There was a time when strong multifactor authentication was expensive and hard to deploy. Those days appear to be far behind us, at least judging from the crop of tools we looked at this month in the SC Lab.
There are levels of user interaction with the enterprise. Some are casual users, some are customers accessing accounts where money or personally identifiable information (PII) resides. Some are privileged users, such as system administrators. There are aspects of each of these user communities that help define the appropriate level of authentication.
Conventional wisdom - although today we might question how much wisdom there actually is - is that if you have a large community of users, stick to passwords because they are free and multifactor costs money. If you Google "password breach" plus "statistics," the first page that comes up lists LinkedIn, Twitter, Yahoo and Dropbox. Dig a bit deeper and you will find half a dozen more big names and concomitant, big password breaches. All of these were in the hundreds of thousands to the low millions of passwords lost. These are not just employees. These are customers falling prey to the "let's save a buck and let them use passwords" syndrome.
This is in spite of studies that have shown that most people reuse passwords on multiple accounts and pick very weak passwords to begin with. Taking this approach does a couple of things that can potentially hurt the company seriously. First, no matter how secure the customer interface to the rest of the enterprise is, by allowing weak authentication, you have just stripped away the first layer of your defense-in-depth. Second, since people tend to reuse passwords, you have, arguably, opened up a lot of other organizations to compromise because if the attacker gets in and gets your clear-text password files, the intruder probably now has the keys to lots of kingdoms.
Clear-text passwords? Nobody does that. Wrong, wrong, wrong! There are many organizations - some very large - that keep all passwords in clear text. There goes the second layer of protection. But let's assume for a moment that the attacker doesn't really care about harvesting the 650,000 clear-text passwords you are storing. This hacker is more interested in those credit card numbers you are holding. Or maybe they just want to get in and drop a rotten egg (trojan horse or rootkit) in your system and leave. The trojan will roam around your network harvesting whatever it is created to harvest, and then will send the data home to the hacker. All of this chaos because of a weak password.
Now, let's up the ante a bit. Suppose that person with the simplistic password was an employee. In fact, it doesn't even need to be too simplistic given the password-cracking tools available today. If that employee is a privileged user, you may be in for a really ugly surprise. So, even if you don't want to foot the bill for your hundreds of thousands of customers, you should at least pony up for your own remote users, especially the privileged ones, such as system administrators.
That brings us to this month's group, which deals, predictably, with authentication - strong authentication - tools. Some of these are simple solutions to the tough problem of strong authentication. Some are a bit more pricey and a bit more complicated. But all of them have good application in the various ways you can protect your valuable data. A few are biometric, and you will note that the cost of biometrics has started to come way down.
When it is shown in several research reports that the most popular password is "123456," we can pretty much take it as a given that the age of strong authentication is upon us. When the cost of strong authentication meets the risks from the types of architectures that we are seeing increasingly, we can justify spending a little more to keep our information safe. A serious breach because of careless authentication policy could cost a whale of a lot more than the strong authentication would have. You'll see that and a lot more in this month's reviews. Enjoy!
