The reality factor

24.07.2006
If you work for a financial institution or a company that processes credit card transactions, this isn't news to you: There's a growing push to require two-factor authentication for logging into your company's information systems.

In January 2005, the payment card industry issued the PCI data security standard, which included this nugget: "Implement two-factor authentication for remote access to the network by employees, administrators and third parties." Last October, the Federal Financial Institutions Examination Council, which creates the standards for federal audits of U.S. financial institutions, issued guidelines stating that single-factor authentication was "inadequate" for Internet-based products and services such as online banking.

In the wake of these mandates, financial institutions are also finding out how expensive and operationally challenging it is to require users to remember a password and also possess some other mechanism, such as a plastic token, to log in. But in any event, it's probably time to take a step back and re-assess the alternatives.

Security professionals have traditionally defined two-factor authentication this way: using something you know -- usually a password -- along with either something you have, such as a card key, or something about who you are, such as your fingerprint. The idea behind this approach is that it would be virtually impossible for a criminal to simultaneously be in possession of two of these types of authenticators.

This is where theory runs up against some hard reality. Password management already chews up huge amounts of IT resources, with password resets accounting for roughly a third of help desk inquiries in many companies.

Add to this the prospect of implementing new hardware and software on employee laptops to handle card-key swipes or fingerprint scans, or requiring customers to always carry another card or token on their key chains, and suddenly you're facing an enormous financial and operational undertaking.

Companies could decide to greatly reduce the number of employees with remote access to the network, restricting most of them to reading their e-mail through a Web application. It simply may be too expensive to grant remote network access as a default privilege. But employees who can't get to their files on the network may lose productivity.

Banks could start charging customers to use online banking to pay for the increased administrative costs of two-factor authentication. Customers would probably welcome this as much as they did the chance to pay ATM fees. The result could be fewer online banking customers.

Some privacy and security leaders say it's time to take another look at the situation. They're asking two main questions:

-- What risks are we actually trying to mitigate with these new regulations?

-- Are there other ways, besides traditional two-factor authentication, to combat these risks?

The standard answer to the first question has been simple: Weak passwords can be cracked with free software available on the Internet; can often be discovered inside files stored on the network, on people's laptops or on sticky notes left inside desk drawers; and can be solicited through social engineering and phishing e-mails.

These are serious risks that could expose a company to a publicized security breach notification, which often turns out to be a multimillion-dollar affair. But are there other sufficiently effective and cheaper ways to compensate for weak passwords?

My counterparts point to a few possibilities:

Challenge questions. Who says you always need to choose from two of the three categories of what you know, what you have and who you are? Why not choose two authenticators based on what you know? If you can choose the right set of challenge questions -- such as "What high school did you graduate from?" or "What is your favorite pet's name?" -- you can counter some of the weaknesses common to passwords.

Photo "passwords." This is another variant of a second "what you know" authenticator. In this method, you choose a photo -- either of yourself or something memorable from a gallery -- that will be associated with your account. Each time you log in, you face a random selection of photos that will always include the one you originally designated, which you must choose correctly.

"Bingo" cards. A form of "what you have," they're wallet-size grids resembling bingo cards that you receive when you set up your account. When you log in, the system will randomly generate coordinates. The cell at that coordinate will have a PIN that you enter.
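
The server side of such a card is easy to sketch. The following Python is an added example written for this column, not code from any vendor's product: it issues a 5-by-5 card of two-digit PINs (the grid size, the row letters A to E, the column numbers 1 to 5 and the PIN length are all assumptions), draws a random cell as the login challenge, and compares the answer in constant time. It also marks a cell as spent once it has been answered correctly, since the PIN printed in a cell never changes and a response that was overheard or shoulder-surfed would otherwise work again the next time that cell is drawn.

```python
"""Server side of a "bingo card" second factor (illustrative).

Enrollment issues a card: a grid of short random PINs addressed by a row
letter and a column number. At login the server draws a random cell, the
user reads the PIN printed there, and the server checks it. The card shape,
PIN length and single-use-cell rule below are assumptions for this example.
"""
import hmac
import secrets

ROWS = "ABCDE"        # assumed row labels
COLS = range(1, 6)    # assumed column labels 1..5
PIN_DIGITS = 2        # assumed PIN length per cell


def issue_card(rows=ROWS, cols=COLS, pin_digits=PIN_DIGITS):
    """Create a fresh card as {(row, col): pin}.

    A CSPRNG fills every cell independently, so knowing some cells tells an
    attacker nothing about the others.
    """
    return {
        (r, c): "".join(str(secrets.randbelow(10)) for _ in range(pin_digits))
        for r in rows
        for c in cols
    }


def render_card(card):
    """Text rendering of the card as it would be printed for the user."""
    rows = sorted({r for r, _ in card})
    cols = sorted({c for _, c in card})
    lines = ["   " + "  ".join(f"{c:>{PIN_DIGITS}}" for c in cols)]
    for r in rows:
        lines.append(f"{r}  " + "  ".join(card[(r, c)] for c in cols))
    return "\n".join(lines)


class CardVerifier:
    """Holds one user's card plus the cells already consumed."""

    def __init__(self, card):
        self.card = dict(card)
        self.used = set()

    def challenge(self):
        """Draw a random cell that has not been answered yet.

        Returns None once every cell has been spent, which is the signal to
        issue the user a new card.
        """
        remaining = sorted(set(self.card) - self.used)
        if not remaining:
            return None
        return remaining[secrets.randbelow(len(remaining))]

    def verify(self, coord, response):
        """Check the user's answer for the challenged cell.

        Unknown or already-spent cells always fail; the comparison itself is
        constant-time so response timing leaks nothing about the PIN.
        """
        expected = self.card.get(coord)
        if expected is None or coord in self.used:
            return False
        ok = hmac.compare_digest(expected, str(response))
        if ok:
            self.used.add(coord)   # a correct answer retires the cell
        return ok


if __name__ == "__main__":
    card = issue_card()
    print(render_card(card))
    verifier = CardVerifier(card)
    cell = verifier.challenge()
    print("challenge:", cell, "->", verifier.verify(cell, card[cell]))
```

With only 100 possible answers per cell, the card is a weak secret on its own; a deployment would pair the check above with attempt limiting and the usual password factor, which is the point of the column's "what you have" plus "what you know" pairing.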

Fraud detection. Instead of adding a second authenticator, it may be more cost-effective to strengthen your fraud-detection measures, looking for anomalies based on IP address, geographic location or other behavior inconsistent with the user's past patterns.
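
What such a check looks like in practice is easier to see with data. The Python below is an added example written for this column, not code from any fraud-detection product: it builds a small profile of a user's past logins (the /24 networks and countries they came from, and their earliest and latest login hours), scores a new login for deviations from that profile, and asks for a step-up check only when more than one signal fires. The login records and the tiny network-to-country table are constructed sample data standing in for a real login log and a GeoIP database; the signal names and the threshold are assumptions for the example.

```python
"""Login anomaly scoring over constructed sample login records (illustrative).

A user's profile is built from prior logins; a new login is scored against
it on source network, country, time of day and travel plausibility. Two or
more deviations trigger a step-up check instead of a flat deny, so the
ordinary login path stays cheap. Data and thresholds are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed stand-in for a GeoIP database: documentation ranges only.
GEO_TABLE = {
    ip_network("203.0.113.0/24"): "US",
    ip_network("198.51.100.0/24"): "US",
    ip_network("192.0.2.0/24"): "BR",
}


@dataclass
class Login:
    user: str
    when: datetime
    ip: str


# Constructed login history for one user (assumed office hours, one network).
HISTORY = [
    Login("alice", datetime(2006, 7, 17, 8, 55), "203.0.113.10"),
    Login("alice", datetime(2006, 7, 18, 9, 10), "203.0.113.25"),
    Login("alice", datetime(2006, 7, 19, 16, 5), "203.0.113.10"),
]


def country_of(ip):
    """Look the address up in the constructed GEO_TABLE ('??' if unknown)."""
    addr = ip_address(ip)
    for net, cc in GEO_TABLE.items():
        if addr in net:
            return cc
    return "??"


def subnet(ip):
    """Collapse an address to its /24 so a DHCP change does not look new."""
    return str(ip_network(f"{ip}/24", strict=False))


def build_profile(history):
    """Summarise what 'normal' looks like for this user from past logins."""
    hours = [entry.when.hour for entry in history]
    return {
        "subnets": {subnet(entry.ip) for entry in history},
        "countries": {country_of(entry.ip) for entry in history},
        "hour_range": (min(hours), max(hours)),
        "last": max(history, key=lambda entry: entry.when),
    }


def score_login(profile, login, travel_window=timedelta(hours=2)):
    """Return the list of anomaly signals raised by this login."""
    reasons = []
    if subnet(login.ip) not in profile["subnets"]:
        reasons.append("new_subnet")
    country = country_of(login.ip)
    if country not in profile["countries"]:
        reasons.append("new_country")
    lo, hi = profile["hour_range"]
    if not lo <= login.when.hour <= hi:
        reasons.append("unusual_hour")
    last = profile["last"]
    # Two countries within a short window is a classic fraud indicator.
    if country_of(last.ip) != country and login.when - last.when < travel_window:
        reasons.append("implausible_travel")
    return reasons


def decide(reasons, threshold=2):
    """Allow on zero or one deviation; ask for extra verification otherwise."""
    return "step_up" if len(reasons) >= threshold else "allow"


def evaluate(login, history=HISTORY):
    """Convenience wrapper: profile, score and decide for one login."""
    reasons = score_login(build_profile(history), login)
    return decide(reasons), reasons


if __name__ == "__main__":
    for candidate in (
        Login("alice", datetime(2006, 7, 20, 10, 0), "203.0.113.40"),
        Login("alice", datetime(2006, 7, 19, 17, 30), "192.0.2.77"),
    ):
        print(candidate.ip, candidate.when, "->", evaluate(candidate))
```

The threshold is what keeps this cheaper than a universal second factor: a user on a new machine in the same office network, or logging in a little late, is not interrupted, while a login from an unfamiliar country minutes after one from home is sent for a further check.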

Security professionals will differ on which authenticators they think are right for their organizations. But they'll all agree on one point: It's bad for business and bad for the economy to mandate a one-size-fits-all solution. Continued flexibility is the right way to address this complex risk.

Jay Cline manages data privacy at Carlson Companies Inc., a Minneapolis-based group of businesses in the travel, hospitality and marketing industries. Contact him at cwprivacy@computerworld.com.