they use different network authentication mechanisms.

Using two-factor authentication: The time is now
Without a doubt, strong authentication can be expensive, depending on the chosen technology. But losing 20 percent or more of your share value to a loss of consumer confidence when an executive's laptop is stolen and thousands of private data records are exposed is even more costly, so two-factor authentication is a recommended security practice.

Authentication technology has improved greatly over the past two years and will continue to do so. The associated software continues to be a source of failure, though it is also improving. The total cost of ownership due to administrative costs is still too high, but is dropping.

The regulations are in place, and it is time to provide our businesses and clients with a stronger sense of security via better authentication.

