Multifactor authentication provides the pieces for peace of mind

According to Report Linker, the multifactor authentication market is expected to grow 17.3 percent from 2012 to 2017 to a market worth US$5.5 million. Something we have indeed removes the problem of forgetting something we know, but now the object(s) must be with the user at the time that he or she wants to be authenticated.

"In the realm of physical security, the failures of companies and governments to protect our private information (personal and financial) are a lesson that what once served as sufficient security (username and password) is no longer acceptable. We have come to accept that card access provides a low level of security," said Adam Shane, Senior Systems Design Architect, Amag Technology (a G4S Technology company). "Cards can be duplicated, spoofed, modified or stolen. There is nothing that validates the authenticity of the card, nothing that binds the card to its owner, and in some cases, nothing to verify the issuer still trusts the owner to have the card."

The driving factor behind multifactor authentication is to increase the security level in an organization and only allow entry for permissible personnel, said John Davies, MD of TDSi. Multifactor authentication is becoming more important because more systems are connected over the Internet and are exposed to huge numbers of people.

Aside from existing compliance and regulatory pushes, the cloud is another driver for deploying multifactor authentication. "Traditional barriers that have been deployed to secure IT systems, such as firewalls, are becoming less relevant due to a growing move toward the cloud, which means an increasing amount of company data no longer resides on company networks," said Julian Lovelock, VP of Product Marketing for Identity Assurance, HID Global (an Assa Abloy company). "Traditionally, enterprises have stored key IT resources behind a firewall on corporate servers, or in a ‘walled garden.' But, with the rapid growth of the remote workforce, the time and effort enterprises have put into reinforcing that ‘wall' have seemingly been wasted, as more data begins to reside outside of the corporate network. All of these trends are leading toward a model in which organizations focus on protecting individual resources with strong authentication, as opposed to simply protecting the wall."

Chris Cardell, CEO of SyferLock Technology, agreed. Megatrends, such as the emergence of cloud computing, server and desktop virtualization, the proliferation of mobile technologies and bring-your-own-device possibilities, the increase in employees requiring remote access, and the increased use of social networking in the work environment, have created new vulnerabilities and risks for companies. "Users expect to be able to access information from virtually anywhere via the Internet and mobile devices such as smartphones and tablets, and that means it is harder than ever for IT and security executives to ensure that all the organization's information assets are protected," Cardell said.

Growth Verticals
Growth verticals for multifactor authentication include hospitals, banks, airports, data centers, large corporations, IT server rooms, universities, research labs, government departments and other organizations working with sensitive materials such as defense. "In some industries such as health care and financial services, the emergence or evolution of regulatory requirements is forcing even more stringent implementation for strong authentication. For instance, in the U.S., health care organizations must be compliant with the health insurance portability and accountability act (HIPAA). Relying solely on usernames and passwords will no longer be sufficient for secure access to data, particularly sensitive information such as patient records," Cardell said.

The US government has also mandated that access to physical and cyber assets in the executive branch requires use of a personal identity verification (PIV) card, Shane said. "This card supporting PKI validation is federated and therefore trusted across all agencies, and supports multifactor authentication (credential, PIN and biometric). Not all systems will be upgraded to support this high-end authentication token as PIV cards can cost the US government about $100 per person and that does not include the regular maintenance overheads. But progress is being made."

Rick Focke, Senior Product Manager at Software House (a Tyco Security Products company) is optimistic about the retrofitting projects and potentials of biometric based solutions. “The US federal government is a large market and one where the need for upgrades and additional solutions are still needed. In this market and in others, as installation volumes rise, costs should begin to decrease.”

The increase in employees, contractors and e-commerce customers requiring secure access, both remote and on premise, to computers, networks and sensitive information are also drivers in the demand for stronger multifactor authentication approaches. For instance, multifactor authentication adoption in banks in the U.S. is not mandated, but more customers in this market are moving to more secure solutions, Shane said. "We see this as a general trend. There are many beneficial reasons to move to strong authentication such as, to reduce financial losses from crime or fraud, improve auditing capabilities (non-repudiation), reduce cyber espionage and terrorism incidents, improve public relations, and the list goes on."

Complex and Costly?
Cost and usability are perhaps the two greatest concerns from enterprises/end user when implementing multifactor authentication solutions. "Adding biometric authentication for identity binding requires not only a biometric capture device at every terminal, but also requires licensing software to perform the biometric comparison," Shane said. "In biometric authentication, there are different ways to handle the process of binding an individual to a card or their credential. In one case, the user's biometric map or template is stored on a card or in a computer database. If the binding process requires users to present their card/credential first, for reading identification numbers (known as a 1:1 match), then costs can be kept minimal as the ID number is used to pull users' biometric data from the protected storage and then the biometric match confirms they are the person they claim to be. Similarly, the presentation of the credentials could release the biometric data directly from the card. However, in other systems, a person may simply provide one biometric identifier (fingerprint, iris or other) and the system will match this against all samples in the database. If the best match exceeds a threshold for acceptance then it is assumedthey are that person. This is called a 1:N match or a search." Compared with a one-to-one match, one-to-many comparisons are expensive.

Multifactor authentication solutions also require the appropriate enrollment or registration software to build the identity database and to manage the identities. "This software can be quite expensive also," Shane added. "We try to help customers understand that there is a continuum of solutions from relatively simple to very complex. Their budget, security concerns, regulatory requirements and consequences are all considered in guiding them to an appropriate solution."

In the case of biometric security, end users may also be worried about purchasing a third-party or bolt-on biometric system that requires two separate devices at the door and two separate software systems being used in parallel. "Another concern is the rate of technology change within biometrics today," said Philip Verner, Regional Sales Director for EMEA, CEM Systems (a Tyco Security Products company). "An emerging biometric technology today can go end-of-line within a considerably short period of time and this can make end users hesitant when choosing a biometric solution. When considering Iris technology, patent or licensing modules used can also be a significant barrier for customers."

Throughput and convenience are still issues for users. For example, a system that requires extra layers of authentication equals an extra delay for individuals trying to enter a facility or an area. "Customers want to avoid time delays or bottlenecks at the door where there is a high volume of staff throughput. Where it may not be convenient to use multifactor authentication all day, we recommend that PIN and/or biometric security be enabled during certain times, for example, at night time when the premises are closed," Verner said.

Usage Considerations
Whichever security model is chosen, the total cost of ownership is a key factor in determining the value of a solution. First of all, end users need to evaluate the cost to use and maintain a typical username and password logon security system. Weak security can result in direct and indirect costs and devastating consequences, due to leaking sensitive information and resources to unauthorized users and intruders. This is not to mention issues resulting from noncompliance to industry regulations.

When evaluating a multifactor solution as an alternative, the hardware, software, system integration, installation, deployment, maintenance and device replacement must all taken into the equation. Besides the direct costs of solution purchasing and software licensing, there can be hidden costs involved. For instance, customers might need to take into account the cost of distributing hardware: tokens, smart cards or biometric readers. Support costs must also be taken into account as there will likely be an increase of support calls after the initial deployment.

These procedures are especially critical for those who do not have a proper risk assessment, and therefore are not clear on what their most important data or assets are or where they resides.

Security only works if the end user follows the policy. Quick and convenient solutions that do not disrupt daily routines are perennial favorites. What is required from any multifactor authentication system is not only enhanced security level but also functionality.

While most corporations purchase systems based on their current needs, scalability is another important factor to consider when evaluating multifactor authentication solutions. Some multifactor authentication systems require significant management when dealing with a high number of users. For instance, tokens can become difficult and expensive to manage due to the fact that they need to be replaced every few years.

Bumpy Yet Rosy
Cost continues to be a challenge, as budgets are tight. "However, the US government is providing funding for HSPD-12 upgrades through the OMB 11-11 memorandum with a stipulation that the money must go to installing multifactor authentication solutions," Focke said.

Current industries that recognize the need for multifactor authentication solutions represent a small market for vendors. "The larger commercial market sometimes is challenged to see the ROI in multifactor authentication when all of the infrastructure costs are considered," Shane said.

The lack of awareness about such solutions requires extra effort on market education. "I think that one significant challenge is the incorrect assumption that the only viable option for multifactor authentication is a one-time password (OTP), and the belief that if the OTP option isn't suitable, there are no other alternatives. The reality is that is not true, and that there are a large number of alternatives," Lovelock said. “"we need to push past that point and educate people as to what those alternatives are, and at the same time highlighting the other key aspects of implementing authentication technologies such as, lower deployment and management costs, the enhanced level of security the technologies provide, and better usability for end users."

Despite these obstacles, the growth potential for the multifactor authentication market is substantial. Biometric readers such as fingerprint verification are gaining traction. "Some specialty applications are also coming to the forefront. For example, the health care market is looking at noncontact devices to help ensure readers remain clean and germ free. This non-contact solution utilizes iris, palm vein or facial recognition level of authentication only," Focke said.

As an expert in physical and logical access integration, HID Global predicts the proliferation of contactless device-based authentication and embedded credentials. "I think we will see technologies that grew up in the consumer space around machine profiling and device forensics being used in the corporate sector, as the consumerization of IT takes a greater foothold. I also believe that an increase in the availability of NFC-enabled devices will open up options for contactless device-based authentication," Lovelock said. "We will see growth in embedded credentials, where endpoint devices like laptops, tablets and phones will be able to securely store, and make credential readily available for use."

Also, software-based authentication solutions are emerging fast. "Because many of today's emerging use cases (e.g., employees and customers requiring secure remote access) are not conducive to legacy hardware-based authentication solutions, we believe that there will be increased demand for flexible, adaptable software-based authentication solutions."

"With increasing concerns about security and with new regulatory requirements, authentication is a growing industry. This growth has resulted in the emergence of a range of authentication solutions, including hard tokens, smart cards, biometrics, SMS text to cell phones, among others, competing in the market place," Cardell said.