authentication best practices for 2013

Upload: robertomarques106130

Post on 04-Jun-2018


  • 8/14/2019 Authentication Best Practices for 2013

    Authentication Best Practices for 2013

    Proven tactics, tips and best practices for enterprise authentication


    Contents

    Cloud Identity Management as a Service: Not quite ready for prime time

    Intro to two-factor authentication in Web authentication scenarios

    Two-factor authentication options, use cases and best practices

    Industry experts Jonathan Hassell and Ajay Kumar take a deep dive into the murky waters of identity management and authentication to explore whether the newest kid on the block, cloud identity management, is ready for prime time, and also provide a comprehensive introduction and best practices for two-factor authentication.

    Cloud Identity Management as a Service: Not quite ready for prime time

    Jonathan Hassell

    As the cloud becomes more vital for CIOs, there exists another problem -- or, shall we say, a challenge -- that needs to be addressed: cloud identity management. How can we verify that users are who they say they are, how do we authorize them to use services, and how can we account for their activities once they've been authenticated and authorized?

    Dealing with identity on-premises is difficult enough. You have generally disparate systems. Years ago, the big push was to enable your host integration service to talk to Novell Directory Services, while your accounting or payroll system utilized NDS as well. Such integration makes user provisioning simple when employees come and go. It also makes security policy application more consistent and enables complete control over monitoring and auditing controls. The integration was made possible with protocols like Lightweight Directory Access Protocol and the use of central directory services like Active Directory. Those protocols and serious investments each made more efficient use of centralized user information in the private data center.

    Get ready to reinvent the wheel when it comes to the movement to cloud-based computing. Cloud identity management presents an entirely new set of challenges. Why? There are a couple of reasons. First, different providers have different internal systems. Imagine that you're considering purchasing a cloud-based CRM solution. If you've already migrated your email and calendaring groupware solution to a cloud provider, how do you integrate identities among these providers? User conveniences like password integration and single sign-on might not be possible with disparate providers. You may also have trouble with logging and service support and provisioning. Maintaining a single identity among different providers using different systems can be challenging, to say the least.

    The other reason involves compliance and auditing. Just think about how you're handling your on-premises data center now. How do you fulfill compliance requirements for your regulators, financial institutions and business partners? What is the impact of identity across all of your business systems? How will you know who can do what? Cloud-based computing magnifies these obstacles, but with the added complexity of different user interfaces, reporting platforms, data security and geographical residency attributes.

    Some vendors have an eye toward integrating identities across various providers. You may have already seen this with popular social networking sites as the bedrock: Many upstart cloud providers and consumer service providers allow users to create accounts and be authenticated using Twitter, Facebook, LinkedIn and other sites. Obviously, enterprise and business corporate customers are not going to be interested in forming the basis of their online identity systems using Facebook accounts, but this is an area that CIOs should watch in coming years.

    The future of Cloud Identity as a Service

    As the coming years unfold, you'll see an increase in the utility of Federation as a Service. Organizations -- in particular, larger corporate customers -- will decide that given the current state of affairs, they should become the service providers for identity: authentication, authorization and accounting.

    Businesses will invest in systems that allow users to federate their identities among on-premise systems, mainframes that are still in use as line-of-business applications, and cloud services -- in effect, reversing the roles of customer and provider. Businesses of all sizes will demand of their cloud providers the ability to consume identity information from their on-premises directory services. "Being their own customers" allows midmarket companies to solve challenges in several ways.

    First, they will maintain the ultimate control of identity centrally, and permit services to consume the information necessary to provide services on an ad hoc basis. Companies will also keep data safeguarded within the confines of the corporate network, and allow services to get only "yes or no" information from the on-premises federation service. They will also enable smoother rollout of other cloud-based services by exposing standardized application programming interfaces that those services can consume, and then authorizations that those services can exchange with others. Finally, by adapting this method, they will permit assurance that regulatory and compliance requirements are still being met. The customer is still in control of authorization and accounting, as well as ensuring that the appropriate logging is taking place and ensuring full transparency.

    All in all, don't jump into cloud identity management anytime soon. Identity Management as a Service is not ready for primetime. Instead, look for ways to expose your current identity services through federation, and then push cloud-based service vendors to consume that information from your on-premises resources.

    About the author

    Jonathan Hassell is president of 82 Ventures LLC. He's an author, consultant and speaker in Charlotte, N.C. Hassell's books include RADIUS, Learning Windows Server 2003, Hardening Windows and, most recently, Windows Vista: Beyond the Manual. Contact him at [email protected].


    Intro to two-factor authentication in Web authentication scenarios

    Ajay Kumar

    Recently Apple joined a growing number of major consumer brands like Facebook, Google, Microsoft and PayPal in offering two-factor authentication (2FA) to help customers better secure their user accounts against hacking. For Apple Inc., the new feature is designed to block unauthorized changes to iCloud or iTunes accounts and prevent attackers who steal Apple IDs from making purchases using the credit cards stored in customers' iTunes and Apple store accounts.

    While most information security professionals are quite familiar with the concept of two-factor Web authentication, for those who aren't, it is a more rigorous and complex method of authenticating an account than a simple password-only process. In this tip, we'll examine the benefits, challenges and technical considerations of implementing two-factor authentication in a consumer-facing website environment.

    An introduction to two-factor authentication

    A password is inherently weak. It can easily be lost or forgotten; many people write their passwords down where they can be seen by others; some use the same password over and over or use weak passwords that can be easily guessed.

    The use of two-factor Web authentication ensures that this won't happen. A password is one of two necessary authentication factors that must be provided before access is granted. All 2FA systems are based on two of three possible factors: a knowledge factor (something the user knows, like a password), a possession factor (something the user has, like a token; more on that below), and an inherence factor (something the user is, such as a fingerprint). In this scenario, even if a malicious party obtains a person's password, he or she would not be able to provide the relevant second element needed to complete the authentication process. This lowers risk and the potential for unscrupulous behavior, as a compromised password alone is not enough to compromise the authentication system.

    In the enterprise, two-factor Web authentication systems rely on hardware-based security tokens that generate passcodes; these passcodes or PINs are valid for about 60 seconds and must be entered along with a password. In a consumer-oriented Web-based environment, it's cost-prohibitive for a service provider to distribute physical tokens to each and every individual user.

    Instead, most websites ask users to undergo a one-time registration process during which users register one or more of their mobile devices with the website provider. This is a trusted device under the users' control that can receive a verification code via SMS or another means to verify the user's identity.

    Any time a user signs into the website, a passcode is sent to the registered device. The user must enter the password and verification code to fully sign in and use the services.
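
The sign-in step described above only protects the account if the verification code is hard to guess, short-lived and usable once. The following is an added example, not code from the original guide; the class name, the five-minute lifetime and the five-attempt limit are assumptions chosen for illustration, and handing the code to an SMS gateway is left to the caller.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumption: a code is valid for five minutes
MAX_ATTEMPTS = 5         # assumption: five wrong guesses cancel the challenge


class SmsCodeVerifier:
    """Issues and checks one-time verification codes for pending sign-ins."""

    def __init__(self, clock=time.time):
        self._clock = clock
        # Codes are stored only as keyed digests, so a leaked table of
        # pending challenges does not reveal usable codes.
        self._server_key = secrets.token_bytes(32)
        self._pending = {}   # login_id -> challenge record

    def _digest(self, login_id, code):
        # Binding the digest to login_id stops a code issued for one
        # sign-in attempt from being accepted for another.
        message = f"{login_id}:{code}".encode()
        return hmac.new(self._server_key, message, hashlib.sha256).digest()

    def issue(self, login_id):
        """Call after the password check succeeded; returns the code to send."""
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, not random.random()
        self._pending[login_id] = {
            "digest": self._digest(login_id, code),
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def verify(self, login_id, submitted):
        """Return 'ok', 'wrong', 'expired', 'locked' or 'unknown'."""
        record = self._pending.get(login_id)
        if record is None:
            return "unknown"
        if self._clock() > record["expires"]:
            del self._pending[login_id]
            return "expired"
        expected = record["digest"]
        if hmac.compare_digest(expected, self._digest(login_id, submitted)):
            del self._pending[login_id]          # single use: no replay
            return "ok"
        record["attempts"] += 1
        if record["attempts"] >= MAX_ATTEMPTS:   # stop online guessing
            del self._pending[login_id]
            return "locked"
        return "wrong"


if __name__ == "__main__":
    verifier = SmsCodeVerifier()
    sent = verifier.issue("login-attempt-1")     # constructed sample id
    print("first try :", verifier.verify("login-attempt-1", sent))
    print("replay    :", verifier.verify("login-attempt-1", sent))
```

A six-digit code with five attempts gives a guessing attacker at most a 5 in 1,000,000 chance per challenge, which is why the attempt limit matters as much as the expiry.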

    2FA Web authentication: Challenges and considerations

    In consumer-oriented environments, the challenge lies in complexity: consumers have access to more than one service from the service provider, and each requires seamless and secure transactions. If the second factor of authentication is not secure, then it's not worth implementing at any cost. It is therefore a critical and challenging requirement that the 2FA system itself be protected in such a way that a hacker or attacker cannot get to it and compromise its integrity.

    Further, it's difficult to integrate two-factor authentication seamlessly with an entire service portfolio or set of Web products. It requires the website and product development teams to understand changing consumer needs and business scenarios so that increased customer security doesn't negatively affect sales, registrations or other metrics of business success.


    Another challenge is interoperability; every organization does business with other organizations, and users or consumers access other providers' services. So interoperability becomes an important challenge to address while implementing the 2FA. This involves considerations such as whether to buy or build a 2FA product that is based on an industry standard (the burgeoning FIDO Alliance is a compelling new option), and whether to plan for interoperability with the authentication mechanisms offered by other major Web brands, like Facebook or Google. Don't underestimate the challenge of implementing an interoperable, user-friendly 2FA system that keeps consumer account details secure.

    Be sure to consider exception scenarios such as when a user can't receive a text message while traveling overseas. The solution might be an app for smartphones, tablets or laptops that can generate security codes on its own, with simple steps to set up the app before the trip starts.

    Web 2FA costs

    The costs associated with planning, procuring, deploying and supporting a Web authentication system must be considered early on. There are one-time development and deployment costs, including the development/customization, installation and configuration of the system, and the cost of customization and integrating it with other applications. There are also ongoing system infrastructure costs for hosting the system.

    Finally, factor in support costs for ongoing support and administration of a 2FA solution, including helpdesk staff members who can help consumers resolve their issues in a timely fashion.

    To lower costs, organizations can subscribe to SaaS security vendors that provide a two-factor authentication service combining cloud-based delivery and self-service administration with flexible authentication methods and low per-user costs. These services are also easy to provision and inexpensive to maintain.

    Every Web service provider should consider using two-factor authentication -- or begin moving Web authentication strategies in that direction -- to better


    Others may focus on one or a few well known authentication methods such as one-time password (OTP) tokens and out-of-band (OOB) authentication methods.

    Use cases for two-factor authentication

    Enterprise IT systems provide specific capabilities to specific users; for example, the tasks performed by a system administrator differ from those a security analyst or financial analyst performs. Authentication is a critical business process that connects users to applications and other resources without exposing data and processes to which users aren't authorized.

    In today's complex and cloud computing age, enterprises can adopt a two-factor authentication option to support one or more use cases to better protect enterprise assets and business data against unauthorized access. Those use cases include the following:

    1. Internal or local access: Employee access to critical business or cloud-based applications, and/or administrator access to corporate servers and network devices.

    2. External or remote access: Remote or mobile employee access to the corporate backend systems via the VPN or portal access.

    3. Common network entry points: Between the public network/Internet and the internal corporate network, facilitating secure access to enterprise services like email or the VPN.

    Two-factor authentication options

    2FA as a technology has matured in recent years and technology costs have gone down significantly. With the evolution and enhancement of the technology, employees no longer need to always carry a cumbersome token device with them. A simple mobile device carried by every employee today can be used as a second authentication factor to deliver the secure authentication code instead of a token, protecting enterprise assets from hackers or attackers.

    Some major two-factor authentication vendors are Entrust, RSA, SafeNet and Symantec; all offer established, broad technology options and a range of viable use cases for enterprises.


    RSA, the security division of EMC Corp., has its well-known brand of RSA SecurID one-time password hardware and software-based tokens. In addition, it offers adaptive authentication, which is used by large enterprises to take advantage of contextual authentication/adaptive access control capabilities. Identity verification, another option, is a managed service that offers identity proofing with validation based on end-users' life-history questions and uses interactive user authentication processes. Most of its competitors sell similar products.

    The implementation pricing of 2FA depends on the scenario: for example, the industry vertical, the size of the enterprise, the usage pattern, user geography, helpdesk presence and the sensitivity of the business or data. It would cost between approximately $65,000 and $2 million for big financial and retail banking verticals.

    An example of a newer but established type of 2FA is the one offered by PhoneFactor (now owned by Microsoft). PhoneFactor leverages the user's existing phone in lieu of a token or other dedicated 2FA device; it's convenient for users and is a cost-effective, secure platform for enterprises. During the first step of the authentication process, the user must enter his user name and password. In the second step, the user can choose one of these methods: a) PhoneFactor calls the user and the user simply answers by pressing # on the phone keypad; b) PhoneFactor sends out a text message containing the passcode and the user replies to the text message with the passcode; c) PhoneFactor pushes a notification to the PhoneFactor app on the user's smartphone and the user just taps "authenticate" in the app to complete the authentication process. For small organizations (up to 25 users), the vendor offers a free version.

    Considerations in selecting a two-factor authentication product

    Two-factor authentication technology helps enterprises protect user credentials and reduces the number of incidents related to unauthorized access and theft of credentials in the corporate environment. In addition, it brings the enterprise into compliance with regulatory standards and meets compliance requirements. For example, PCI DSS 8.3 reads, "Incorporate two-factor authentication for remote access to the network by employees, administrators and third parties."

    Not all enterprises must be PCI compliant, but the PCI DSS is considered a baseline set of requirements, so organizations that don't already have a 2FA strategy in place would be wise to begin the process, which of course includes evaluating vendor technology.

    Organizations should consider the recommendations listed here while identifying their 2FA needs and plan the project accordingly.

    Understand the corporate IT environment -- This could include understanding the technology landscape that's used inside or outside the enterprise to access information or data and knowing how the IT policies are enforced and what protections are in place. For example, are the employees allowed to access corporate information through mobile devices? Or is the enterprise using SaaS applications hosted by SaaS providers, and do the SaaS providers support the 2FA security measures to protect the data?

    Find the target users -- Is 2FA considered only for selected business units like sales or marketing departments or for remote workers and partners as well? In general, most organizations only offer 2FA for VPN access. Limit the implementation, at least in the early stages, to specific use cases.

    Adopt a risk-based approach -- Most organizations today implement a technology if it will help reduce risk. So, alternatively, when there isn't a clear scope or group of target users, offer 2FA only to users who access business critical information or intellectual property, whether the user is an employee or third party and is accessing the information from within the corporate network or from a remote location.

    Avoid unnecessary cost and complexity -- The overall cost of the implementation can vary vendor to vendor depending on the size and requirements of the enterprise. Take into account the number of users, office locations, the global presence of the enterprise, plus support and help desk coverage factors when determining the cost.

    Two-factor authentication implementation challenges

    Two-factor authentication is not easy to implement. For instance, security firm Duo Security recently reported a serious flaw in Google's two-step login process. The problem, which was soon fixed, stemmed from Google applying the feature across its many services. Although Google is one of the Internet's giants and its technology was solid, its implementation was flawed.

    To be clear, such a broad undertaking like 2FA is bound to have complications in any organization. But the lesson is that while implementing a single, secure infrastructure-wide two-factor authentication platform is not without stumbling blocks, being aware of likely problems before you begin can help lessen the effects.

    For example, legacy software and services must often be reworked to handle 2FA or may require an authentication framework that could be used among different in-house or outsourced tools to support the two-factor authentication enterprisewide. Sometimes it becomes clear that the two-factor authentication framework selected simply requires too much customization, something that can be difficult to determine until software architects actually get to work on integration aspects of the implementation.

    Two-factor authentication will likely be seen by users as a hassle. They may find it tedious to have a trusted device or hardware token with them at all times in order to log in. So some authentication scenarios may require an option for users to skip two-factor authentication for frequently accessed systems.

    These and other pain points of a two-factor authentication implementation may be eased with the following measures:

    Select a factor that fits enterprise needs. The options include hardware-/software-based tokens or sending SMS messages to smartphones. Enterprises that are geographically centralized will appreciate physical tokens, while others with a constantly moving workforce may wish to use software-based tokens or mobile options.

    Consider implementing a phased approach. Abrupt, enterprisewide cutovers don't make anyone happy. At the same time, application and system owners will find it easier to migrate everyone at a single go. But that just creates a nightmare for end users and help desk staff members who have to support and address the issues that occur during the migration. It could drive up the project cost too.

    Provide sufficient user support. Getting the back-end server components installed and configured takes a while, and integrating and testing applications takes time too. Self-service, sufficient training and a well-staffed helpdesk and support team will be essential to get users accustomed to the technology and able to successfully navigate through the transition period.

    Two-factor authentication is becoming an essential element of modern enterprise IT security programs, yet it remains complex and difficult to understand, implement and manage. Organizations must understand that traditional and inherently weak password-only authentication mechanisms may no longer serve as an adequate security control. Furthermore, amid today's threat landscape, it's apparent that two-factor authentication is necessary in order to keep unauthorized users from obtaining access into key corporate systems and to keep persistent, sophisticated attackers at bay.
