In the battle against online identity theft, phishing and other online fraud, where a password is often the only defence against attackers, organisations are adding extra layers of security at every level to protect valuable assets using two-factor authentication. Yurong Lin, CEO of Deepnet Security, examines this added layer of security.

Authentication ensures that the person accessing data, whether via a virtual private network (VPN) connection, remote desktop, email application (Outlook Web Access, Outlook Anywhere) or an online shopping portal, is who they claim to be and is authorised to access that data. Traditional authentication systems rely on a single factor, such as a password.

Identity theft costs UK businesses on average £1.2bn according to Home Office research, fuelling the government's decision to push identity cards in the battle against the growing number of online identity crimes. Organisations face a similar problem: uninvited users penetrate security controls and access corporate data, and there is the age-old problem of users logging on under another person's identity.

Two-factor authentication strengthens security because users must present extra credentials in addition to their passwords. It requires two of the following three factors: something you know (e.g. a password or PIN), something you have (e.g. a security token, mobile phone or USB stick) and something you are (e.g. fingerprint or iris recognition).

However, selecting an appropriate two-factor authentication system can be difficult and expensive, as there are many products on the market that provide different types of technologies.

Unified authentication is a single platform that integrates all types of user credentials and authentication methods, enabling organisations to deploy strong authentication across all types of applications, such as remote access, internet access and mobile applications, for all groups of users, such as employees, contractors and business partners.

A unified authentication system is, therefore, more user-friendly, cost-effective and future-proof. In a bid to tackle card-not-present (CNP) fraud, Visa recently announced the availability of the EMUE card, a credit card with an LCD display and mini-keypad that generates one-time passwords for account logon and online transactions.

Impact of regulation

Regulation is fuelling the uptake of two-factor authentication, with many organisations using the technology to replace insecure passwords and secure assets in addition to meeting regulatory compliance such as HIPAA, Sarbanes-Oxley and FSA.

The most recent regulatory pressure by the government is the Code of Connection (CoCo) standards, which will define the future of communications between local and central government.

The regulation requires local authorities to implement rigorous security processes and IT controls, as well as provide secure access to data through multi-factor authentication.

The CoCo deadline has recently been extended to 30 September 2009, and it is apparent that councils face a real threat of ID theft and loss of network connection to central government departments if they do not comply by this date.

Whilst councils are looking for a quick fix to the problem, it is clear that a lack of knowledge around the topic is holding them back and causing widespread confusion about what is required and who to turn to for a solution.

Achieving CoCo compliance is not a quick job. There are many different areas with which councils must comply. Five key areas represent the biggest challenge for councils: securing remote devices, developing secure processes, managing software centrally, managing a cultural change and maintaining ongoing compliance.

For remote devices to be CoCo compliant they must be secure, encrypted and only given access to the network through a secure virtual private network (VPN) using two-factor authentication.

The simplest way to achieve this is to provide a unified authentication platform that prohibits unauthorised access to government networks, without the need to increase password complexity. Greater complexity invariably means users forget their passwords and need to call the IT help desk for a reset, or put them at risk by writing them down.

Authentication approaches

The unified approach

Unified authentication provides a multi-factor authentication service on a single platform, which enables strong authentication for different types of applications and different groups of users, using different types of authentication methods. Organisations can achieve a lower total cost of ownership (TCO) with unified authentication than using a traditional two-factor authentication system.

Hardware tokens

The most common form of the 'something you have' factor is the hardware token: a dedicated electronic device that generates one-time passwords.

Software tokens

Similar to hardware tokens, a software token is a newer generation of one-time password generator implemented in software. Instead of using dedicated, expensive hardware devices, software tokens run on devices that users already have, such as mobile phones, computers and USB sticks.

Virtual tokens

Virtual tokens do not require an additional physical device. Common implementations employ technologies such as a secure (signed) cookie, the user's online profile or the IP address the user connects from. The term can also refer to using the user's own computer as the authentication token. These are weaker evidence of possession than a dedicated token: a cookie can be copied off the machine and an IP address can change or be shared, so virtual tokens suit lower-risk applications or use alongside other factors.
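To make the 'secure cookie' form of virtual token concrete, here is an added example in Python, not the article's code or any vendor's product. It mints a device cookie whose contents are authenticated with HMAC-SHA256 under a server-held key and verifies it on later visits. The key name `COOKIE_KEY`, the cookie layout (`user|device|expiry` followed by a 32-byte tag) and the 30-day lifetime are assumptions made for the illustration. The last function shows what an attacker who copies a cookie but lacks the key can and cannot do: the user field cannot be changed without invalidating the tag, but the cookie itself is a bearer value that works from any machine it is copied to, which is why it supplements rather than replaces the password.

```python
import base64
import hashlib
import hmac
import secrets
import time

TAG_LEN = 32  # SHA-256 output size; the tag is the last TAG_LEN bytes of the cookie

# Server-side signing key, generated fresh for this example and assumed to
# live only on the server. It is never placed in the cookie.
COOKIE_KEY = secrets.token_bytes(32)


def mint_device_cookie(key: bytes, user_id: str, lifetime: int = 30 * 86400, now=None) -> str:
    """Issue a cookie marking this browser as one the user has already enrolled.
    Layout: "<user>|<random device id>|<expiry unix time>" + HMAC-SHA256 tag, base64url."""
    if "|" in user_id:
        raise ValueError("user_id must not contain the field separator '|'")
    now = int(time.time()) if now is None else int(now)
    device_id = secrets.token_hex(16)          # random per enrolment, lets the server revoke one device
    payload = f"{user_id}|{device_id}|{now + lifetime}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()


def verify_device_cookie(key: bytes, cookie: str, now=None):
    """Return the user_id the cookie was minted for, or None if it is malformed,
    forged, altered or expired. The tag is checked before any field is trusted."""
    now = int(time.time()) if now is None else int(now)
    try:
        raw = base64.urlsafe_b64decode(cookie.encode())
        payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        user_id, _device_id, expiry = payload.decode().split("|")
        expiry = int(expiry)
    except (ValueError, UnicodeDecodeError):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None                            # wrong key or altered payload
    if now >= expiry:
        return None                            # enrolment has lapsed
    return user_id


def rewrite_user(cookie: str, new_user: str) -> str:
    """An attacker's attempt: change the user field but keep the original tag.
    Verification must reject the result, since the tag no longer matches."""
    raw = base64.urlsafe_b64decode(cookie.encode())
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    _old, device_id, expiry = payload.decode().split("|")
    forged = f"{new_user}|{device_id}|{expiry}".encode()
    return base64.urlsafe_b64encode(forged + tag).decode()


if __name__ == "__main__":
    c = mint_device_cookie(COOKIE_KEY, "alice")
    print("genuine:", verify_device_cookie(COOKIE_KEY, c))
    print("forged :", verify_device_cookie(COOKIE_KEY, rewrite_user(c, "admin")))
```

When a cookie like this is set in a real deployment it should carry the `Secure` and `HttpOnly` attributes, so it travels only over TLS and is not readable by page scripts; that limits, but does not remove, the risk that it is copied from the user's machine.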

Biometric tokens

Users can authenticate via physical biometrics such as fingerprint or iris recognition and enter a PIN or password to gain access to data. However, physical biometrics need a scanner at the point of login, which makes them most practical for physical access control or for devices that already have a reader built in. For online applications, behavioural biometrics such as keystroke dynamics, and voice recognition, can be more appropriate and cost-effective, as they do not require an additional hardware scanner.

Digital certificates

A digital certificate is a public key infrastructure (PKI) credential that enables stronger user identification and access control. Digital certificates are often stored on computers, but can also be stored on smart cards or USB sticks for use when travelling.

Compliance and lowering TCO

Different applications require different levels of security, so users end up holding different forms of protection for each. Achieving the right balance of authentication security without compromising the user experience or the bottom line has always been a challenging task for organisations. A single platform offering multiple authentication methods can therefore provide peace of mind and is also cost-effective, in addition to giving strong protection of assets.

Achieving compliance through two-factor authentication can appear complex and confusing, but organisations must address CoCo head on now by reviewing their security processes, so that they are not burying their heads in the sand and have enough time to implement any necessary changes before the deadline arrives.