How to Choose an Authenticator. Or Two. Or Three.

When It Comes to Proving Users Are Who They Say They Are, There’s No Single Solution That Will Meet All Your Needs.

As more organizations embrace alternatives to password-based authentication – including exploring authentication technologies that meet FIDO Alliance standards – now is the time to evaluate what methods of authentication will best serve your organization on the path to a passwordless future. There are a number of authenticators available now, and more on the way, thanks to constant innovation in the market. That’s good news if your organization, like many today, is seeing authentication requirements shift faster than ever. As the pace of change increases, there are more and more options to help your organization keep up or, even better, stay a step ahead. 

In today’s dynamic authentication environment, you not only have a lot of choices, but also a lot to think about. Push notifications, one-time passwords, SMS verification, biometrics and hardware tokens are just some of the types of authenticators available now. But no matter how many choices you have, one thing is certain: You’ll be best served by more than one. With the emergence of an increasingly dynamic workforce, there is no longer any single way to meet every user’s needs and achieve the optimum degree of security. To realize those goals, you need multiple approaches to authentication that work together. And to identify the most effective approaches for your organization, you need to consider three things: certainty, complexity and cost. 

1. Certainty: Who Do You Think They Are?

Certainty refers to the degree of confidence an organization can expect from its approach to authentication. How confident are you that those requesting access are who they claim to be? How confident do you need to be, for that matter? If you’re protecting high-value data – customers’ personal information, for example, or your company’s intellectual property – it’s important to be as certain as possible that users requesting access are who they claim to be. But how do you achieve the level of certainty you need? Different methods offer different levels of assurance, and they can be layered on each other to build the desired degree of certainty. For example, a four-digit PIN offers a relatively low level of certainty, but when combined with another method – say, a hardware token – the combined strength increases the level of certainty. 

The ability to layer methods of authentication makes it possible to tailor your authentication approach to different circumstances. If, for example, a user is asking a bank to grant digital access to initiate a funds transfer, that scenario demands the highest degree of certainty – higher than if the user is checking on the status of a previously executed transfer. Similarly, if someone is placing an order online and paying for it, that requires more certainty than if someone is simply tracking delivery status after placing the order. Having multiple ways to authenticate provides the flexibility to address multiple use cases as well as multiple sets of user circumstances. Multi-factor authentication is typically defined as a combination of something a user has (like a hardware token), something they know (a password or PIN) and something they are (a fingerprint or face). 

2. Complexity: What’s a Lot to Ask?

If certainty were the only consideration, choosing authentication solutions would be simple: Just do everything possible to ensure that users are who they say they are. But it’s not the only consideration. Organizations must also think about what they can reasonably expect from users based on their work environments, roles and responsibilities. Keep in mind that an authenticator that provides the maximum degree of certainty, but is too impractical to use, is ultimately of little or no value. For example, biometrics may confirm a user’s identity with a high degree of certainty – but not in cases where most users work in an environment that makes it difficult or impossible to use fingerprint or facial recognition, such as a sterile lab where everyone works in a mask and gloves. 

Certainty and complexity must be considered together, and their effect on each other taken into account, to make sound choices. If a particular type of authentication works for most users, but sacrifices more certainty than you’re comfortable with, it may be necessary to rethink the choice. Maybe that authenticator is rolled out to one set of users, but not another. Or maybe it’s used in conjunction with other authenticators. For example, someone may be able to guess “something you know,” like a four-digit PIN, or to steal “something you have,” like a credit card or hardware device. But if the two are layered and used in combination, the approach becomes substantially more secure, because an attacker now has to defeat both. What’s critical is that your decisions are informed by careful, thoughtful deliberation, with an emphasis on shifting the burden of secure authentication away from users by putting security controls on the back end, where they belong.
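As an added illustration of the layering described above and in the certainty section (this is example code, not the article’s or RSA’s), the following Python models the article’s own cases: a PIN combined with a hardware token, a funds transfer demanding more certainty than a status check, and a masked, gloved lab where biometrics are impractical. The assurance scores, use-case thresholds and all names are this example’s assumptions, not a standard.

```python
from dataclasses import dataclass
from enum import Enum

class Factor(Enum):
    KNOW = "something you know"
    HAVE = "something you have"
    ARE = "something you are"

@dataclass(frozen=True)
class Authenticator:
    name: str
    factor: Factor
    assurance: int  # illustrative 1 (weak) to 3 (strong); this example's assumption

# Illustrative catalogue; scores are constructed for this example, not a standard.
PIN = Authenticator("four-digit PIN", Factor.KNOW, 1)
PASSWORD = Authenticator("password", Factor.KNOW, 1)
SMS_OTP = Authenticator("SMS one-time password", Factor.HAVE, 1)
PUSH = Authenticator("push notification", Factor.HAVE, 2)
HW_TOKEN = Authenticator("hardware token", Factor.HAVE, 3)
FINGERPRINT = Authenticator("fingerprint", Factor.ARE, 2)
CATALOGUE = [PIN, PASSWORD, SMS_OTP, PUSH, HW_TOKEN, FINGERPRINT]

# Assurance each use case demands, following the article's bank and retail examples.
REQUIRED = {"check transfer status": 1, "track delivery": 1,
            "place and pay order": 3, "initiate funds transfer": 4}

def combined_assurance(auths):
    """Same-category authenticators do not layer (PIN plus password is still
    only 'something you know'): keep the strongest per category and add them."""
    best = {}
    for a in auths:
        best[a.factor] = max(best.get(a.factor, 0), a.assurance)
    return sum(best.values())

def decision(use_case, auths):
    """'allow' when layered assurance meets the use case and, above the lowest
    tier, the layers come from at least two different categories."""
    need = REQUIRED[use_case]
    multi = len({a.factor for a in auths}) >= 2
    if combined_assurance(auths) >= need and (need <= 1 or multi):
        return "allow"
    return "step-up"  # ask for one more authenticator of a different category

def step_up_options(use_case, auths, unusable=()):
    """Catalogue entries that would lift the request to 'allow'; 'unusable'
    holds categories the user's environment rules out, e.g. Factor.ARE for a
    masked, gloved lab where biometrics are impractical."""
    return [a.name for a in CATALOGUE
            if a not in auths and a.factor not in unusable
            and decision(use_case, list(auths) + [a]) == "allow"]
```

Calling `step_up_options("place and pay order", [PIN], unusable={Factor.ARE})` returns only the push and hardware-token options, showing how the complexity constraint narrows the certainty choices.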

3. Cost: How Much Is Too Much?

Cost should always be a consideration for authenticators, but it should never be the only consideration. Like certainty and complexity, cost is not always a straightforward calculation. It’s not just about what you pay for a method of authentication; it’s about what you pay to distribute that method to users and what you pay to support it once it’s in their hands. Passwords and PINs are “free” to obtain and distribute but can be expensive to support when you consider the cost of the infrastructure needed to handle users losing, changing and otherwise maintaining passwords and PINs. On the other hand, there is a cost to acquire devices like keys or tokens, but they generally cost less to support because they don’t require ongoing maintenance – although, of course, there’s the cost incurred for a lost device. Distribution of devices can be costly in certain circumstances, such as when an organization with a large workforce distributed across multiple locations must pay to ship them to users. The cost of mobile-based authentication, too, can range from very little to quite a lot, depending on how much support users require for downloading new apps, configuring software or setting up a biometrics-based method. The bottom line on cost is, just as with the other considerations discussed here, that you have to think carefully about the level of security you need and the impact your choices will have on users.

As you think about authenticator choices, you’ll want to consider which will provide the security your organization requires while still addressing user needs – and at what price. Always look at how your choices work together and whether they enable you to strike the right balance of certainty, complexity and cost for your organization. 

Jim Ducharme is Vice President of Identity Products at RSA. He is responsible for product strategy and leads the associated product management and engineering teams. He has nearly two decades of experience leading product organizations in the Identity marketspace, and has held executive leadership roles at Netegrity, CA, and Aveksa.