Easy 2-Factor Authentication You Can Afford

Opinion: Everyone knows two-factor authentication is the better way to secure networks, but it's also an expensive pain to implement...until now.

Ask any security guru. Whats makes for better security, two-factor authentication or the typical one-step username/password combination?

Even Homer "Burns Nuclear IT Assistant" Simpson would know that its two-step. Of course, Homer would probably think you were talking about dancing, but you get the point.

So why arent we all carrying authentication cards for our computers, have fingerprint readers on our laptops and retina scanners at our office doorways? Because implementing two-step authentication is both difficult and expensive to implement.

First, most two-factor authentication methods require you to buy additional equipment. Thats never cheap. Then, you need to integrate the two-factor system with your existing network authentication infrastructure. That can lead to some staggering IT overtime bills.

I know. Ive been called in to see the aftermath of an attempt to integrate two-factor authentication into an enterprise network that was using AD (Active Directory) and NT Domains for authentication in a mixed mode LAN. "Ugly" wasnt anything like strong enough to describe that particular train wreck.

Then, lets say you want to incorporate two-factor authentication with SSO (Single SignOn). Perfectly doable, but again, it can be a real pain to get it working properly.

Lets say you do all that work, though. The system works perfectly...if it wasnt for those darn users! The USB key? The one that serves as the second factor? It now lives perpetually in the PCs USB port.

The laptop fingerprint scanner? Whoops, Joe Salesman left his ThinkPad T61 in a taxicab and he needs to log in from a desktop at a coffee shop.

If youre in IT, you know the drill. If users can find a way to avoid security, they will. If the user is on the road, according to the research company InsightExpress, theyre even worse. According to this Cisco-sponsored report, 73 percent of mobile users admitted they are not always cognizant of security threats and best practices. More than 25 percent also conceded they either hardly ever or never consider security risks and proper behavior, offering reasons such as "Im busy and need to get work done" and "Its ITs job, not mine" as justifications.


Click here to read more about two-factor authentication.

So is there any way that will let you quickly, easily and cheaply put two-factor authentication in place? As it just so happens, we think weve found one.

Jim Rapoza, eWEEK Labs director, recently reviewed a new two-factor service called PhoneFactor from Positive Networks. He loved it. The rest of the staff loved it. Our IT staff loved it.

Heres why.

First, theres the price: free. No, not free as in open-source software. Were talking free as in beer. Next, the second-step factor is, like the name says, the telephone. Thats it.

It works like this. You set up the free service to work with anything that supports RADIUS (Remote Authentication Dial-In User Service).

This is a common-as-dirt client/server protocol authentication service that almost everything supports. Once its set up, your user logs in, as usual, to the VPN (virtual private network), Web mail application, whatever, via Radius. Then, before letting the user in, the service rings them up on their phone number. Next, the user has to hit the pound (#) button.

Thats it.

No special hardware. No need to use only a particular PC. No integration headaches. No costs.

Whats not to love?

If Joe loses his phone, so what? He calls up IT and says, "Switch my PhoneFactor number to my hotel room," or his new pre-paid cell phone. Thats all there is to it. Hes able to get back into the system without any fuss or muss. Of course, if you want to get beyond the PhoneFactor basics, Positive Networks will be more than happy to charge you for such features as support, customization, better integration with your existing systems, etc.

I dont know what the extra costs are, but frankly, if I were a CIO, Id be happy to pay the bill. This has got to be the easiest way Ive ever heard of for implementing two-factor authentication. And, best of all, since it relies on ordinary telephones, if your mobile user has any way of getting on the net, he or she can also be securely connected with your network or applications.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.