Usernames and passwords are the first step in authenticating those who log on to your systems. However, sometimes you need stronger authentication—especially for remote users, or for highly sensitive data and files. Two-factor authentication requires users to provide two pieces of identifying information. Typical identification factors include something the user knows, such as the username/ID, password, or PIN; something the user has, such as a hardware/USB token or smart card; and something the user is, which includes physical characteristics such as finger/handprints, iris/retina identification, or voice pattern recognition.

Using multiple identification factors increases the security of your systems and prevents unauthorized users from gaining access to sensitive information. Numerous multifactor authentication solutions are available, in a variety of forms (hardware devices, software, or services).

Types of Solutions

Hardware solutions include keyfob tokens, USB tokens, and smart cards or magnetic cards. Many hardware solutions also require proprietary software to function. In addition, smart cards and magnetic cards can also require special card readers.

One-time password (OTP) solutions generate unique numeric passwords for one-time use. These solutions are typically distributed as keyfob tokens and don’t require client software or USB connectivity.

Soft OTP tokens provide the same functionality as OTP solutions, but the password is sent to or generated on a mobile device, such as an iPhone or BlackBerry. These solutions are cost effective because they don’t require actual hardware tokens—the mobile device is the token.

Although biometric authentication solutions still seem like something out of the future (think of the movie “Minority Report”), many authentication products do use biometrics. One of the most common types of biometric devices is a fingerprint scanner, found on many laptops. The benefit of physical identification is that it can’t be lost or stolen; however, these solutions can be quite costly and difficult to implement.

Considerations

In choosing a multifactor authentication solution, you need to consider how it integrates with the systems you already have in place. You should consider OS compatibility, application integration, and directory integration. In addition, you need to evaluate the product’s management features.

OS compatibility. Obviously your multifactor authentication solution needs to work with the OSs you’re running. But if you have legacy systems, or you’re running non-Windows OSs, you need to ensure that the solution you choose also works with those systems.

Application integration. Another consideration is how the solution integrates with your applications. Does it use Windows Graphical Identification and Authentication (GINA) logon for application authentication? Or does the product have a separate web service for integration with your applications?

Directory integration. An important factor is whether and how well a solution integrates with your existing directory technology. For example, does the solution integrate directly with Active Directory (AD) or other LDAP directories? Does it have its own directory, with no outside integration? Or does it have its own directory but can still read from a separate LDAP directory?

Management. How easy a product is to use can often be a driving force in making or breaking its adoption in an organization. Note whether the authentication solution you’re considering has integrated management software, or a web interface for user management—as well as how complicated these components are. Another important feature is whether the product has a password override feature, in case a user loses or forgets a token.

Limitations

Multifactor authentication solutions certainly won’t perform any security miracles, and in fact, they have some limitations. These solutions won’t work against man-in-the-middle attacks or trojans, because both of these attacks actually rely on users logging on. However, just because you can’t protect against everything doesn’t mean you shouldn’t protect against anything—and multifactor solutions do protect against illicit logons.

No Excuses

Strong authentication is necessary to ensure the security of your network and systems. User IDs and strong passwords are necessary, but they aren’t enough to really lock down your data. Multifactor authentication solutions are available in a variety of formats and at almost every price point—so if you need such a solution, there’s almost no excuse for not using one. Consult the accompanying buyer’s guide table for a list of two-factor authentication products.

[Editor's Note: Information in this buyer's guide comes from vendor representatives and resources and is meant to jump-start, not replace, your own research; also, some products might have been left out, either as an oversight or from lack of vendor response.]