Why wait for FIDO? Multifactor authentication methods you can use now

FIDO-ready tech could take a while, but there are a variety of multifactor authentication methods available now to make your logins secure.

As the first FIDO-ready technology starts to emerge, the specifications the Fast Identity Online (FIDO) Alliance proposes represent just the latest effort to provide stronger authentication mechanisms. Multifactor authentication continues to evolve, and these technologies can offer a layered defense to enterprises that seek better tools to manage passwords and online authentication.

One form of two-factor authentication requires hardware-based security tokens that people carry around and use as part of the authentication process. These smartcards or key fobs display a series of numbers that are only valid for a short time, and they have to be entered correctly for users to successfully log in to network and online systems. RSA's SecurID is one well-known version, although dozens of vendors supply hardware-based tokens.

In recent years, soft tokens have become more popular than the hardware-based type. Using either an app on a smartphone, or the phone itself, soft tokens supply a secret code for the login authentication.

FIDO alternatives

The first public drafts of the FIDO specifications appeared in February. If you don't want to wait for FIDO, one of these multifactor authentication products might be the ticket for more secure logins. The downside is that if you have multiple apps that need the stronger security, you have to add the security to each one individually.

Most of the two-factor authentication tools use one of three methods: securing a RADIUS or Active Directory user's identity (see Fig. 1); providing identity information to a Web service using some form of SAML (Security Assertion Markup Language) and trusted certificates; or securing logins to a local network Web or application server itself using JavaScript or some other mechanism. Some vendors support multiple methods; Vasco, SafeNet and Microsoft support all three. (This is where FIDO will eventually shine, by the way, because many of these issues go away.)

Let's look at Microsoft's Azure Multi-Factor Authentication, which comes with a cloud-based service and Windows agents and supports a variety of mobile phones including Windows, Android and iOS. After you log in to a server on which the agent is installed, the service will call your phone and ask you to press the # key to verify your identity. The Microsoft authentication server can also send you a text message or send a notification to a smartphone app.

The simplest process is to add the authentication to your Windows servers; if you have a third-party Web server you'll have to use the supplied SDK.

PhoneFactor Agent

Figure 1. Microsoft’s authenticator main agent dashboard shows you the level of granularity and potential configuration parameters needed.

You'll need to understand Microsoft servers, the .NET Framework and Active Directory to implement the Microsoft authentication system. Debugging the Windows agent is complicated: There are text configuration files to edit, check boxes to uncheck and dozens of parameters that could trip you up, all spread across multiple menu screens. The service costs $24 per user per year; more details are available here.

FIDO-ready technology is coming and should provide good security. But in the meantime it's important to keep your logins secure. Hardware tokens and soft tokens, available right now, are your best options.

About the author:
David Strom is a freelance writer and professional speaker based in St. Louis. He is former editor in chief of TomsHardware.com, Network Computing magazine and DigitalLanding.com. Read more from Strom at Strominator.com.

This was last published in April 2014