Multifactor Authentication's Many Options
By Doug Bartholomew | Posted 2008-01-30
Usernames and passwords remain the most common means of authentication on enterprise networks and systems. Many security experts have considered passwords insufficient for some time, but they survive because of user familiarity, ease of use and a large installed base.
The biggest problems with passwords are users and management. Unless forced, users often pick weak passwords and rarely change them. Likewise, most enterprise users have eight to 12 separate identities across different systems and applications, meaning a unique password to remember for each. Human nature and memory being what they are, many users write their passwords in notebooks and on Post-it notes, which leads to compromises.
Technically, username-and-password is single-factor authentication: the username is an identifier, not a factor, and the password is the only factor, something you know. Adding a second or third factor increases security, because the remaining factor categories are something you have (tokens, certificates, smart cards) and something you are (biometrics, such as iris scanners, fingerprint and palm readers, and voice recognition). A second password or a security question adds another thing you know, not another factor.
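To make the factor categories concrete, here is an added example (not code from the article or from any vendor it mentions) of a login check that requires both a password, something you know, and a one-time code from a token the user holds, something you have. The article only says "tokens"; the choice of TOTP (RFC 6238, built on HOTP, RFC 4226) as the token algorithm, the user record, the salt and the PBKDF2 iteration count are assumptions of this example. The token seed is the RFC's own test-vector secret, so the codes it produces can be checked against the RFC's published values.

```python
# Added example: two-factor login check (password + TOTP token code).
# The token algorithm (TOTP, RFC 6238 over HOTP, RFC 4226), the user record,
# the salt and the iteration count are assumptions of this example, not from
# the article.
import hashlib
import hmac
import struct

PASSWORD_ITERATIONS = 200_000  # PBKDF2 rounds; an assumed deployment choice


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a password verifier with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PASSWORD_ITERATIONS)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % 10**digits).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter set to the current 30-second time step."""
    return hotp(secret, timestamp // step, digits)


def verify_totp(secret: bytes, candidate: str, timestamp: int, window: int = 1) -> bool:
    """Accept the code for the current step or +/- `window` adjacent steps (clock drift).

    The comparison is constant-time so a guess cannot be refined byte by byte.
    """
    for drift in range(-window, window + 1):
        expected = totp(secret, timestamp + drift * 30)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


# Constructed sample user record standing in for a directory entry.  The TOTP
# seed is the RFC 6238 test-vector secret ("12345678901234567890").
SALT = b"constructed-salt-16b"
USERS = {
    "alice": {
        "pw_hash": hash_password("correct horse battery staple", SALT),
        "totp_secret": b"12345678901234567890",
    }
}


def verify_login(username: str, password: str, otp: str, timestamp: int) -> bool:
    """Both factors must pass.  Both are evaluated even when the password fails,
    so timing does not reveal which factor was wrong."""
    user = USERS.get(username)
    if user is None:
        return False
    pw_ok = hmac.compare_digest(hash_password(password, SALT), user["pw_hash"])
    otp_ok = verify_totp(user["totp_secret"], otp, timestamp)
    return pw_ok and otp_ok


if __name__ == "__main__":
    t = 1111111109  # RFC 6238 test timestamp; 6-digit SHA1 code is 081804
    code = totp(b"12345678901234567890", t)
    print(code)
    print(verify_login("alice", "correct horse battery staple", code, t))
```

The one-step window on each side tolerates a token whose clock has drifted by up to 30 seconds; widening it trades convenience for a larger guessing surface. A real deployment would also record the last accepted time step per user and refuse a code from that step again, since a TOTP code that was shoulder-surfed or phished is otherwise replayable for the rest of its window.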
Few disagree that multifactor authentication provides stronger security. What has hindered adoption and deployment is often cost. Despite advances in biometrics and tokens, their costs remain significantly higher than those of passwords alone.
Alternative authentication methods have seen limited use. BioPassword’s “Fist of Sender” method associates a user with a unique typing rhythm (keystroke dynamics). Other schemes use visual recognition cues and puzzle solving to augment or replace conventional passwords. While these methods have shown promise, they have failed to capture significant market share, likely because of a lack of user familiarity and high false-negative (false-rejection) rates: people locked out of their systems because they cannot remember the correct picture combination.
Cost notwithstanding, enterprises have adopted limited forms of multifactor authentication to control access to sensitive areas, such as data centers, and to confidential data. Some online payment and commerce services, such as PayPal, are experimenting with low-cost tokens and digital certificates, betting that the public is ready for multifactor authentication to protect their identity and financial data. Perhaps, but previous efforts to drive multifactor authentication adoption have failed. Until the day multifactor authentication is mandated, username-and-password will reign supreme.