Definition: Strong authentication prevents unauthorized access to corporate systems by requiring users to identify
themselves in two ways: by means of something they know, such as a PIN or password; and something they possess, such as a smart card or token that provides one-use, time-specific passwords. Single-sign on allows users to use a single password to gain access to all applications and services for which they are authorized.
Small and medium-sized businesses (SMBs) are affected by many of the same factors that are motivating enterprises to embrace stronger authentication: the need to secure virtual private network (VPN) connections that give remote sites, road warriors and business partners access to sensitive corporate information; increasingly stringent government security regulations; and the proliferation of internal and external security threats.
Last October, the Federal Financial Institutions Examination Council (FFIEC) issued new guidelines for online banking, which stated that single-factor authentication alone is not sufficient "for high-risk transactions involving access to customer information or the movement of funds to other parties."
Ordinary passwords are extremely vulnerable, according to Karen Devine, director of product marketing at RSA Security Inc. in Bedford, Mass. Many can be hacked in a few minutes. Employees are all too apt to write them down and stick them in an easy "hiding place" like under the keyboard -- particularly when, as is often the case, they have to remember a lot of different passwords.
Two-tier authentication prevents unauthorized users from gaining access to corporate data or systems just by stealing someone's password. Single sign-on eliminates the need for end users to keep track of a different password for each application and system.
"You can trust people to manage passwords, and change them every 30 days, if they only need one password for all systems," said Jonathan Penn, a principal analyst at Forrester Research Inc. in Cambridge, Mass. "They are also less likely to write a single password down than if they have 26 of them, some of which they rarely use."
SMBs are seeing more products and services geared to their needs. RSA offers an appliance version of its SecurID strong authentication product for SMBs. Lexington, Mass.-based Imprivata Inc. recently introduced its OneSign Enterprise Network Authentication appliance, which ships with built-in support for Vasco Data Security International Inc.'s Digipass two-factor authentication. VeriSign Inc. and CryptoCard Inc. are among the vendors that now offer managed authentication services.
Leading authentication vendors are working with partners to build two-tier authentication into leading Secure Sockets Layer VPN systems, Windows and applications such as Notes and Exchange. For example, an employee logging into a VPN network or a Windows 2003 server automatically sees a screen that asks for a PIN and token code.
Newer types of second-tier authentication, such as biometrics that identify a user by fingerprint, provide stronger security without the need to deploy physical devices to users.
- One-time tokens that interface with a computer's Universal Serial Bus port cost between $10 and $20 per user, depending on volume, according to Forrester.
- RSA SecurID Appliance 2.0 is available in preconfigured bundles ranging from $4,000 for 10 users up to $34,000 for a 250-user bundle.
- Passlogix Inc.'s V-GO Single Sign On is priced at approximately $70 per user.
- Imprivata's OneSign ENA apppliance, geared to midrange companies, is priced at $75 per user for a thousand-user license, and includes Digipass tokens.
Tips and gotchas
When calculating the cost of two-factor security, don't forget administrative overhead, advises Forrester's Penn. "You have to requisition the tokens, deliver and provision them." This can be time-consuming, particularly for a large number of remote sites. Inevitably, too, tokens are going to get lost, left at home, or dropped in a puddle or a coffee cup. "You need to take those costs into consideration, as well as the cost of the hardware itself," Penn said.
Before you deploy single-sign on, make sure you have enough applications to make it worthwhile, RSA's Devine advises. "If you have managed services and only one password, or streamlined access through a portal, it isn't worth doing." Technical decision makers should assess not only the number of applications, but also how secure they need to be, and how many user groups and types of users interact with them.
Companies have justified single sign-on with as few as five applications, Devine reports. "You have to establish a pain point: How many passwords is a typical user able to remember without having to write them down?"
- Strong authentication:
Expert viewpoint: Jonathan Penn, principal analyst, Forrester Research
"There's a good case to be made for exploring more novel methods of two-tier authentication, which don't require distributing physical assets such as tokens. For example, biometric systems that authenticate using fingerprints.
"Tokens are most widely used for remote authentication. Within the enterprise we mostly see smart cards, which also provide secured access to physical facilities. Biometrics are used a lot in health care, especially for doctors and nurses and technicians that have to log onto different machines multiple times a day, and who measure productivity in seconds.
"During the initial setup phase you need to look at which systems need a greater degree of authentication. Not all systems, applications or users need two-tiered sign-on. The best place to implement is the first level of network access: logging into Windows. This provides the greatest degree of integration. Beyond that, use single sign-on." Elisabeth Horwitt is a contributing writer based in Waban, Mass.