Friday, November 17, 2006

Multifactor Authentication - It's Coming Sooner Than We Think

It's hard to believe, but it's been 2 years since the Bush administration in the United States issued the Homeland Security Presidential Directive 12. The point of the directive was to enhance security through the reduction of identity fraud. One of the ways HSPD-12 has affected information technology is by accelerating the adoption of smart cards. In fact, ActivIdentity predicts that between 50 and 100 million smart cards will be in circulation in the United States in as little as 10 years.

One of my colleagues just returned from training in FPA-SAFE, a program designed to help the food industry with its audit needs. He confirmed that identity security was an important part of the training materials and concerns. He even shared some humorous stories about the lack of appropriate standards for authentication in the food industry.

This occurred at the end of a meeting in which we discussed our own internal security procedures and standards. I had introduced staff to multifactor authentication, something I had been reading about in Jesper Johansson and Steve Riley's book Protect Your Windows Network: From Perimeter To Data. The idea behind multifactor authentication is that we can enhance identity security in computer systems by utilizing 2 of 3 classes of authentication factors: something the user is, something the user has, or something the user knows. The first usually involves biometrics, the second something like a security token or smart card, and the third something like a password, pass phrase, or PIN. By using 2 of the 3 factors, we can dramatically improve the security of our systems while making life easier for our users.

Normally, I would have thought that multifactor authentication was simply too advanced and too rich for smaller companies like ours. But international standards organizations and compliance regulations are spurring growth of the technology, reducing price points and increasing the likelihood that small- and medium-sized businesses will see the business benefits of the technology.
