What are you doing about two-factor authentication?

July 6, 2006 12:00 PM ET

Computerworld - If you work for a financial institution or a company that processes credit card transactions, this isn’t news to you: There’s a growing push to require two-factor authentication for logging into your company’s information systems.

But if you’re in this camp, you’re probably also finding out how expensive and operationally challenging it is to require users to remember a password and also some other mechanism, such as a plastic token, to log in successfully. National attention on two-factor authentication is generating as much hype as network intrusion detection and stored data encryption did a few years ago.

Not sure which authentication approach is best for your company? Then it’s probably time to take a step back and reassess the alternatives.

What exactly are the new requirements? In January 2005, the payment-card industry issued the now-famous PCI Data Standards. Among the many PCI standards, which apply worldwide to companies that process payments using Visa, MasterCard, American Express or Discover cards, was this nugget: "Implement two-factor authentication for remote-access to the network by employees, administrators, and third parties."

Later, last October, the Federal Financial Institutions Examination Council (FFIEC) weighed in on the topic. The FFIEC, which creates the standards for federal audits of U.S. financial institutions, issued guidelines stating that "single-factor authentication, as the only control mechanism" was "inadequate" for Internet-based products and services such as online banking.

With these two mandates, what was once wishful thinking by hardened security professionals has now entered boardroom budgeting discussions across the country. But just what is two-factor authentication?

Security professionals have traditionally defined it this way: choosing something you know — usually a password — along with either something you have, such as a cardkey, or something about who you are, such as your fingerprint. The idea behind this approach is that it would be virtually impossible for a criminal to simultaneously be in possession of two of these types of authenticators.
