Tactical Advice

How to Deploy Two-Factor Authentication

Take these five steps to ease the rollout while strengthening security.

Passwords have been crumbling for a long time because they’re easy to steal or share, yet difficult to remember. To improve security, leading organizations are deploying two-factor authentication. This technique combines a password with something else the user has, such as a token, smart card or a biometric identifier.

Moving to two-factor authentication has its stumbling blocks, however. Consider the following measures to ease the move.

1. Select a Factor That Fits the Organization.

Count tokens (both hardware and software), smart cards, and multichannel products such as SMS-based passwords to smartphones among the options. There’s no right answer, but considering a few questions about organizational IT will show the best path. For example, mobile devices such as smartphones are not generally compatible with smart cards. For some organizations, that’s a plus, as they’d prefer to allow only notebooks they issue to connect to the network. For others, that’s a deal breaker. Some organizations that are geographically centralized will appreciate physical tokens, while others that have workers constantly on the move may wish to use software or other systems.

2. Consider Tokens as the Starting Point.

Tokens are the technology that every other authentication method needs to beat. They are the most mature and common technology in two-factor authentication, but have their own drawbacks, such as high startup and maintenance costs associated with distributing and replacing tokens. Manufacturers have devised a variety of workarounds, such as virtual tokens that trade off some security for increased convenience.

When considering alternatives to tokens, be careful to separate competitive myth and fiction from reality. There’s considerable disinformation in marketing literature, both from token makers and from vendors of competing two-factor technologies.

3. Conduct a Phased Migration.

Big-bang cutovers don’t make anyone happy. Application and system managers will find it easier to migrate everyone at once, but that just creates a nightmare for end users and help desk staffs.

Choose a technology and deployment strategy to move one user at a time, then slowly disseminate the technology to the people who need it the most. Unless it’s a small organization with only 25 users, migrating everyone at once is guaranteed to be an expensive, high-risk effort. The same is true of applications — critical ones should move to two-factor authentication early, but there’s no reason to migrate legacy apps if the risk is low.

4. Staff Up the Help Desk.

Getting a back-end authentication server set up takes a while, and then testing it against applications takes a little longer. That’s only one percent of the effort in a two-factor rollout. Self-service, abundant training and a well-staffed help desk are good insurance against failure, particularly during periods of heavy migration.

Users need to be informed and empowered. Because two-factor authentication is harder than just typing a password, everyone might complain a bit. Offer end users tools, such as token reset web pages. That may require collecting password reset questions or wiring a web application, but it’s worth the effort. One benefit of the consumerization of IT is that people are accustomed to doing things themselves. Playing to these new habits eases the pain on all fronts.

5. Don’t Sweat the Settings.

Risk reduction is the goal. Many token products have very secure default settings that are not forgiving of error or an initial learning curve. Dialing back some of these settings, such as maximum failed attempts or lockout periods, won’t ruin system security. Two-factor authentication is so far ahead of static passwords in risk reduction that there’s room for some slack without affecting the result. These settings can gradually be tightened if necessary once the deployment phase is over.
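
To put numbers on that trade-off, the following added example (not from the original article) compares a strict and a relaxed lockout policy on two measures: how often a new user who mistypes codes gets locked out, and how many code guesses an attacker who already holds the password gets in a day. The policy values, the six-digit code length and the sample login events are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class LockoutPolicy:
    max_failed: int        # consecutive failures that trigger a lockout
    lockout_minutes: int   # how long the account then stays locked

def count_lockouts(policy, events):
    """events: (minute, ok) login attempts for one user, in time order.
    Returns how many times that user is locked out."""
    failures, locked_until, lockouts = 0, -1, 0
    for minute, ok in events:
        if minute < locked_until:
            continue                  # attempt rejected while locked
        if ok:
            failures = 0              # a success resets the counter
            continue
        failures += 1
        if failures >= policy.max_failed:
            lockouts += 1
            locked_until = minute + policy.lockout_minutes
            failures = 0
    return lockouts

def attacker_guesses(policy, window_minutes):
    """Approximate guess budget: one full burst of failures per lockout cycle."""
    cycles = max(1, window_minutes // policy.lockout_minutes)
    return cycles * policy.max_failed

def guess_success_probability(policy, window_minutes, code_digits=6):
    """Chance that at least one guess matches, assuming the password is
    already known and each attempt faces a fresh random code."""
    p = 10 ** -code_digits
    return 1 - (1 - p) ** attacker_guesses(policy, window_minutes)

STRICT = LockoutPolicy(max_failed=3, lockout_minutes=60)    # constructed values
RELAXED = LockoutPolicy(max_failed=10, lockout_minutes=15)  # constructed values

# Constructed sample: a new token user mistypes four codes, then succeeds.
NEW_USER = [(0, False), (1, False), (2, False), (3, False), (4, True)]

if __name__ == "__main__":
    for name, pol in (("strict", STRICT), ("relaxed", RELAXED)):
        print(name, count_lockouts(pol, NEW_USER),
              attacker_guesses(pol, 24 * 60),
              f"{guess_success_probability(pol, 24 * 60):.6f}")
```

Under these assumptions the relaxed policy spares the fumbling user a help desk call, while the attacker's chance of guessing a code within a day stays below 0.1 percent.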

About the Author

Joel Snyder

Joel Snyder, Ph.D., is a senior IT consultant with 30 years of practice. An internationally recognized expert in the areas of security, messaging and networks, Dr. Snyder is a popular speaker and author and is known for his unbiased and comprehensive tests of security and networking products. His clients include major organizations on six continents.

