13 for ’13 Jumpstart: Multifactor Authentication
A few weeks ago we published an article called 13 IT Projects to Include in Your Plans for 2013. In that post, we suggested 13 great IT projects for you to consider. We decided to publish some follow-up articles to help you do just that.
Our fourth project suggestion was for Multifactor Authentication; here’s what we had to say:
It’s just too easy to guess people’s passwords, figure out their passwords and convince them to give you their password… single factor authentication is just not enough. Whether you use smart cards, tokens or biometrics, it’s high time you implement two-factor authentication for access to your critical systems.
With that in mind, here are some tips to help you jump start this project:
The most important technical decision for multifactor authentication (2FA) will be the scope. Do you want to use 2FA for access to all systems? Only to network systems? Only for remote access or webmail? And so on. While the immediate answer might be “all systems” you need to consider just how large a project that could be, whether your existing systems can even use 2FA, and the costs associated with such a broad deployment. The second factor in 2FA is something that every user of the target systems will need, and that can become quite costly if you must deploy for everyone. If you start with the absolute requirement that all systems MUST be protected by 2FA, you may be setting yourself up for failure. It’s a great goal, but if you have any legacy in your environment that cannot be replaced, you may have to make compromises.
List all of your various systems and rank them by security risk if they don’t have 2FA, and how easy or difficult it would be to add 2FA on to them. That will help you decide if it is reasonable to deploy for all systems, or if you should limit to only those who are at most risk, can be most easily adapted, and have a manageable number of users.
Identify technology candidates
There are many different technologies and vendors for 2FA on the market. You can use smartcards, client side certificates, one-time password (OTP) tokens, cell phones, software tokens, and more. Each of these will have various costs, and may or may not be something you can deploy to everyone. If you have users in other countries, you might find that you cannot legally deploy some of these technologies if they are in an area covered by export restrictions, or you may find that your existing hardware just won’t support some of the technologies. While this is early on in the process, picking one or two possible 2FA factors now can help you start to assess the rest of the project. Just be prepared to have to go back to evaluate others if you find your first choice just won’t work with a key system or user base.
Evaluate your systems
Practically any system you have can accept username and password as authentication material. Most won’t be able to accept some third input, such as a PIN. Whether you retrofit your systems, or your authentication, depends on what you have and what you need. If all of your systems can rely upon a central authentication system, and accept username and password as criteria, then OTP tokens, software tokens, and cell phone-based systems are all possible. Smartcards are great for authenticating to specific operating systems, but not as much for many applications. You may want to consider implementing 2FA with Active Directory, and then ensure that all your applications, services, and other components can authenticate against AD (natively or using LDAP). This may be much easier to accommodate than to bolt on 2FA to many diverse systems.
Most 2FA solutions will require infrastructure, modifications to existing systems, and other changes that may exceed your tolerance for production, so have a test lab setup with representatives of all systems you wish to test with 2FA. Make this test lab virtual, and set it up so you can revert easily, as you will probably want to test more than one solution to find the best one for your environment.
Perform a pilot
Once you have a potential 2FA solution selected and the infrastructure in place, perform a pilot. Have both IT users and others try out the system for at least a couple of weeks to see how well it performs, how easy it is to use and to identify any issues. Evaluate those issues and make sure they can be remediated or accepted, or determine if you need to try something else. Use your pilot to be sure this is something you want to deploy to a broader population, and to work out all the challenges.
Deploy to the user population
If you have your solution, it works with all the required apps, and you are ready to go, start deploying it to the broader user population. This is going to be a big change to most of them so, if at all possible, roll it out in phases to a small group at a time so that you can support the inevitable questions and user challenges that will arise. You want to avoid a cutover approach at all costs, as that would be a disastrous end user experience.
Evaluate new applications and technologies
With 2FA in place, you need to make sure that any and all new applications, services, or systems that are considered for your environment will “play nicely” with your 2FA solution. The success of your 2FA solution depends upon it being used for as many solutions as possible. If your scope defined that only apps accessed from outside the corporate network must use 2FA, you will find this to be less of an issue for most apps. But if you want everything to authenticate against 2FA, you need to be prepared to have fewer choices for any specific need.
So now you have some tips to help you get started on multifactor authentication as a project, along with some of the key things to be sure you include to make this project a success. Management sponsorship, project management and consensus are all as important as the more technical parts, even if they aren’t quite as interesting. Multifactor authentication can make a big impact on the security of your network, but if done wrong, it can also become burdensome to your users, so it’s in the best interests of the entire company to make sure this is a success – which you can do, if you follow the tips above.
Like our posts? Subscribe to our RSS feed or email feed (on the right hand side) now, and be the first to get them!