What are you doing about two-factor authentication?
Computerworld - If you work for a financial institution or a company that processes credit card transactions, this isn’t news to you: There’s a growing push to require two-factor authentication for logging into your company’s information systems.
But if you’re in this camp, you’re probably also finding out how expensive and operationally challenging it is to require users to remember a password and also some other mechanism, such as a plastic token, to log in successfully. National attention on two-factor authentication is generating as much hype as network intrusion detection and stored data encryption did a few years ago.
Not sure which authentication approach is best for your company? Then it’s probably time to take a step back and reassess the alternatives.
What exactly are the new requirements? In January 2005, the payment-card industry issued the now-famous PCI Data Standards. Among the many PCI standards, which apply worldwide to companies that process payments using Visa, MasterCard, American Express or Discover cards, was this nugget: "Implement two-factor authentication for remote-access to the network by employees, administrators, and third parties."
Later, last October, the Federal Financial Institutions Examination Council (FFIEC) weighed in on the topic. The FFIEC, which creates the standards for federal audits of U.S. financial institutions, issued guidelines stating that "single-factor authentication, as the only control mechanism" was "inadequate" for Internet-based products and services such as online banking.
With these two mandates, what was once wishful thinking by hardened security professionals has now entered boardroom budgeting discussions across the country. But just what is two-factor authentication?
Security professionals have traditionally defined it this way: choosing something you know — usually a password — along with either something you have, such as a cardkey, or something about who you are, such as your fingerprint. The idea behind this approach is that it would be virtually impossible for a criminal to simultaneously be in possession of two of these types of authenticators.
- Combating Identity Theft in a Mobile, Social World Offering identity theft protection and remediation allows businesses to give their workforce the confidence to efficiently engage while bringing financial reward to the...
- After a Breach: Managing Identity Theft Effectively This white paper from LifeLock Business Solutions notes that FIs in addition to managing fraud should strive to turn a negative event for...
- Combating Identity Fraud in a Virtual World This slide presentation reveals findings from the Javelin Strategy & Research 2012 Identity Fraud Report about mobile and social trends, the real risks...
- API Playbook: Drive API Adoption Through Developer Engagement Learn the best practices of how to engage developers, whether your goal is to attract external developers to your public APIs or improve...
- Data Protection and Disaster Recovery with iSCSI and VMware Get this on demand webcast now
- API Management: The Key to Improving the Consumer Travel Experience Join PhoCusWright's Senior Technology Analyst, Norm Rose, as he shares his insights on how travel suppliers and intermediaries can improve industry data flow... All Privacy White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!