When it comes to ensuring that users are who they say they are, there's only one idea that all security experts agree on: Passwords aren't enough.
Only 28% of the IT and security pros we surveyed who were using strong passwords considered them very effective, according to InformationWeek Analytics' 2010 Strategic Security Survey. But what to do about it? There's the rub.
Part of the problem is the number of choices. Strengthening authentication usually means adding a second factor (something you have) to an existing strong password (something you know). But what should that second factor be? Vendors are pushing everything from random-number generators to tokens to phone calls to biometric verification. What you pick depends on how foolproof you need the authentication to be--and how much you can spend.
The best way to design a secure authentication strategy is to do a comprehensive risk assessment that accounts for the sensitivity of the data, its potential exposure to unauthorized users, and any applicable regulations. Here are five questions to get you started.
1. What needs protection? Are you securing your corporate network, a sensitive database server, or a customer-facing Web site? Your risk assessment should analyze the impact that unauthorized access to those systems will have.
2. Who will be accessing the protected resource? Are they all your employees or will contractors and customers have access? Knowing the population is important.
3. Do you manage the workstations? Will users authenticate to your systems only from computers managed by your IT group? If the answer is yes, then you don't need client-side software for machine signatures or certificates. However, for customers and partners, the answer is almost always no, so you're left with options that don't require touching the computer, such as user name and password, knowledge-based authentication, and message replay.
4. Where will your users be when they access the protected resource? Are they all in the same office or scattered all over? If they're in one place, the risk is lower, but that's the unusual case.
5. What are your organization's future needs? Will you be adding new services, acquiring businesses, or hiring 1,000 new employees? It's difficult to predict future needs, but choosing authentication technologies that are standards-based and scalable is important to make sure you're prepared for what's to come.