Tuesday, June 30, 2015

Blueprint: Two-factor Authentication Signals the Death of the Password and Physical Token

by Andy Kemshall, Co-founder and CTO of SecurEnvoy

Considering the frequency and severity of data breaches today, we have reached a point of Cybercrime 2.0. This requires an approach of Security 2.0. The challenge of protecting company data and systems is compounded by a continually evolving IT infrastructure. Companies need enhanced authentication solutions that allow them to protect remote access to the data and resources critical for operations. With that, the case for multi-factor authentication becomes stronger.

According to the Ponemon “2015 Cost of Data Breach Study: Global Analysis,” the average total cost of a data breach increased from $3.52 to $3.79 million. The average cost paid for each lost or stolen record containing sensitive and confidential information increased from $145 in 2014 to $154 in this year’s study [1].

Once considered only for high-end companies (e.g., banks), today companies large and small in the government, healthcare, energy, financial services, insurance, manufacturing, marketing, retail, telecommunications, charity, legal and construction sectors are turning to two-factor authentication (2FA) for their internal security needs. Although the evolution is slow, a change in attitude is taking place due to growing concern over what a breach can result in, including company downtime, lawsuits, lost business and a damaged reputation. This is motivating executives to pay closer attention to their company’s security.

Within a work environment, most companies utilize standard security measures: either a simple username and password or a physical token that lets employees access important data and applications.

The Password

Over the years, we’ve trusted the password. We trust its ability to keep our companies safe from thieves and those who would do us harm. Passwords met an impasse five years ago, and today they need to have 12 characters, or you need to write them down in order to keep track of them. Moore’s law tells us that every two years computing power doubles – meaning every two years the amount of time it takes to crack a password using a brute force attack is cut in half. It has now reached the point where a password can be cracked in minutes, sometimes seconds. The antidote: 2FA. This incorporates something you know, such as a password or PIN; something you are, such as a fingerprint or retinal scan; and something you own, which can be either a physical token or a soft token on a device you use every day, such as a mobile phone. The idea behind 2FA is to bring two of these separate methods together for a stronger level of security, should one of the methods become compromised.

The Physical Token

Companies employing the traditional physical token are likely to experience the following downsides to this approach: contractors and employees can misplace them, overloading the IT department with replacements; physical tokens do not scale well; they can be expensive; deployment of a newer version can take a while (three months to a year); and they are less secure than a mobile 2FA approach.

These are non-issues with a mobile-device 2FA approach, as it is extremely simple to deploy, easy to use, and employee adoption is quick. There are seven billion GSM devices in the world and people are very attached to their mobile devices. Also, if employees want to upgrade their mobile device, the user self-enrolls the new device, rendering the old one safe for disposal.

Lastly, consider the cost of tokens versus a mobile 2FA approach. The life of a token is three to five years, and replacing all of them in a medium or large-sized company can cost hundreds of thousands of dollars, plus it can take three to twelve months to complete the rollout. This holds companies back in terms of productivity. A mobile 2FA approach simply leverages devices employees already have with them, saving companies the money and time of changing over to new systems.

Implementation of 2FA

If a company wishes to implement a mobile 2FA approach for its network architecture, networking insiders can choose to deploy this in three different ways: on-premise, through managed service provisioning (MSP) or via the cloud.

On-premise allows direct integration within your own network. This approach dovetails seamlessly with existing infrastructure. A major benefit is that user data resides within the company and leverages existing replication infrastructure such as Active Directory.

Some solution providers have a partner network for MSP deployment. Utilizing a dedicated MSP partner allows a greater choice of integration to suit your network. This approach also allows a security vendor to take over the overall operation and day-to-day administration of your tokenless two-factor authentication system. By reducing the burden on your own resources, this approach makes it easy for the vendor to provide 2FA solutions for the cloud, integrating seamlessly into the login process of your environment.

Although on-premise is the ideal approach, cloud should be considered where the setup differs, for SMBs, and for companies with several servers and several locations. Although a lot of companies turn to the cloud as a solution, when it comes to security there are drawbacks. These include:

  • Needing constant synchronization of user information any time it changes;
  • A cloud environment can be seized by any government; and
  • The cloud environment stores the seed records (sensitive information and passwords), which can be hacked.

An additional advantage of an on-premise approach is that the seed records remain under your company’s own security control, as security providers like SecurEnvoy do not hold any seed records.
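To make concrete what a soft-token "something you own" factor is (the factor described in the section on the password) and why the seed records discussed just above are so sensitive, here is an added example of a standard one-time-passcode verifier. It is not SecurEnvoy's code or any product's: it implements the public HOTP (RFC 4226) and TOTP (RFC 6238) algorithms with the Python standard library only. The seed bytes and the `TotpVerifier` class are constructed for illustration; note that the server-side check needs nothing beyond the seed and the clock, which is exactly why a seed record must be protected as carefully as a password database.

```python
import hashlib
import hmac
import secrets
import struct


def new_seed(length: int = 20) -> bytes:
    """Generate a fresh random seed for one user's soft token (constructed helper)."""
    return secrets.token_bytes(length)


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of time steps since the Unix epoch."""
    return hotp(seed, for_time // step, digits)


class TotpVerifier:
    """Server-side verifier for one enrolled device.

    The object holds the seed record; anyone who obtains it can compute every
    future passcode, so in a real deployment it lives in protected storage.
    """

    def __init__(self, seed: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.seed = seed
        self.step = step
        self.digits = digits
        self.window = window          # accept +/- this many steps of clock drift
        self.last_counter = -1        # replay guard: an accepted step is never accepted again

    def verify(self, code: str, now: int) -> bool:
        """Return True once for a valid code in the drift window; reject replays and bad codes."""
        centre = now // self.step
        for counter in range(centre - self.window, centre + self.window + 1):
            if counter <= self.last_counter:
                continue  # already consumed (or older than the last accepted step)
            expected = hotp(self.seed, counter, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # Constructed demo: enrol a device, then check a code it would display.
    seed = new_seed()
    verifier = TotpVerifier(seed)
    shown_on_phone = totp(seed, 1_700_000_000)
    print("first use accepted:", verifier.verify(shown_on_phone, 1_700_000_000))
    print("replay accepted:", verifier.verify(shown_on_phone, 1_700_000_005))
```

The `hotp` function reproduces the RFC 4226 test vectors (seed `12345678901234567890`, counter 0 gives `755224`), so it can be checked against any conforming authenticator. The verifier accepts one step of clock drift either side and refuses to accept the same step twice, which is the minimum a server needs before exposing such a check to a login page.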

In conclusion, two-factor authentication via mobile devices is evolving into an ideal method that should be considered today to authenticate the end user. It is stronger; it is easy to adopt, as the end user can choose which mobile device to use (and in some cases how to receive a passcode: via SMS, email or voice); it is simple to deploy; and, overall, it costs less.

About the Author

Andy Kemshall, Co-Founder and CTO at SecurEnvoy, is one of the leading European experts in two-factor authentication. As the co-founder and CTO of SecurEnvoy, he brings nearly 20 years of IT security authentication experience to SecurEnvoy. Andy is the inventor of both SMS-based and secure-mail-recipient-based two-factor authentication, and more recently NFC-based one-swipe authentication. Prior to his role at SecurEnvoy, Andy was one of the original customer-facing technical experts at RSA Europe. While at RSA, he served as the Sales Engineering Manager, where he managed high-level customer relationships, developed the product and advised RSA HQ on new and emerging technologies from Europe.

About SecurEnvoy

SecurEnvoy (www.securenvoy.com) is the trusted global leader of mobile phone-based Tokenless® two-factor authentication. Its innovative approach to the multi-factor authentication market now sees millions of users benefitting from its solutions all over the world. Controlling endpoints located across five continents, SecurEnvoy designs innovative two-step verification solutions that leverage both the device the user carries with them and their existing infrastructure. The solutions are the fastest to deploy and the most secure in the industry. With no hardware or deployment issues, the ROI is dramatically reduced and easily managed.

[1] Ponemon’s 2015 Cost of Data Breach Study: Global Analysis
