Many banks have been increasing the security of their online services over the past year. By offering customers smartcard readers or security tokens, they have been able to roll out a second level of security.
The move highlights how businesses' faith in passwords is declining - if they are not lost, they can be stolen, and if they aren't stolen, they can be easily shared.
Two-factor authentication raises the security bar, introducing another level of authentication for system access. Generally, two-factor authentication uses something a user knows (a password or Pin) along with something they have (a security token), making impersonation more difficult.
It has been used to authenticate both employees and customers, but it has limitations. With corporate governance regulations such as Sarbanes-Oxley requiring stronger authentication as part of an overall hardening of security, more large companies are likely to investigate two-factor authentication, but small to mid-range companies have a habit of lax security practice. Passwords are regularly exchanged and written down.
Nevertheless, two-factor authentication is becoming easier to integrate, according to Imprivata, which sells a hardware appliance for authenticating users. Called Onesign, it integrates with Microsoft Active Directory.
The firm originally focused on selling single sign-on systems but found growing interest in implementing two-factor authentication.
"Recently we separated the authentication component from the single sign-on component because so many people were asking for it," said director of product management, Gregg LaRoche.
On the client side, RSA's SecurID is one of several authentication technologies available. It is the equivalent of a one-time pad, changing the user's password every 60 seconds in synchronisation with a remote server. Used mainly in an enterprise context, one of its main competitors, the Vasco Digipass, also generates one-time passwords and allows for optional Pin entry to turn it into a two-factor authentication system.
One problem with these devices is their cost, said Mike Parker, practice director for cards, security and channels at LogicaCMG. They are expensive because they must contain an internal processor to generate the passwords.
But there are other issues too. The Pin set-up and usage process for a security token can be difficult for non-technical users, as Martyn Lucking, computer services manager at Sanctuary Housing, found.
The organisation wanted a two-factor authentication system to secure remote workers accessing Citrix-based applications online. It worked with consultancy Vistorm to put security tokens in place.
"Sanctuary has managed to avoid directly connecting other company networks via virtual private networks, instead granting access to Citrix sessions only through a browser," said Lucking. But complexity was an issue.
"Getting people used to setting up their Pin for the first time was sometimes a problem. If the process was not completed successfully, the token would need to be reset. Once they had logged in, the solution was reliable."
An alternative is a smartcard (although some SecurID devices can double as smartcards). These can hold multiple secrets, including digital certificates and even photographs, which can be encrypted for added protection. The downside is that companies must deploy smartcard readers to clients, which adds to the cost.
This problem can be mitigated using a USB token with similar smartcard functionality, as long as the IT department has not turned off USB ports on client PCs to stop them being compromised by USB keys containing executable files, for example.
"What you really want to do to solve the problem is to deploy biometrics," said Parker. Biometrics on its own is not two-factor authentication, but it is strong authentication, because it requires something stronger than a password. A two-factor biometric system would require users to enter a secret. However, companies will again be faced with the problem of integrating a reader.
But how do you integrate such authentication with a Windows client and Windows devices? It is difficult for suppliers of biometric and other readers to produce a seamless process for logging onto a client and accessing system resources.
They generally have to produce their own custom application for reading the two-factor device, or in some cases rewrite the graphical identification and authentication (Gina) interface, which handles the Windows log-on process.
In an attempt to move enterprises beyond passwords, Microsoft's Vista operating system will do away with the Gina interface, replacing it with an extensible credentials system that will enable providers of third-party devices to more readily write plug-in support for their own devices into the operating system.
Microsoft hopes that this will encourage companies to create event-driven two-factor authentication, where they are prompted for their two-factor credentials when trying to access different computing resources in the company. But whether cash-strapped IT departments will rewrite corporate applications to authenticate people using the system's new credentials user interface API has yet to be seen.
One priority that companies sometimes forget when deploying two-factor authentication is the human factor. "Organisations say they have this fantastic technology to solve security problems, but they do not think about the human issues," said Ken Munro, managing director of penetration testing company SecureTest.
Generally, when technology locks down unauthorised access to resources, intruders will look to human weaknesses for a way in.
"Employees must understand why it is that the token is an important thing and should not be kept in their laptop bag," said Munro.
Even if all the employees in the company understand and remember such rules, the chances are that at some point a token will be lost. Munro said companies should consider token revocation policies.
When a token is lost outside a club at 2am on Sunday morning, is there a way of reporting that fact and having someone act on it? If the loss is only discovered at Sunday lunchtime and the Pin was with the token, can someone immediately check system access to see if an intruder has used the token to log on?
If an employee loses their token while travelling abroad and needs it to access the system urgently, is there a way of giving them access? And if there is, how can you be sure you aren't giving it to an imposter?
Things become even more complicated when trying to deploy two-factor authentication in a business-to-consumer context. It has been done successfully - a bank chip and Pin card is a form of two-factor authentication, although only for on-site access via a card reader - but using two-factor authentication for remote access is harder.
Pin/Tan (transaction number) systems were an early form of two-factor authentication for remote banking. Literally a one-time pad, a Tan is a list of numbers. Customers enter the latest one, plus their Pin, every time they conduct a new online transaction. Pin/Tan carries a low administration cost if a customer loses a Tan pad, the bank can simply send them another.
The use of secure hardware-based one-time pads, such as those from Vasco, takes security to the next level by obfuscating the pass codes. However, according to Bruce Schneier, security author and chief technical officer at Counterpane Security, keyloggers and man-in-the-middle attacks make two-factor authentication largely irrelevant in a B2C context where the client access devices are not controlled.
If the password cannot be read from the device, then attackers could simply read it from the PC, or from the connection between the PC and the bank.
"No form of authentication is a silver bullet to cure all known types of fraud," said Andrew Moloney, senior product manager in the consumer solutions division at RSA Security.
"You have to look at it in the context of layered security. We talk about transaction monitoring, and monitoring the session of the user all the way through."
Such layered security includes monitoring the IP address that a user is accessing from, along with behavioural anomalies (do they normally log in at 2am from a Lithuanian IP address?).
Certainly two-factor authentication is a step in the right direction, linking identity to access, but it has to be accompanied by a layered approach, extending into a company's technology infrastructure and employee education. As with most security tools, used in isolation its success will be limited.
This was first published in August 2006