Nontoken Methods
By David Strom | Posted 2008-06-26
There’s a lot to consider before you implement two-factor authentication, because it touches your enterprise infrastructure, applications and networks.
Although tokens are probably the best-known second-factor method, they can be cumbersome and costly, and may be inappropriate for remote users. “The downside to tokens involves cost and inconvenience, especially when tokens expire or are lost,” says Jim Lowder, vice president of technology at OhioHealth, a nonprofit hospital system in Columbus, Ohio, that is replacing its 4,500 tokens. “It takes considerable effort and cost to manage all these tokens.”
The nontoken methods, which appeal because there is no dedicated device to issue, replace or lose, fall into two types: PC-dependent and PC-independent.
PC-dependent products include those from MultiFactor, which automatically install X.509 digital certificates on your computer. These certificates have been around for years, but aren’t used often because they are hard for users to manage. MultiFactor automates the certificate management process and protects the applications that run on a particular computer. The certificates are tied to a specific PC and the specific browser version running on that PC, so if you upgrade browsers or switch from work to home computers, you need to reauthenticate and download a new certificate.
The company has modules that plug into a Web server and use an outbound communications pathway (a text message to your cell phone, a land-line voice call or an e-mail message) to establish user identity before the certificate is issued. The certificate is then installed on the PC without user intervention, and as long as the user doesn't change browsers, no further out-of-band step is needed: the certificate itself serves as the second factor on later logins. The company directly supports a variety of Microsoft applications, including SharePoint, Outlook Web Access and .NET, but not Active Directory.
On the other hand, PC-independent methods don’t install any software on your computers—they work with the items you already have, such as your phones and voice. Positive Networks’ PhoneFactor, for example, is free for an individual user and costs $6,500 for a basic enterprisewide license for unlimited users.
PhoneFactor comes in two versions: as an agent for a Windows server, or as a software developer's kit that can be used to enable Web-based applications. There also are special versions for OpenID, LogMeIn and other applications, which shows how readily the technology can be integrated into a wide variety of Web-based applications. To use the system, you enter your usual user name and password into any computer, and PhoneFactor's automated attendant calls your landline or cell phone. You answer the call and press the pound key to confirm the login. You don't have to install any certificates or software.
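The password-then-phone-call flow just described, as an added example written for this page (it is not PhoneFactor's code, and the user name, phone number and fake clock are constructed): the server checks the password first, places a call only when it is correct, and treats the keypress as an approval that is bound to one specific login attempt, time-limited and single-use. The spoken prompt names the user and source address so that someone who receives a call they did not initiate can decline it.

```python
"""Out-of-band (phone call) login confirmation.

Constructed example of the pattern the article describes: password first,
then an automated call that the user approves with a keypress.  Not the
code of PhoneFactor or any other product; names and numbers are made up.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class PendingLogin:
    user: str
    source_ip: str
    created: float
    confirmed: bool = False   # the phone side reported a '#' keypress
    consumed: bool = False    # the web session has already used this approval


class OutOfBandAuth:
    TTL_SECONDS = 60.0  # an approval older than this is rejected

    def __init__(self, credentials, phones, place_call, now=time.time):
        # credentials: user -> (salt, pbkdf2 digest); phones: user -> number.
        # place_call(login_id, number, script) hands the prompt to telephony.
        # now() is injectable so expiry can be exercised without sleeping.
        self._creds = credentials
        self._phones = phones
        self._place_call = place_call
        self._now = now
        self._pending = {}

    @staticmethod
    def hash_password(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def begin_login(self, user, password, source_ip):
        """Step 1: verify the password.  Only a correct password triggers a
        call, so guessing user names cannot be used to ring a user's phone."""
        rec = self._creds.get(user)
        if rec is None:
            return None
        salt, digest = rec
        if not hmac.compare_digest(digest, self.hash_password(salt, password)):
            return None
        login_id = secrets.token_urlsafe(16)
        self._pending[login_id] = PendingLogin(user, source_ip, self._now())
        # The prompt names the attempt so an unexpected call can be refused.
        self._place_call(login_id, self._phones[user],
                         f"Login for {user} from {source_ip}. Press pound to approve.")
        return login_id

    def confirm_from_phone(self, login_id, keypress):
        """Step 2: telephony reports the keypress for the call it placed."""
        p = self._pending.get(login_id)
        if p is None or p.consumed:
            return False
        if self._now() - p.created > self.TTL_SECONDS:
            del self._pending[login_id]   # expired: the user must start over
            return False
        if keypress != "#":
            del self._pending[login_id]   # anything but pound is a rejection
            return False
        p.confirmed = True
        return True

    def complete_login(self, login_id):
        """Step 3: the web session proceeds once, and only after confirmation."""
        p = self._pending.get(login_id)
        if p is None or not p.confirmed or p.consumed:
            return None
        if self._now() - p.created > self.TTL_SECONDS:
            del self._pending[login_id]
            return None
        p.consumed = True
        del self._pending[login_id]       # single use: a replay finds nothing
        return p.user


def make_demo_auth():
    """One constructed user, a recorded 'phone line' and a fake clock."""
    calls = []
    clock = [1_000.0]
    salt = b"demo-salt-not-secret"
    auth = OutOfBandAuth(
        credentials={"dr.smith": (salt, OutOfBandAuth.hash_password(salt, "correct horse"))},
        phones={"dr.smith": "+1-614-555-0100"},   # constructed number
        place_call=lambda login_id, number, script: calls.append((login_id, number, script)),
        now=lambda: clock[0],
    )
    return auth, calls, clock


if __name__ == "__main__":
    auth, calls, clock = make_demo_auth()
    assert auth.begin_login("dr.smith", "wrong", "10.0.0.5") is None and calls == []
    lid = auth.begin_login("dr.smith", "correct horse", "10.0.0.5")
    assert auth.complete_login(lid) is None          # not yet confirmed
    assert auth.confirm_from_phone(lid, "#") and auth.complete_login(lid) == "dr.smith"
    assert auth.complete_login(lid) is None          # approval is single-use
    lid2 = auth.begin_login("dr.smith", "correct horse", "10.0.0.5")
    clock[0] += 61
    assert not auth.confirm_from_phone(lid2, "#")    # approval arrived too late
    print("out-of-band confirmation flow behaves as expected")
```

The three checks that matter in a deployment are the ones the block enforces: the call is only placed after the password succeeds, the approval expires, and it can be spent exactly once. Without the first, an attacker who knows only a user name can flood that user with calls; without the last two, a captured or stale approval could be replayed against a later login.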
OhioHealth is using PhoneFactor to complement a fingerprint scanning system from Imprivata. “For people whose fingerprints are not easily recognized—such as some ethnic groups who tend to have very fine skin—PhoneFactor is a viable alternative to provide confirmation of identity,” Lowder says.
“We facilitated the development of the system with Imprivata and McKesson, a clinical application vendor, to integrate the products into the medication ordering process,” he adds. “When physicians attempt to order medications, they are prompted through Imprivata to confirm they are the person signed in by swiping their fingerprint. In lieu of a fingerprint, they can use their cell phone or Vocera badge to confirm their identity through PhoneFactor.”
Voice Verified takes things a step further, using your voiceprint as the second factor. You read a five-digit number shown on the screen, and the system matches the recording against your enrolled voiceprint. The match threshold can be tuned to demand a closer or looser match, trading false rejections against false acceptances according to the security level and ease-of-use parameters required. "We are a hosted solution and use open-source technologies to integrate with our services," says Patrick Osborne, director of development and engineering.