How Much Authentication Is Right For You?

For years, organizations have relied primarily on username and password mechanisms to control access to data, networks, and applications. Recent studies suggest this approach is no longer tenable. 

The Verizon Business 2010 Data Breach Investigations Report found almost 50 percent of network breaches exploited stolen or weak credentials. A PricewaterhouseCoopers study showed 92 percent of firms surveyed had experienced a malicious security breach in 2009, with the average cost for large firms ranging from $440,000 to more than $1 million.

Business 2.0 is good for hackers too, it seems. While a spectrum of increasingly strong authentication methods is available, each with its own tradeoffs of security, cost and complexity, many organizations have struggled to find the right solution for their needs. In this article, we will review the state of the art and try to show where the most likely sweet spots for risk-mitigation value lie.

Admit it. You feel like your organization could be more secure. You’ve covered the basics with a firewall, desktop AV, spam filter, VPN and some kind of password policy, but you sense that’s not enough.

You know keystroke loggers can be installed by zero-day attacks and used to steal passwords. You know website downloads, email attachments, smart phones, thumb drives, nosy coworkers, insecure public WLANs and the like are just a few of the ways that passwords can be compromised. Your organization depends on the network’s reliability and security to keep things running and to protect corporate data, customer data and the brand. Unfortunately, your organization also has tight budgets and your team has limited cycles, so your choices are not exactly unlimited. What to do?

The best you can, basically. Let’s examine a continuum of secure authentication choices to see if any can be found that offer a natural sweet spot on the risk-mitigation-bang-for-the-buck meter.

First, let’s define terms. In general, our continuum measures “identity assurance.” This is the likelihood that the authenticating party is who they say they are. It is not an absolute measure but a rough gauge of increasing probability. Given cost and cumbersomeness considerations, most organizations will choose some point along the continuum to meet their individual needs based on compliance, brand risk, competitive environment, diversity of network user types and so on.

Second, let’s also assume that an organization may need differing levels of identity assurance for different user populations. Partners who log on to your network to get technical information may not need much identity assurance at all.

Conversely, partners who access your supply chain management system probably need to be strongly authenticated. VIP employees (e.g., Finance, HR, IT) whose credentials offer “keys to the kingdom” should require or justify very strong authentication and extra measures. Consequently, many organizations will seek an identity assurance approach that allows them to segment their user communities according to needs and cost considerations.

The Identity Assurance Continuum
So, let’s take a look at this continuum. Static passwords used to be the norm. Then, when dictionary attacks showed many users had opted for weak or easily guessed passwords, password policy evolved to require longer, stronger passwords that were not found in common password dictionaries and were changed regularly. This helped. Then, as users began to have to track dozens of credentials for professional and personal accounts, password reuse became an issue. In essence, if you used the same password for the corporate network, eTrade and Facebook, and Facebook was hacked, the other accounts could be compromised as well.

One of the responses to this is to track unique hardware or behavior of the end user, and to check at the start of each session that those known hardware or behavioral traits are present again. These techniques are software-based, and therefore relatively affordable. This may be done by using device ID (MAC addresses, hard drive serial numbers and the like).

It may track geolocation traits (are you logging in from Poughkeepsie again, or suddenly from Nigeria?). It may track the millisecond timing rhythm of how you type your password, almost like handwriting analysis. Notice that none of these are foolproof. Legitimate users sometimes change hardware or log in from a different machine. Legitimate users sometimes travel. Legitimate users sometimes log in one-handed while eating a sandwich. Consequently, most device-ID or behavior-tracking schemes need a backup method that raises identity assurance when they cannot confirm the user.
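The following is an added example (not code from the original article or from any vendor) of how a login service might combine the three signals just described, device ID, geolocation and typing rhythm, and fall back to a backup method when any of them fails. The signal names, the 0.35 rhythm tolerance, the hardware identifiers and the user profile are all constructed assumptions; a real deployment would tune thresholds from its own data.

```python
import hashlib
from dataclasses import dataclass, field

# Hypothetical risk-based login check (assumption: signals, thresholds and
# sample data are constructed for illustration, not taken from a product).


def device_fingerprint(mac: str, disk_serial: str) -> str:
    """Hash the hardware identifiers (MAC address, disk serial) so the server
    stores a fingerprint rather than the raw identifiers."""
    return hashlib.sha256(f"{mac}|{disk_serial}".encode()).hexdigest()


@dataclass
class UserProfile:
    known_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)
    rhythm_baseline: list = field(default_factory=list)  # ms between keystrokes


@dataclass
class LoginAttempt:
    fingerprint: str
    country: str
    rhythm_ms: list  # ms between successive keystrokes while typing the password


def rhythm_deviation(baseline, sample):
    """Mean relative difference between baseline and sampled inter-key
    intervals (0.0 = identical). No usable baseline counts as fully unknown."""
    if not baseline or len(baseline) != len(sample):
        return 1.0
    return sum(abs(a - b) / max(a, 1) for a, b in zip(baseline, sample)) / len(baseline)


RHYTHM_THRESHOLD = 0.35  # assumed tolerance


def assess(profile, attempt):
    """Return ("allow", []) when every signal matches the stored profile,
    otherwise ("step_up", reasons): the caller must run a backup method
    (for example an out-of-band PIN) before granting access."""
    reasons = []
    if attempt.fingerprint not in profile.known_devices:
        reasons.append("unknown device")
    if attempt.country not in profile.usual_countries:
        reasons.append("unusual location")
    if rhythm_deviation(profile.rhythm_baseline, attempt.rhythm_ms) > RHYTHM_THRESHOLD:
        reasons.append("typing rhythm mismatch")
    return ("allow", []) if not reasons else ("step_up", reasons)


def enroll_after_step_up(profile, attempt):
    """Once the backup method has confirmed the user, learn the new device and
    location so the traveller or the new laptop is not challenged every time."""
    profile.known_devices.add(attempt.fingerprint)
    profile.usual_countries.add(attempt.country)


# Constructed sample data: one enrolled laptop, one usual country, one rhythm baseline.
OFFICE_LAPTOP = device_fingerprint("00:1a:2b:3c:4d:5e", "WD-WX11A12B3456")
alice = UserProfile({OFFICE_LAPTOP}, {"US"}, [120, 95, 140, 110])

if __name__ == "__main__":
    usual = LoginAttempt(OFFICE_LAPTOP, "US", [125, 90, 150, 105])
    print(assess(alice, usual))
    # New machine, new country, and a one-handed sandwich rhythm: step up.
    abroad = LoginAttempt(device_fingerprint("a4:5e:60:aa:bb:cc", "S3Z9NX0M1234"),
                          "NG", [300, 260, 310, 280])
    print(assess(alice, abroad))
```

The point of `enroll_after_step_up` is the edge case the text raises: the backup method is not only a gate but also the way the profile learns, so a legitimate user who changes hardware or travels is challenged once rather than at every login.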

Knowledge-based identity assurance seeks to get the user to type or click something other than a password to reduce the odds of fraud. It may be the proverbial mother’s maiden name, or “What was the name of your first pet?” It may be presenting a set of GIFs and requiring the user to select the particular GIF they previously associated with their credential. These systems tend to be used by online merchants and banks because they require no hardware costs, and in theory users are less likely to forget personalized details.

However, users do forget, bad guys do find out mother’s maiden name, and tech support often gets called anyway. These systems are less appropriate for frequently accessed accounts because each access increases the chance that the information is captured, just as a password can be logged, learned or guessed. They also lengthen the login process.

For robust, frequent authentication, one-time password (OTP) tokens are popular. There are several subcategories with their own tradeoffs. All of them require a prompt from the user, and generate a PIN code that is valid for a limited time. Some require the user to press a button. Others require the user to first input a PIN. Some are software-based, and thus less costly and easier to distribute because they reside on a device the user already owns, but they are also slightly more vulnerable to compromise. Most OTP tokens are hardware-based. Their most common use today is VPN authentication.

While it is more difficult to steal an OTP token than just a password, it can be and has been done. OTP tokens are rarely used to authenticate to Windows itself, or to the network from inside the building. Once the session is initiated, OTP tokens do not provide additional authentication for transactions within the session, and some experts are concerned that malware and man-in-the-middle attacks could exploit them.

While studies such as the 2010 Verizon Business Data Breach Investigations Report indicate that man-in-the-middle attacks are comparatively rare, they do seem to be increasing, as are spear phishing and other highly targeted threats that might compromise transactions within a session.

Out-of-band authentication uses a second challenge-response channel, typically an SMS-enabled smart phone, to send the user a temporary PIN to access the network. It can be used for primary authentication but is mostly used only as a backup method. Its primary security advantage is that it is isolated from the laptop, so it provides additional transactional defense when the laptop is compromised.

To authenticate into Windows and transactions within sessions, smart cards have been the gold standard for years. Smart cards (or smart USB keys) embed a tamper-proof chip that holds a digital certificate and private key, which are used for authentication during the Windows login process and are almost impossible to extract.

The user inputs a PIN to trigger the process. Smart cards can also use these keys to digitally sign transactions such as email, and to encrypt emails or the contents of hard drives. This is literally military-strength security, but it has gotten much easier to own in recent years. Without good management tools, it tends to cost more per user to set up and manage.

That’s a basic smart card. Smart cards can be packed with more techniques to heighten assurance. Smart cards can generate OTPs. Smart cards can contain an encrypted photo of the card holder, which appears when the card is presented at a checkpoint. Smart cards can contain biometric data such as fingerprint or retina scans, and applets that interface with biometric readers at the device or door at which the user is authenticating. Combined with SSO, smart cards can be used to protect access to enterprise applications.

How Secure? How Costly? How Easy?
As you can see, there are many variations on the old chestnut of authenticating with “something you have, something you know, and something you are.” How do they stack up against each other? Let’s compare them using three main criteria: How secure? How costly? How easy? Since the ideal solution would be absolutely secure, free, transparent to users and trivial for IT, we’ll award 1 to 5 points on a relative scale for each of these criteria, with 5 being best in each category.

Our continuum is designed to go from low identity assurance to high. In general, lower security is less costly and less complex, but where are the natural sweet spots where security goes up faster than cost or complexity?

Since keystroke loggers can steal any typed password, the first meaningful step up in identity assurance comes when you employ device ID. For consumer applications this is a pretty good step, because it mostly limits risk to people with physical access to your machine, or the ability to remotely control your machine. 

It is relatively low in cost and complexity, hence its use by some online banking sites. For enterprises, it doesn’t do enough to reduce risk from insider threats. It may not satisfy PCI DSS compliance. Device ID scores Security 2, Cost 4 and Ease 4.

The next significant leap in security comes with OTP soft tokens. These use some device ID to bind the token to a particular machine, but add the advantage of generating an OTP for authentication to a VPN and the like. They completely defeat keystroke loggers and inhibit some forms of invasive malware.

Since they are downloaded by end users and self-installed on laptops or smart phones (or in web browsers on an employee’s home PC), they do not change costs much compared to simple device ID, behavior tracking or geolocation. They are, however, tied to the machine, so if the machine is lost, the soft token goes with it. OTP Soft Tokens score Security 3, Cost 4 and Ease 3.

The next quantum leap up is for hardware OTP tokens. While these cost enterprises more to procure and disseminate, they provide a greater amount of flexibility (one token can facilitate login from multiple machines) and it is less likely both a laptop and OTP token will be lost or stolen at the same time. 

Smartphones can now double as an OTP token, for one less device to carry. For corporate VPNs, OTP tokens have been the security sweet spot for some time. They are good as far as they go; some users complain about having to re-authenticate in the middle of sessions from time to time, but that is usually caused by the VPN software itself. OATH-based open-standard tokens have brought the price down, and batteries should last 5-8 years depending on treatment. OTP Hardware Tokens score Security 4, Cost 3 and Ease 3.

The next big step up is to smart cards or smart USB keys. These offer the closest thing to certainty in identity assurance, and when coupled with Enterprise Single Sign-On, can make hundreds of applications easier, faster and more secure to authenticate into. In fact, entering a smart card PIN is faster than username and password, and generally creates fewer help desk tickets. They do require either a built-in card reader, an external reader, or the use of a USB smart key.

For organizations of medium to large size, they also require a credential management system (CMS) on the back end to automate the creation, updating and revoking of smart card credentials. Fortunately, there are now CMS appliances that make deployment much faster, easier, and more affordable, so smart cards are heading in a favorable direction and opening up a new sweet spot. Smart Cards (with appliance) score Security 5, Cost 3 and Ease 4.

Few organizations go all the way to biometrics because of the considerable cost and difficulty of setup, and past reliability issues. People with brown eyes can be difficult to retina scan. People over 40 sometimes have worn-down fingerprints which do not read well. Biometrics score Security 5, Cost 2 and Ease 2.

Identity Assurance Sweet Spots
Users for whom remote strong authentication is necessary, but whose access to machines and budgets are limited, may find OTP Soft Tokens provide a reasonable balance of cost, security and convenience.

Users for whom local and remote strong authentication are necessary may find smart cards or smart USB tokens provide excellent security, better ease of use, and improving cost per user with CMS appliance options. SSO also has positive synergies with smart cards.

Hopefully the above review helps you see that you have choices, and can mix and match some approaches to meet the needs of your specific user populations. Most IT managers have to rank whether security, cost, or ease of ownership is most important, and that will inform where you investigate in depth. Best of luck.

