Understanding Two-factor Authentication

The notion of using something whose only purpose is to help identify you to computing systems is older than the Web, but it’s gaining traction as the number of phishing and hacking exploits rises. Called two-factor authentication (the first factor is something you know, like a user name and password, while the second is something you have, like a token), this type of security can help enterprise IT managers safeguard their applications. Two-factor authentication can be token- or nontoken-based.

Token Methods

Token methods use a small electronic device, roughly the size of a large USB thumb drive or key fob, with a small LCD screen and a button. When a user presses the button, the screen displays a sequence of numbers for 30 to 60 seconds. The sequence must be typed into the application during that time period. This is called a one-time password. If a user mistypes the sequence, he or she must press the button to get a new sequence.
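The following is an added example, not code from the article or from any of the token vendors it names, showing the computation behind a one-time password of this kind. It uses the HMAC-based (HOTP, RFC 4226) and time-based (TOTP, RFC 6238) algorithms as a generic model of what the token and the authentication server each compute from a shared secret; the specific scheme a given vendor's token uses is not stated on the page and is assumed here. The `TotpVerifier` class is a hypothetical server-side check that tolerates one step of clock drift and rejects a code that has already been accepted, which is the property that makes a code "one-time". The secret below is the RFC 4226/6238 test-vector key, not a real credential.

```python
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 reference test-vector key (ASCII "12345678901234567890").
# Constructed for this example; a real token holds its own random secret.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226, SHA-1).

    The token and the server share `secret`; each press of the button (or, for
    TOTP, each 30-second step) advances `counter`. The HMAC is truncated with
    the RFC's dynamic offset and reduced to a fixed number of decimal digits.
    """
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                               # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)       # keep leading zeros


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the time-step counter."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Hypothetical server-side verifier for a time-based token.

    Accepts a code for the current step or `drift` neighbouring steps (to allow
    for clock skew between token and server) and refuses to accept any step at
    or before the last one that succeeded, so a captured code cannot be replayed.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, drift: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.drift = drift
        self.last_step = -1  # highest time-step already consumed

    def verify(self, code: str, unix_time: int) -> bool:
        current = unix_time // self.step
        for candidate in range(current - self.drift, current + self.drift + 1):
            if candidate <= self.last_step:
                continue  # this step was already used: replay attempt
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self.last_step = candidate
                return True
        return False


if __name__ == "__main__":
    # What the token's display would show at RFC 6238 test time t=59 (step 1).
    print("code at t=59:", totp(DEMO_SECRET, 59))
    v = TotpVerifier(DEMO_SECRET)
    print("first use accepted:", v.verify(totp(DEMO_SECRET, 59), 59))
    print("same code again:", v.verify(totp(DEMO_SECRET, 59), 70))
```

The values produced for `DEMO_SECRET` match the published RFC test vectors, which is a useful sanity check when implementing the server side of a token scheme; the replay check is what turns a correct code into a single-use one, since a code observed by a phisher is worthless once the legitimate user has already used that step.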

There are many token vendors, including CryptoCard, Positive Networks, RSA and Secure Computing. They have been around a long time, and millions of tokens are now in use in a wide variety of organizations.

The University of Minnesota distributed more than 5,500 Secure Computing SafeWord tokens in a project begun about a year ago. “A number of users have given us positive feedback because they don’t have to remember as many passwords now,” says Mark Powell, manager of the Office of Information Technology Data Security. The university has custom-branded the tokens with its colors and logo, calling them “M Keys” and setting up a Web site to help students and faculty use the tokens.

Token-based systems have their implementation quirks, mainly in how applications process authentication requests and interact with enterprise authentication services, such as RADIUS and Active Directory. “Some of our users had to upgrade to newer versions of desktop software or had to change the desktop software configurations to work with the M Keys,” Powell says.