As businesses strive to strengthen the security measures that protect their systems and data, one important capability that has emerged is two-factor authentication. In a recent survey, more than 66% of enterprises reported adopting stronger authentication means beyond user names and passwords. Using two-factor authentication, organizations can protect identities against security breaches and unauthorized access. While two-factor authentication enables a more secure organization, businesses also need to consider key factors that could affect user adoption. Let's take a closer look at what organizations can do to turn this into an effective user experience, as well as the security practices that can help drive adoption.
At the outset, two-factor authentication is about what a user knows and what they have. A typical two-factor flow comprises a primary user credential validation followed by a token challenge. The password is something they know, and the token is provided to them on a device they have. While organizations have made strides in employing primary authentication through a form-based login or federated Single Sign-On, they still need to consider effective means for a second-factor authentication. As they prepare to implement a two-factor authentication solution, they need to consider whether they are truly following secure practices. Simply put, how effective are their primary and secondary factors of authentication? Some organizations have resorted to using security questions as a secondary factor. While employing second-factor techniques such as secret questions may be cost effective, they are also considered "something you know" and hence may not be effective from a security standpoint. On the other hand, using one-time tokens definitely helps, as they are generated and presented on a device or channel the user has access to.
Another area to consider is in-band versus out-of-band verification channels. This is particularly true when you have security risks in your network infrastructure. An in-band mechanism operates on the same channel as the primary one, so it is exposed to significant risk if the primary channel is breached. On the other hand, out-of-band verification happens on a different channel and can help alleviate such risks. An example of an effective solution is mobile app approval-based verification following primary authentication. Once a mobile device is paired to a user profile, this mechanism can be used for out-of-band two-factor authentication.
As a way to help drive user experience, organizations need to seek avenues that make the user login experience a seamless one. Firstly, allowing users to authenticate with credentials they already know greatly enhances this experience. Secondly, when implementing two-factor authentication, how available is the token? Organizations have to take into account latencies with respect to email, SMS or other channels. This can also be complex depending on the validity and expiration of the tokens. Considering solutions that use hard or soft tokens can help, as they are available and easily accessible by users and provide a time-based code that is more secure.
Another area to consider is the cost of the solution. While it is important for organizations to incorporate authentication schemes such as two-factor, they also need to consider solutions that are cost effective. Specifically, this relates to the channel through which the second-factor authentication is handled. While mechanisms such as SMS or email may seem cost effective to organizations, they may be cost prohibitive to users who incur data service charges, leaving them with the burden of "paying for login." On the other hand, organizations can use hard or soft tokens to take the cost away from users, but then need to accommodate this solution within their overall IT development and maintenance budget.
Another area relates to scenarios in which the second-factor channel or device is not accessible to users. Organizations need to factor in the reliability of such channels and devices and apply support practices that help users in these situations. They must consider not only an effective one-time password for recovery, but also how soon they can reinstate the channel or device so that users can continue to use two-factor authentication. Delays in this process can elevate security threats. The same applies to discontinuing user access when a user leaves the organization.
While enterprises have many options and choices here, they need to employ solutions that are intuitive to users and drive appropriate security practices. Striking this balance will greatly help organizations protect customer information and provide an experience that promotes trust as well as driving greater adoption.
Salesforce Authenticator provides a well-balanced approach for organizations in meeting the above needs. It is not just secure in terms of complying with industry standards, but also designed and built for enterprises looking for a well-balanced two-factor authentication solution. Here is a white paper that provides greater insight into how organizations can benefit from adopting this tool to help implement two-factor authentication solutions.
About the Author
Suchin Rengan is a global hub lead for the Identity and Access Management domain within the Customer Success Group at Salesforce.