Scaling your security strategy

11 Aug 2005 13:05


As your company gets bigger, you may need to move on from password authentication. We take a look at your options

The foundation of any computer or network security strategy is access control — providing those who should have it with access to resources on the network and keeping everyone else out. The basis of controlling access is to be able to verify the identities of those authorised users; otherwise any intruder can pretend to be chief executive John Smith or Mary Jones in accounting, and sign onto the network.

The simplest way of authenticating network users is to require that they enter a unique password tied to their user accounts. Theoretically, each user is the only person who knows his/her password so if the correct password is given, the user's identity is proven.

Password authentication is the method used by most small businesses. It's easy and cheap and built into the operating system. You don't have to buy anything extra to implement it. And it works — most of the time.

Most of the time is enough for many small companies with low security needs. If you don't have any important trade secrets, confidential client information (such as credit card numbers or credit histories), sensitive employee information (such as medical histories or social security numbers), etc. on the network, you might not need to spend money on a more secure authentication method.

Organisational growth increases security needs
The problem is that as companies grow, their security needs often increase. More and more of your business records are digitised; you get government contracts or move into regulated fields such as health care, financial services, etc. You incorporate and become subject to a whole new level of regulatory requirements, privacy protections, and so forth. Your organisation's profile becomes higher, so you become more of a target for hackers and attackers who had no interest in your network before. The company spreads out geographically and hires more personnel, and implements remote access solutions to allow employees to connect from home or on the road, so that it becomes easier for a stranger to blend in and penetrate the network.

At this point, you've probably begun to think about network security. You may invest in expensive firewalls and intrusion detection systems to thwart attacks. However, it doesn't take a genius hacker with top skills to get into your network. Many intruders do so not by writing exploit code but by using social engineering (people skills) to find out legitimate user names and passwords.

A technical solution for a social problem
Con men (and women) have been with us since the beginning of civilised society. Social engineering is not a technical problem — the software is working exactly as it's supposed to, allowing access only after identity has been verified with the correct password. It's a people problem: people can be intimidated, charmed, or tricked into revealing their passwords, either directly or indirectly. Education can help reduce instances of social engineering, but as long as human nature remains the same, some folks will always be vulnerable to it. There is, however, a technical solution.

Multi-factor authentication makes things much more difficult for the social engineer. Password authentication is single-factor authentication; it depends on providing something you know (the password) to prove your identity. Multi-factor authentication still requires that you provide a password or PIN, but goes a step further and requires that you also provide something more. This can be something you have, such as a smart card or token, or something you are, such as a fingerprint or another biometric or behavioural trait.

When multi-factor authentication is required to sign onto the network or computer, even a social engineer who's managed to obtain a good password is out of luck without the second factor.
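The point above, as an added example that is not part of the original article: a server-side check that only passes when both the password (something you know) and a one-time code from a token (something you have) are correct. It assumes the token is an HMAC-based one-time-password device (RFC 4226) and uses a constructed user directory; the token secret is the RFC's published test key.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226), as a hardware token would display it."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed user directory: password hash (something you know) plus a
# per-user token secret and counter (something you have).
SALT = b"constructed-salt"
USERS = {
    "mjones": {
        "pw_hash": hash_password("correct horse", SALT),
        "token_secret": b"12345678901234567890",   # RFC 4226 test key
        "counter": 0,
    }
}

def authenticate(user: str, password: str, token_code: str, window: int = 3) -> bool:
    """Both factors must check out; a password obtained by social engineering is not enough."""
    rec = USERS.get(user)
    if rec is None:
        return False
    if not hmac.compare_digest(rec["pw_hash"], hash_password(password, SALT)):
        return False
    # Accept the token's current counter or a few ahead, in case the user
    # generated codes without logging in.
    for c in range(rec["counter"], rec["counter"] + window):
        if hmac.compare_digest(hotp(rec["token_secret"], c), token_code):
            rec["counter"] = c + 1   # advance so the same code cannot be replayed
            return True
    return False
```

A correct password with a missing or reused code is rejected, which is exactly the situation the social engineer ends up in.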

Scaling your new authentication plan
Multi-factor authentication can greatly increase your security, but implementing a biometric or card/token-based authentication scheme can be expensive. In addition to the equipment itself, there will be extra administrative time devoted to setting up and maintaining the authentication method.

For example, if you decide to go with smart card authentication, you'll need to buy card readers for each workstation, set up a computer (called an enrolment station) to create the cards, and purchase the cards themselves. An administrator will have to spend time setting up the hardware and software, making the cards, making new cards for employees who lose theirs, etc.

Many organisations begin their foray into multi-factor authentication with cards and tokens because the equipment is generally less expensive and there may be less resistance from employees and other network users than with biometric and behavioural methods that seem more intrusive. However, card and token methods have ongoing costs that biometrics don't have (you won't have to issue a user new fingerprints because he lost his) and you'll have to deal with the inevitable user who always leaves the card at home and can't get access, costing more in administrative time.

For that reason, companies may "move up" from card-based authentication to biometric authentication for greater security and convenience.

Whichever way you go, you don't have to implement multi-factor authentication throughout the entire network all at once if you have a large organisation. It may be easier — and more cost effective — to set up a pilot program first. You can make the switch in a single department or branch office, or only require multi-factor authentication for users with high levels of access privileges. This allows you to evaluate any problems that occur during the transition and be ready for them when you expand the new authentication method to more of your users. In addition, if you try out cards and find that they cause more problems than they solve, and decide you want to use biometrics instead, you haven't invested so much in the initial outlay for equipment and supplies.

User authentication is your first line of defence against intruders, so it's important that your authentication strategy evolve as your business grows. Don't be stuck relying on passwords alone to protect your network in an environment that demands a high level of security.

Story URL: http://news.zdnet.co.uk/security/0,1000000189,39212151,00.htm

Copyright © 1995-2008 CNET Networks, Inc. All rights reserved