Is it Time for Two-Factor Authentication?

10 Jun

securID.jpgThe recent security breach at Citibank, coupled with even RSA hiring what may be its first Chief Security Officer Edward Schwartz, point out that you can never be too paranoid about your personal and corporate data security. RSA was in the news earlier this year for an attach on its SecurID two-factor tokens, something that had been considered the ultimate in enterprise security.

It might be time to take another look at two-factor authentication, and see if it makes sense to implement this in your organization. Here are three basic steps to get started:


First, take a look at what Google and Facebook have done with adding two-factor authentication to their accounts. Both use somewhat similar systems, tying your account to your cell phone and sending you a text message that you have to enter as part of your login process. Google adopted two-factor authentication last fall and Facebook added two-factor to their accounts in May. And eBay/PayPal have had two-factor authentication for several years on its accounts, too. While these are all personal solutions, they help gain experience in using these two-factor solutions and give you some perspective before you want to implement these corporate-wide.

Second, look at adding two-factor security to two of your most common entry points: email and VPN access. Both will mean some end-user training and will require some effort to implement, but there are a wide variety of solutions.

In addition to RSA, there are several other two-factor authentication token vendors, some that use texting to phones and some that offer their own hardware or software-based tokens.

  • PhoneFactor has a similar system to Google and Facebook, texting codes to your cell phone. They can secure a wide variety of systems, including VPNs, Outlook Web Access and others, and offer a free version for up to 25 users. For larger populations, they also will credit you $15 per each RSA SecurID token towards any new deployment.
  • Digital Persona offers both SMB and enterprise versions of their software that can use a wide variety of tokens and methods for two-factor authentication, set up whole disk encryption, and other security measures. They also offer a free trial. Here is an example of their administrative console.
    digital persona console.jpg

  • Symantec/Verisign offers a variety of user authentication solutions here, including tokens similar to SecurID.They have a free 30-day trial as well as a free credential you can download to your smartphone. And they also will rebate $5 for every RSA token or credential replaced with their VIP Authentication Service until September 30, 2011.
  • Yubico's Yubikey offers USB-key tokens starting at $25, along with keys that come with the Verisign credentials built-in.
  • SecureAuth Identity Enforcement Program has a similar product to SecurID and offers a quick start promotion running until September for $10 per user per year.
  • VMware's Horizon App Manager has taken software from its Tricipher acquisition and is using two-factor authentication to secure cloud-based apps.
  • Finally, if you still need convincing, re-read our story that covers some options from Forrester Research here. If you haven't yet started on any of these strategies, pick one and get going. Any action is better than nothing.