
The drawbacks of two-factor authentication

Despite the hype surrounding two-factor authentication, it's not the end-all, be-all of access management solutions. This tip helps value-added resellers (VARs) and systems integrators put the technology in perspective for their customers.



Much buzz has circulated lately about two-factor authentication, the technology that is supposed to provide better security than relying on a single factor such as a password or an ID card alone. Two-factor authentication combines elements from different categories (something you know, something you have, something you are) to confirm someone's identity: an ID card and a PIN or password, for instance, or a PIN and a retinal scan. Note that two things from the same category, such as a password plus a secret question, do not count as two factors.

Two-factor authentication products already exist in quantity for Windows and are usually well integrated into its existing security infrastructure; Active Directory authentication is based on Kerberos, and Windows smart card logon builds on Kerberos's public-key extension (PKINIT). While there's no shortage of two-factor security products out there, the problems that can arise from using them need to be looked into thoroughly before your customer drops money on them.

Breaking the bank

The first and most obvious issue associated with setting up a two-factor authentication solution is cost. Cost doesn't just mean buying the software and hardware, but the expense of ongoing maintenance as well, and it includes training people to use, administer and enforce the system, an often-overlooked item.

Likewise, many two-factor authentication solutions carry a recurring cost. For example, the RSA SecurID system uses a keychain fob that generates a fresh one-time passcode at a fixed interval. The devices are built with a finite lifetime (a couple of years, usually), which limits how long any one token's secret stays in circulation and avoids battery replacement, but it is also a convenient revenue generator for RSA, since your customer will be shelling out cash on a fairly regular basis for replacement tokens.

Pardon the inconvenience

A two-factor system also has to take into account the fact -- not the possibility, but the fact -- that the system will at some point break. People lose their keys and smart cards, or accidentally ruin them in unexpected ways: One of the people I discussed this piece with ran his smart card through the wash, which destroyed it about as thoroughly as a stint in the microwave would have.

The problem isn't just the cost of replacing such things, although that's a given. There is also the problem of what security experts call "graceful failure." If a user loses a smart card or key token, is there a way to let them safely into the building or the network without simply trusting them and waving them through? This could be a pool of spare tokens or smart cards set aside for such incidents (kept under lock and key, of course), issued only after the user's identity has been verified, bound to that user, set to expire after a short time and logged, while the lost credential is revoked immediately. A procedure like this minimizes both lost work time and the window in which a lost credential can be abused.
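The following is an added example, not code from the original article and not RSA's or CRYPTOCard's software. It implements the behaviour described under "Breaking the bank" and in this section with a software stand-in for the hardware fob: the public OATH HOTP/TOTP algorithms (RFC 4226/6238) are substituted for SecurID's proprietary one, the token has a hard expiry date like the physical fob's finite lifetime, each code can be accepted only once (replay protection), a lost token is revoked on report, and a loaner token is issued only after an identity check, for a short period, with every decision logged. All seeds, users and times are constructed for the demo.

```python
"""Added example: TOTP verifier with token lifetime, replay protection,
revocation of lost tokens and short-lived loaner tokens.
Constructed demo data only; no real seeds or users."""
import base64
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

STEP = 30      # seconds per one-time code (RFC 6238 default)
DIGITS = 6
DRIFT = 1      # accept one step of clock skew either side


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def totp(secret: bytes, now: float) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time."""
    return hotp(secret, int(now // STEP))


@dataclass
class Token:
    seed: bytes
    expires_at: float        # hard lifetime, like the finite life of the physical fob
    loaner: bool = False     # temporary replacement handed out when the real one is lost
    last_counter: int = -1   # highest counter already accepted; blocks replay of a used code


@dataclass
class Verifier:
    tokens: dict = field(default_factory=dict)   # user -> Token
    audit: list = field(default_factory=list)    # (time, user, event, detail)

    def enroll(self, user, seed, lifetime_s, now, loaner=False):
        self.tokens[user] = Token(seed, now + lifetime_s, loaner)
        self.audit.append((now, user, "enroll", "loaner" if loaner else "primary"))

    def report_lost(self, user, now):
        """Revoke immediately: a lost fob must never authenticate again."""
        self.tokens.pop(user, None)
        self.audit.append((now, user, "revoke", "reported lost"))

    def issue_loaner(self, user, seed, now, verified_in_person):
        """Graceful failure: an 8-hour replacement, only after the user's identity is verified.
        A phone call saying 'my key is in the office' is not verification."""
        if not verified_in_person:
            self.audit.append((now, user, "loaner-denied", "no identity check"))
            return False
        self.enroll(user, seed, 8 * 3600, now, loaner=True)
        return True

    def verify(self, user, code, now):
        tok = self.tokens.get(user)
        if tok is None:
            return self._log(now, user, False, "no token")
        if now >= tok.expires_at:
            return self._log(now, user, False, "token expired")
        counter = int(now // STEP)
        for c in range(counter - DRIFT, counter + DRIFT + 1):
            # only counters newer than the last accepted one; constant-time compare
            if c > tok.last_counter and hmac.compare_digest(hotp(tok.seed, c), code):
                tok.last_counter = c
                return self._log(now, user, True, "ok")
        return self._log(now, user, False, "bad or replayed code")

    def _log(self, now, user, ok, why):
        self.audit.append((now, user, "verify", f"{ok}:{why}"))
        return ok


def demo():
    """Walk through the lifecycle; returns the outcome of each step."""
    now = 1_700_000_000.0                              # constructed clock value
    v = Verifier()
    seed = base64.b32decode("JBSWY3DPEHPK3PXP")         # constructed demo seed
    v.enroll("alice", seed, 2 * 365 * 86400, now)       # two-year token lifetime
    code = totp(seed, now)
    r = {}
    r["first_use"] = v.verify("alice", code, now)                               # accepted
    r["replay"] = v.verify("alice", code, now + 5)                              # same code again: rejected
    r["skew"] = v.verify("alice", totp(seed, now + STEP), now + 2)              # next window, within drift
    v.report_lost("alice", now + 60)
    r["after_revoke"] = v.verify("alice", totp(seed, now + 60), now + 60)       # lost fob is dead
    loaner_seed = base64.b32decode("GEZDGNBVGY3TQOJQ")                          # constructed loaner seed
    r["loaner_phone"] = v.issue_loaner("alice", loaner_seed, now + 120, False)  # refused
    r["loaner_desk"] = v.issue_loaner("alice", loaner_seed, now + 120, True)    # issued
    r["loaner_ok"] = v.verify("alice", totp(loaner_seed, now + 130), now + 130)
    late = now + 9 * 3600                                                       # past the 8-hour loan
    r["loaner_expired"] = v.verify("alice", totp(loaner_seed, late), late)
    return r


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step:15s} {outcome}")
```

The audit list is the part a practitioner would wire to a SIEM: a burst of "loaner-denied" or "bad or replayed code" entries for one user is exactly the social-engineering or credential-sharing signal the rest of this article warns about.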

Choose wisely

The exact two-factor authentication system your customer uses is going to be dictated by their budget and needs, but try to go with a system that is as broadly documented and as non-proprietary as possible. RSA Security Inc. is the company that gets most of the attention, but another company, CRYPTOCard Inc., has a system that security practitioners widely tout for its ease of use and openness.

CRYPTOCard is cross-platform (Windows, Linux, Mac) and sports tight integration with the directory technologies on all those platforms. It has a number of features that make it work in the real world: built-in redundancy, so there is no single point of failure; a migration path from older RSA deployments; and well-documented, standards-based cryptography rather than a proprietary algorithm, which means its security can be reviewed rather than taken on faith.

The company sells a five-user starter kit, in various implementations (USB token, smart card, etc.), for about U.S.$500, so it's relatively easy to figure out if CRYPTOCard's solution is a good fit for your customer.

It's worth noting the plans for two-factor authentication that will be natively available in Windows, but never take such plans as dogma. Microsoft originally proposed building native support for RSA's SecurID into Windows Vista but eventually shelved the idea when it decided to slim down and refocus Vista's feature set. It will be possible to add SecurID support as an after-the-fact add-on, and native support may eventually arrive in a service pack for Vista. One of the biggest new features in the 3.0 revision of the .NET Framework is a standard model for user identities, Windows CardSpace, which (among many other things) can carry credentials beyond a plain password, and programmers and third-party vendors are already gearing up to make use of it.

Delusions of safety

The single biggest issue with two-factor authentication, or any security method, is whether it can be bypassed in ways that have nothing to do with the system itself. The biggest security hazard in any organization is people who can be socially engineered: the folks standing guard, who hold the keys to the kingdom and turn them over all too willingly to con artists and criminals using low-tech tricks.

Two-factor authentication can even aggravate these problems, because it breeds a false sense of confidence. If you use, for instance, an RSA one-time code system as part of your security measures, and the people in charge of the system aren't trained to deal properly with ruses (such as a harried worker who says, "My key's in the office, can you just let me in a sec?"), then the two-factor system itself isn't broken; it's negated entirely. Every manual exception has to go through the same identity check and the same log as a normal login, or the exception becomes the attacker's preferred entry point.

The same goes for whenever biometric tools (fingerprint scanners, iris readers, etc.) are added to the mix. Biometrics are not magic solutions; only the people monitoring them and the infrastructure in which they're placed make them secure. Most of the benefit they provide is convenience rather than true security: It's easier to present a thumbprint than a PIN, but a thumbprint can be copied and faked without much difficulty, and unlike a PIN it cannot be changed once it has been. And someone with a hand in a cast who looks familiar will often be waved through without a second thought.

In short, if you use all these tools to defend a system that has unencrypted data ready for the taking or that can be accessed by nothing more than low-tech social-engineering skills, the security your customer gains will be illusory. The best way to think about two-factor authentication is to think of it as three-factor authentication -- the third factor being a trained, aware and not-easily-compromised base of personnel.

About the author
Serdar Yegulalp is editor of the Windows Power Users Newsletter.

This tip originally appeared on
