
Two-factor authentication for SMB customers

Learn about two-factor authentication solutions that make financial sense and can be managed easily by small and medium-sized businesses (SMBs) in this tip. Understand what the FFIEC guidelines mean for SMBs, and approach your SMB customers with a variety of viable options.


To a small or medium-sized business (SMB), setting up a two-factor authentication system can be scary. There's extra hardware to buy, and the maintenance could be a nightmare. That is enough to stop an SMB with a limited budget and no dedicated information security staff from even considering two-factor authentication.

But there are affordable tools in the market that even a cash-strapped SMB can handle. These tools require little maintenance and overhead and can be managed easily by your existing IT staff, no matter how small. Two-factor authentication has even become an item that can be outsourced, saving the cost of investing in expensive infrastructure.

Before going the two-factor route, the SMB needs to understand two things: exactly what two-factor authentication is, and which risks it is meant to protect against.

What is two-factor authentication?

Two-factor authentication provides a multilayered defense, or a defense in depth. If one factor is breached, the other factor, hopefully, will block a malicious user from accessing the system.

There are three factors in authentication: something you know, something you have and something you are. An example of something you know is a user ID and password. Something you have could be a one-time password (OTP) token, a smart card or a similar device that stores authentication credentials. Something you are is a physical characteristic; the devices that measure it are called biometric readers, and they can read fingerprints, facial or voice patterns, or some other measurable body characteristic, such as an iris pattern.

Two-factor authentication is two of these factors together in a single authentication system. For example, a user would enter a user ID and password onto a Web site, and then would be asked for the value from an OTP token.

Determining the risks

Next, do a thorough risk analysis of what the system is supposed to protect. This must be done before even considering implementing two-factor authentication. If the risk of data loss is low, or the data isn't valuable, then a two-factor setup might be overkill. Risk analysis starts with creating a data classification standard. This should be part of every SMB's information security policy and should have at least three levels of risk: low, medium and high. Classification defines which data fits into which category.

Publicly available information, such as marketing brochures and advertisements, would be low risk. Data about company plans and processes might be medium risk -- loss of such information could put the company at a competitive disadvantage but maybe not out of business. Customer information, including Social Security numbers or account numbers, is high risk. The loss of customer data could lead to identity theft and, as a result, lawsuits or other liabilities against the company.

After classifying your data, determine the purpose of the authentication system. Is it to protect against real breaches that have occurred in the past or others that might be expected in the future? Is it for meeting compliance requirements like those of the Federal Financial Institutions Examination Council (FFIEC) for two-factor authentication for banking Web sites? Is it for protecting financial transactions on a Web site, or for remote access for your traveling users who might be logging in from their laptops at an airport or hotel?

The FFIEC guidelines take a broader interpretation of two-factor authentication that includes fraud-monitoring systems, which operate on the back end and are invisible to the user. These aren't true two-factor systems, since they don't use a token or device, but they provide the same protection. For protecting remote access, a more traditional approach using a device or a smart card might be in order.

Buying decisions

Here are some well-known products in the market that SMBs might consider for implementing two-factor authentication:

  • The eToken from Aladdin Knowledge Systems Ltd. is a USB device that connects to a workstation or laptop. The eToken combines a smart card and an OTP generator on one device. It differs from traditional OTP tokens, like those from RSA Security Inc. and Vasco, in that it's more flexible. The RSA SecurID is only an OTP token, while the eToken can be configured to work with more than 150 applications from Aladdin partners. Its battery can also be replaced, giving it a longer life -- unlike a self-enclosed OTP token, which expires when its battery runs out.

    As a smart card, the eToken can hold a digital certificate and integrate into a public key infrastructure system. The device can be managed centrally with the Aladdin Token Management System.

  • CRYPTOCard is a smart card that bills itself as an event-driven rather than time-driven OTP. Traditional OTPs generate a new PIN after a fixed interval, say, every 30 to 60 seconds. The CRYPTOCard shares an encryption key with a server the user installs in-house. The card generates a fresh PIN every time it's inserted into a reader connected to the CRYPTO-Server. Every time the user successfully logs in, the card is already reset to generate the new PIN for the next login. Also, like the eToken, CRYPTOCard has a replaceable battery.

  • CRYPTOCard has another product, CRYPTO-MAS, which provides two-factor authentication as a managed service. This is an attractive approach for an SMB, since it requires no infrastructure, hardware or software installation by the user. The token generates a PIN through its Managed Authentication Service (the MAS in CRYPTO-MAS) for a monthly fee. Since there isn't anything for the user to install or maintain, the user doesn't have to provide staff or technical support -- another plus for thinly staffed SMBs -- and users and tokens can be added or deleted easily through the service.

  • An even cheaper low-tech solution is IdentityGuard from Entrust Inc. in Addison, Texas. This involves a wallet-sized card that looks like a bingo card. It has a grid with a randomly generated series of numbers. When the user logs on with their user ID and password, they're also prompted for a coordinate on the grid. The user then enters the number at that coordinate on the card. The cards are all distinct and each has thousands of combinations of numbers.
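The event-driven OTP described for CRYPTOCard above (a shared key, a fresh code per use, and the server moving on so the same code can never be accepted twice) can be illustrated with a counter-based HMAC OTP. This is an added example, not CRYPTOCard's or any vendor's actual algorithm; it assumes an HMAC-SHA1 counter OTP in the style of RFC 4226, a constructed shared key, and a server-side look-ahead window of 5 for tokens pressed without logging in.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-driven OTP: HMAC-SHA1 over the counter, dynamically truncated to `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class EventToken:
    """The hardware token: it holds the key and advances its counter on every press."""
    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class EventOtpServer:
    """The in-house server: same key, plus the next counter value it is willing to accept."""
    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret, self.counter, self.look_ahead = secret, 0, look_ahead

    def verify(self, submitted: str) -> bool:
        # Accept the expected counter or a few values beyond it (token pressed idly),
        # but never a value at or below the last one used: that is the replay defence.
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), submitted):
                self.counter = c + 1   # advance past the used value
                return True
        return False


def demo():
    secret = b"12345678901234567890"      # constructed shared key (hypothetical enrolment)
    token, server = EventToken(secret), EventOtpServer(secret)
    first = token.press()                 # counter 0
    ok_first = server.verify(first)       # True
    replayed = server.verify(first)       # False: server already moved past counter 0
    for _ in range(3):
        token.press()                     # idle presses: counters 1, 2, 3
    ok_window = server.verify(token.press())   # counter 4, inside the look-ahead window
    for _ in range(10):
        token.press()                     # counters 5..14
    ok_far = server.verify(token.press())      # counter 15, beyond the window: rejected
    return ok_first, replayed, ok_window, ok_far
```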

Between flexible token alternatives, managed authentication services and low-cost cards and devices, SMBs have a variety of options for implementing two-factor authentication.
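The grid-card scheme described for IdentityGuard above (a random grid, a coordinate challenge after the password, the user answering with the value at that coordinate) can be sketched on the server side as follows. This is an added example and not Entrust's implementation; it assumes a hypothetical 10-row by 5-column card of 3-digit cells, two coordinates per challenge, and a verifier that makes each challenge single-use and avoids repeating the coordinates of the previous one.

```python
import hmac
import random
import string

ROWS = "ABCDEFGHIJ"     # assumed card layout: rows A-J, columns 1-5
COLS = 5


def make_card(rng=None) -> dict:
    """Issue a new card: every coordinate gets an independent random 3-digit value."""
    rng = rng or random.SystemRandom()   # OS entropy for real issuance; seeded RNG for tests
    return {f"{r}{c}": "".join(rng.choice(string.digits) for _ in range(3))
            for r in ROWS for c in range(1, COLS + 1)}


class GridCardVerifier:
    """Server-side state for one user's card."""
    def __init__(self, card: dict, rng=None, cells_per_challenge: int = 2):
        self.card = card
        self.rng = rng or random.SystemRandom()
        self.n = cells_per_challenge
        self.pending = {}    # session id -> coordinates issued for it
        self.last = []       # coordinates of the previous challenge, not reused next time

    def challenge(self, session: str) -> list:
        """Pick fresh coordinates for this login and remember them for this session only."""
        pool = [coord for coord in self.card if coord not in self.last]
        coords = self.rng.sample(pool, self.n)
        self.pending[session] = coords
        return coords

    def verify(self, session: str, answer: str) -> bool:
        """Check the concatenated cell values; the challenge is consumed whether or not it matches."""
        coords = self.pending.pop(session, None)
        if coords is None:
            return False           # no outstanding challenge: nothing to compare against
        expected = "".join(self.card[c] for c in coords)
        self.last = coords
        return hmac.compare_digest(expected, answer)
```

A wrong answer burns the challenge, so a second attempt needs a new one; the card itself stays valid.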

About the author
Joel Dubin, CISSP, is an independent computer security consultant based in Chicago. He is a Microsoft MVP in security, specializing in Web and application security, and is the author of
The Little Black Book of Computer Security, available from He is also the author of the IT Security Guy blog at

This tip originally appeared on
