I think eventually that 3- or 4-factor authentication will become the norm. Just a few years ago, two-factor authentication was not widely used, but now it is. Since then, cybercriminals have discovered ways to disrupt this process. I think biometrics will start to play a bigger role in the authentication process in people’s everyday lives. Hackers get smarter every day, so it is only a matter of time before 3-factor becomes the norm.
What would be some of the reasons why an entity would need to renew its digital identity? Do digital identities expire, if so, what is the usual validation term for a digital identity?
That is a good question and I think it really depends on the industry. I would be willing to sacrifice convenience by having additional authentication measures in place for financial, healthcare, or any industry that may contain sensitive information to help mitigate the potential of unauthorized access.
My personal preference would be multi-factor authentication via something I have (my phone, for example) and something I am (fingerprint scan). My organization uses a password and phone combination, but I’d prefer to cut out the password and simply scan my fingerprint alongside the phone authentication. This would be costly and difficult to implement enterprise-wide, so I understand why this isn’t the case in most organizations.
Personally, I have started to shift my mindset around authentication. Before, I found it annoying that I needed unique passwords for every website and needed to turn on 2FA. But this program has really opened my eyes to the number of threats that I am vulnerable to without these protections. I do think at a certain point you can take authentication precautions too far, but now I ensure passwords to sensitive things I access online (online banking, etc.) are extremely secure.
Why don’t all organizations implement three-factor authentication for systems access? What are the costs and benefits of increasing the steps required to authenticate to an information system?
This is an interesting question. I would think that the reason why companies do not implement 3FA is because of the non-techy employees who would have problems signing in every day. I think that calls to the help desk would increase as users do not want to be bothered by the complication of signing into the system. Increased calls could mean increased hires on the support team to help these users.
Does your company have a retention policy? Do you think your company follows it? Do you think that some documentation has been kept past the retention, if so why do you think it was kept?
Hi Michael,
I always love a records question!
My organization has a national records retention manual with retention requirements by category. Each district (12 in all) should follow this retention guidance, and only in rare circumstances should they deviate from it, and then with the appropriate approval from senior management and our legal department. For the most part, I believe people follow guidelines for storing information in our official repositories and the shared drives. We have implemented a standard naming convention for our folders which includes the retention requirements in the name, e.g. “Audit Files close + 7 years”, which makes it easy when we perform our annual clean-up. In addition, we raise awareness through Records and Information Management Month in April. Some obstacles we face in this space include people being afraid to delete information, not recognizing the importance of maintaining up-to-date files, and some folks not making records management a priority. The pandemic has made it challenging to comply with the destruction of physical records that are stored onsite, when we have been working remotely for almost a year.
What are the three steps of the identity proofing and enrollment process flow? Is one single organization expected to deliver each step of the process?
The one drawback of using two-factor authentication is time. It takes time to set up and extra time to log in. Also, if attackers cannot access the account without the second factor, the account owner won’t be able to either. They may be unable to recover the second factor if their security key, or the phone with the authenticator app, is lost, stolen, or broken.
A drawback of using two-factor authentication for an organization is that it usually requires some service or device from a third party. If this third party is having technical issues, that could prevent employees from being able to authenticate and gain access to the resources they need.
While 2-factor authentication is obviously more successful in preventing unauthorized entry than single-factor, the downside is that it is not completely secure. The strength and complexity of protection will depend on what type of factor you use. Also, hackers can bypass it by being in possession of a factor of authentication, or by brute-forcing their way in.
Nicholas Fabrizio says
What are the three factors used when trying to authenticate an individual and provide an example for each factor?
Christa Giordano says
Hi Nicholas,
Three factors that are used when trying to authenticate an individual include the following:
What you know, such as requiring a password and/or the answer to a secure question.
What you have, such as a secure token.
What you are, typically a biometric feature such as facial recognition or eye scan.
These factors are typically used in conjunction for multi-factor authentication in the event that one (or more) of these factors is compromised. Even with multifactor authentication, it is still not 100% secure as these methods are still susceptible to trojan horse attacks (compromising the user’s computer) or man in the middle attacks utilizing a fake website between the end user and the “real” website or application the user is trying to access.
To-Yin Cheng says
The three factors of authentication are:
Something you know (knowledge): password or PIN
Something you have (possession): credit card number, RSA token, ID card
Something you are (inherence): any biometric method like a fingerprint, voiceprint, iris scan, hand geometry
It would be more secure if at least two of these factors are used. It makes it more difficult for a hacker to enter the system with unauthorized access. However, multi-factor authentication is not unhackable. It cannot prevent phishing and social engineering.
Jonathan Mettus says
The three factors referenced in the book are something you know, something you have, and something you are. I’d argue those aren’t the only three factors, however. For example, location or “somewhere you are” is often used as a factor. In this case, a user might be able to log in to his/her corporate account only when their phone GPS has them placed in the vicinity of the office.
Megan Hall says
NIST SP 800-63-3 outlines Digital Identity Guidelines to assist with implementing digital authentication in three key areas: identity proofing, authentication, and federation. Which of these three key areas do you think would be the most difficult to evaluate and implement the necessary level of assurance?
Elias Harake says
Great question Megan. I think that the third level is most difficult to both implement and evaluate since you would have to add additional security controls such as multi-factor authentication instead of just a password in the first level. I also think that would require more technology and more expenses, such as requiring a biometric fingerprint scanner upon login.
Christopher Clayton says
All of us have had to use two-factor authentication in order to log in to a personal account (bank, Facebook, LinkedIn, etc.). What accounts would be suitable to utilize multifactor authentication for proper security purposes?
To-Yin Cheng says
Two-factor authentication is a type of multi-factor authentication. For most businesses, two-factor authentication should be needed. The question you are asking, I believe, is what industry will need to use more than 2-factor authentication. I believe the government’s top-secret departments or the Department of Defense definitely need that authentication because it is extremely dangerous if hackers get access to their systems. Also, the financial industry and data centers might need multi-factor authentication to protect their clients’ information.
Christopher Clayton says
Yes, I meant to clarify what type of organization or industry applies the multifactor for security benefits.
Jonathan Mettus says
I actually haven’t come across a personal account of mine that allows the use of more than two factors. Usually, I can use more than two kinds of factors, but only have to present two to log in. One of my big concerns is that only single-factor authentication is in place at my bank, and it still hasn’t allowed the use of multi-factor authentication. To answer your question, things like bank accounts, IRS accounts, etc. are good candidates for multi-factor authentication. In those situations, there’s usually a higher burden to prove your identity upfront, and those accounts have major implications on your life. If someone gets into my Twitter account, it’s not that big of a deal outside of their ability to now phish people that I know.
Christa Giordano says
Hi Christopher,
While I think multifactor authentication will eventually become the norm, I definitely think there are priorities when considering when to implement multifactor authentication, such as the sensitivity of the information and what impact it would have if this information was compromised. In addition to what has been stated, I think hospitals and health care providers should use multifactor authentication due to data privacy and compliance laws, protected health information, and HIPAA requirements. The same goes for airlines and other transportation authorities, to safeguard flight plans, routes, and other information that could be utilized in a terrorist attack, and nuclear power plants, which could have a devastating impact if information fell into the wrong hands.
Christa Giordano says
Boyle Chapter 5 mentions that eventually passwords could be phased out in the near future as a security measure. What are the alternative measures that can be used and which one do you think is the most effective?
Xiduo Liu says
Multifactor authentication in conjunction with behavior-based authentication will become more widespread. I see machine learning being utilized more in identifying and protecting legitimate attempts vs. illegitimate attempts.
Ashleigh Williams says
Multifactor authentication, biometric authentication, and VPN access are a few alternatives to passwords that I currently see being used today. In most cases, these methods are easier to use and preferred to passwords.
Wei Liu says
The use of the fingerprint as an alternative to the password has increased dramatically in recent years. Traditional fingerprint sensors were relatively expensive and very heavy. Now they are small enough to incorporate into smartphones and tablets, hidden in any button, and fast enough to check fingerprints in less than a second.
To-Yin Cheng says
Since fingerprint authentication might not work for all individuals, what other biometric authentication would you recommend?
Christopher Clayton says
Hi To-Yin, I would recommend face recognition due to improved security and the fact that it reduces the cost of hiring security personnel. It also has a high accuracy rate in facial technologies due to infrared light cameras and 3D settings that make it very difficult for any intruder to trick the system.
Lakshmi Surujnauth says
Hi To-Yin,
Another biometric authentication that could be used is iris recognition, which works by verifying the pattern in the colored part of the eye by way of a camera. While it has been dubbed the most precise form of biometric authentication with very low false acceptance rates, it comes with a hefty price tag. It would perhaps be more suited to larger companies with a mature security posture and the wherewithal to implement this type of biometric authentication.
Xiduo Liu says
Facial recognition, voice recognition, iris recognition, and retina scans are all alternatives to fingerprints. I think organizations should make more than one form of biometric available to address any accessibility issue.
Quynh Nguyen says
What’s popular with new smartphones nowadays is facial recognition, which has proven to work well for the most part and is very common in today’s world. Another biometric authentication could be eye (iris) recognition; however, this would require a very high-tech scan of the eye. There is also voice recognition, DNA match, finger geometry, hand geometry, and typing recognition.
Ashleigh Williams says
The main alternatives to fingerprint I’d recommend are face recognition and the voice recognition. While voice recognition might be the more difficult and costly option, it is a good alternative to fingerprint and I’ve seen companies doing this already.
Jonathan Mettus says
Which is a more secure way to handle password resets: phone calls to the help desk or an automated system?
To-Yin Cheng says
It is quite an interesting question. Phone calls to the help desk would require you to answer questions about things you know, like your name, address, or even social security number, to verify your information. I believe the help desk is more secure because it verifies your information first and then sends out the reset link or temporary password to the user’s email address (something you know). Users need to set a new password once they receive that email. That would count as two-factor authentication. If the password is reset by an automated system, it only needs to send out the reset email or text message with a PIN. It is less secure compared to calling the help desk.
Xiduo Liu says
Phone calls alone are not enough. Anyone can pretend to be anyone. It is a prime target for social engineering. A password reset policy should be established to eliminate the possibility of social engineering; therefore there should be at least one additional form of identification in addition to the phone call for any password reset process.
Quynh Nguyen says
Definitely the automated system, because the help desk would mean dealing with real people that may have malicious intent. For example, calling the help desk to request a password reset will notify the help desk rep that the employee has forgotten his or her password. This could give them the opportunity to use their access power to pretend to be the user and reset the password to something of their choosing to perform unauthorized access. An automated system would also minimize the risk of human error, is more accurate, and is more efficient in that there is no wait time as when calling the help desk. The service with an automated system is instant.
Lakshmi Surujnauth says
Given that password resets via the helpdesk are costly to a company, one may be inclined to go with the automated system. However, the latter is a security risk as users could easily share their authentication questions/answers used to reset the password, or the password itself, be it intentionally or accidentally, making that approach the weaker of the two. Considering this tradeoff between cost and risk, the helpdesk option would be the optimal choice for password resets. Of course, this wouldn’t be a mere call to reset passwords, but would involve authenticating the user and securing the line with an access code sent to the user via mobile/email. The last thing an organization would want is to save a few hundred thousand in helpdesk cost, only to wind up with a data breach due to password compromise that costs them millions of dollars.
Mitchell Dulaney says
Unfortunately, I don’t think there is a way to completely eliminate the need for help desk representatives in relation to password resets. Regardless of how complex an automated system is, there will be situations where the legitimate accountholder is not able to complete a password reset using the system, and escalation to a human being would be necessary. This means malicious social engineering will always be a risk in the enterprise environment, and effective help desk training and thorough policies are needed to mitigate that risk.
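Several replies above describe the automated path as "send a reset link or a PIN". The following added example (not from any poster in this thread, and not any product's code) shows what a defensible automated reset endpoint does with that token: it stores only a digest of the token, expires it after a fixed window, burns it on first use, retires an older token when a new one is issued, and returns the same message whether or not the address is registered so the endpoint cannot be used to enumerate accounts. The account directory, the outbox standing in for email delivery, the 15-minute lifetime and the injectable clock are constructed for this example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed values for this example: a tiny account directory and an
# in-memory "outbox" standing in for email/SMS delivery.
ACCOUNT_DIRECTORY = {"alice@example.com": "alice"}
OUTBOX = []  # list of (email, token) that "left" the server
TOKEN_TTL_SECONDS = 15 * 60  # illustrative lifetime for a reset link


def deliver_out_of_band(email, token):
    """Hypothetical delivery hook; a real system hands this to a mailer or SMS gateway."""
    OUTBOX.append((email, token))


class ResetTokenStore:
    """Pending reset tokens for many accounts, kept as SHA-256 digests only.

    If the store leaks, the digests cannot be turned back into usable links.
    `clock` is injectable so expiry can be tested without sleeping.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # token digest -> (account, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, account):
        # Issuing a new token retires any older one for the same account, so a
        # stale link sitting in an old email cannot be replayed later.
        self._pending = {d: v for d, v in self._pending.items() if v[0] != account}
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = (account, self._clock() + TOKEN_TTL_SECONDS)
        return token  # leaves the server only via the out-of-band channel

    def redeem(self, account, token):
        """True only for an unexpired token issued to this account; always single-use."""
        entry = self._pending.pop(self._digest(token), None)  # pop: burned on any attempt
        if entry is None:
            return False
        owner, expires_at = entry
        return hmac.compare_digest(owner, account) and self._clock() <= expires_at


def request_reset(email, store):
    """Step one. Uniform response whether or not the address exists, so the
    endpoint does not confirm which emails correspond to accounts."""
    account = ACCOUNT_DIRECTORY.get(email)
    if account is not None:
        deliver_out_of_band(email, store.issue(account))
    return "If that address is registered, a reset link has been sent."


def complete_reset(store, account, token, new_password):
    """Step two. Only a valid token lets the new password through; persisting
    the salted hash of new_password is out of scope here."""
    if not store.redeem(account, token):
        return False
    # ... store salted hash of new_password, revoke existing sessions, notify the user ...
    return bool(new_password)
```

The design choice worth noting is that `redeem` pops the entry before it checks anything, so a token submitted against the wrong account, or after expiry, is gone for good rather than left around for a second try.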
Lakshmi Surujnauth says
How can an organization stem the password reuse phenomenon?
Quynh Nguyen says
Organizations can reduce the password reuse problem by requiring passwords to be changed every 90 days and implementing a policy standard that requires the new password to be different than the previous 24 passwords. This way, employees aren’t able to keep using the same password across all accounts or go back to their old passwords the next time.
Nicholas Fabrizio says
Organizations can help reduce employees reusing passwords by purchasing an enterprise password management system that will allow the employees to easily create and store long, complex passwords. A benefit of a password manager is that employees do not have to try to memorize passwords or store them in an unsecure location (writing them down, or using an Excel spreadsheet). A lot of password management systems have the ability to use multifactor authentication to help secure each individual’s password vault. This system could also be used in conjunction with policies of having to reset passwords after a certain amount of time has passed or on how complex the passwords need to be.
Wei Liu says
Password policies should require the frequent changing of passwords. User passwords should be changed perhaps every 90 days. This way, if an attacker learns a password, he or she will only be able to use it for a limited time.
Charlie Corrao says
Organizations can only do so much in regards to reusing passwords. For example, if you only change the special character in your password, but not anything else, that will still satisfy the requirement of a “unique” password, but is still not secure. User education is the best way to combat this. Users should learn about the dangers around reusing insecure passwords, as technical controls can only help so much.
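The two controls discussed above, a history of the last 24 passwords and Charlie's point that changing only the special character still passes a naive "unique" check, can be enforced together at change time. The following added example (not from any poster here, and not a product's code) keeps only salted PBKDF2 digests of previous passwords, rejects a candidate that matches any of them, and separately rejects a candidate whose normalised form (case-folded, punctuation and trailing digits removed) equals that of the current password. The history depth of 24 comes from the thread; the iteration count and the normalisation rule are assumptions for the example.

```python
import hashlib
import hmac
import os
import re

HISTORY_DEPTH = 24          # policy value from the discussion above
PBKDF2_ITERATIONS = 100_000  # illustrative; tune to your hardware budget


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256 digest; the history stores digests, never plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def password_core(password):
    """Collapse cosmetic edits: case-fold, drop anything that is not a letter or
    digit, then drop a trailing run of digits. 'Summer2021!', 'Summer2021#' and
    'summer2022' all reduce to 'summer'. (Assumed rule for this example.)"""
    letters_digits = re.sub(r"[^0-9a-z]", "", password.lower())
    return re.sub(r"\d+$", "", letters_digits)


class PasswordHistory:
    """The last `depth` password digests for one account, newest last."""

    def __init__(self, depth=HISTORY_DEPTH):
        self.depth = depth
        self._entries = []  # list of (salt, digest)

    def add(self, password):
        salt = os.urandom(16)
        self._entries.append((salt, hash_password(password, salt)))
        del self._entries[:-self.depth]  # keep only the most recent `depth`

    def was_used(self, password):
        # Re-derive with each stored salt and compare digests in constant time.
        return any(
            hmac.compare_digest(hash_password(password, salt), digest)
            for salt, digest in self._entries
        )


def check_new_password(current, candidate, history):
    """Return 'reused', 'too_similar' or 'ok'.

    `current` is the plaintext the user just typed to prove they know the old
    password; that is the only moment a similarity test against it is possible.
    Older passwords exist only as digests, so they get the exact-reuse test."""
    if history.was_used(candidate):
        return "reused"
    if password_core(candidate) == password_core(current):
        return "too_similar"
    return "ok"
```

The similarity rule is deliberately crude and is meant to catch the pattern in the post above, not to replace the user education it argues for; a real deployment would also screen candidates against a breached-password list.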
Xiduo Liu says
Organizations are starting to make two-factor authentication a standard. Usually one of the factors is the password. However, as we are all aware, the password is no longer effective, and at some point in the future it will become a thing of the past. With the different factors of authentication mentioned in the text, what would be a good combination of authentication methods replacing passwords?
Lakshmi Surujnauth says
Hi Xiduo,
A good combination of authentication methods that could replace passwords are access cards & biometrics (iris scanner, fingerprint, facial recognition, etc.). This represents something a user has and something a user is, respectively, and therefore a feasible alternative for replacing passwords.
Mitchell Dulaney says
I think a combination of a biometric scan, either fingerprint or facial recognition, and a smartcard that must be renewed periodically, would eventually catch on as a way to avoid passwords. I think the primary reason why this hasn’t happened yet is the cost to implement biometric measurement tools across the board in an enterprise environment. Fingerprint scanners on all laptops and desktops would be expensive, but perhaps as that technology becomes cheaper, or facial recognition becomes the norm on all workstations, biometrics as an authentication factor will become more popular. Forcing smartcards to be renewed periodically would be similar to forced password changes, but would reduce the memory burden on end users, and could be more secure (for example, new smart cards would be delivered by mail or the users would have to check in for their new card in-person).
Wei Liu says
Can you think of some situations where mandatory and discretionary access control might fail?
Quynh Nguyen says
Most companies today are switching to two-factor authentication. Do you think there will ever be a need for companies to switch to three- or four-factor authentication, or is that overkill?
Ashleigh Williams says
Good question! I think as technology advances, we always outgrow the current phenomenon, so to speak. We are currently seeing a trend from passwords to multi-factor authentication. I think there could come a time where there will be a shift to three- or four-factor authentication or even something completely different.
Charlie Corrao says
I think eventually that three- or four-factor authentication will become the norm. Just a few years ago, two-factor authentication was not widely used, but now it is. Since then, cybercriminals have discovered ways to disrupt this process. I think biometrics will start to play a bigger role in the authentication process in people’s everyday lives. Hackers get smarter every day, so it is only a matter of time before three-factor will become the norm.
Elias Harake says
What would be some of the reasons why an entity would need to renew its digital identity? Do digital identities expire, and if so, what is the usual validation term for a digital identity?
Panayiotis Laskaridis says
What is your personal preference for authentication? How much convenience are you willing to sacrifice in the name of authentication?
Nicholas Fabrizio says
That is a good question, and I think it really depends on the industry. I would be willing to sacrifice convenience by having additional authentication measures in place for financial, healthcare, or any industry that may contain sensitive information, to help mitigate the potential of unauthorized access.
Mitchell Dulaney says
My personal preference would be multi-factor authentication via something I have (my phone, for example) and something I am (fingerprint scan). My organization uses a password and phone combination, but I’d prefer to cut out the password and simply scan my fingerprint alongside the phone authentication. This would be costly and difficult to implement enterprise-wide, so I understand why this isn’t the case in most organizations.
Charlie Corrao says
Personally, I have started to shift my mindset around authentication. Before, I found it annoying that I needed unique passwords for every website and needed to turn on 2FA. But this program has really opened my eyes to the amount of threats that I am vulnerable to without these protections. I do think at a certain point you can take authentication precautions too far, but now I ensure passwords to sensitive things I access online (online banking etc.) are extremely secure.
Mitchell Dulaney says
Why don’t all organizations implement three-factor authentication for systems access? What are the costs and benefits of increasing the steps required to authenticate to an information system?
Michael Doherty says
This is an interesting question. I would think that the reason why companies do not implement 3FA is because of the non-techy employees who would have problems signing in every day. I think that calls to the help desk would increase, as users do not want to be bothered by the complication of signing into the system. Increased calls could mean increased hires on the support team to help these users.
Michael Doherty says
Does your company have a retention policy? Do you think your company follows it? Do you think that some documentation has been kept past the retention, if so why do you think it was kept?
Christa Giordano says
Hi Michael,
I always love a records question!
My organization has a national records retention manual with retention requirements by category. Each district (12 in all) should follow this retention guidance, and only in rare circumstances should they deviate from this guidance, and then with the appropriate approval from senior management and our legal department. For the most part, I believe people follow guidelines for storing information in our official repositories and the shared drives. We have implemented a standard naming convention for our folders which includes the retention requirements in the name, i.e. “Audit Files close + 7 years”, which makes it easy when we perform our annual clean-up. In addition, we raise awareness through Records and Information Management Month in April. Some obstacles we face in this space include people being afraid to delete information, not recognizing the importance of maintaining up-to-date files, and some folks not making records management a priority. The pandemic has made it challenging to comply with the destruction of physical records that are stored onsite, when we have been working remotely for almost a year.
Ashleigh Williams says
What are the three steps of the identity proofing and enrollment process flow? Is one single organization expected to deliver each step of the process?
Charlie Corrao says
Are there any downsides to using two factor authentication? What are some potential risks?
Wei Liu says
The one drawback of using two-factor authentication is time. It takes time to set up and extra time to log in. Also, if attackers cannot access the account without the second factor, the account owner won’t be able to either. They may be unable to recover the second factor if their security key, or the phone with the authenticator app, is lost, stolen, or broken.
Nicholas Fabrizio says
A drawback of using two-factor authentication for an organization is that it usually requires some service or device from a third party. If this third party is having technical issues, that could prevent employees from being able to authenticate and gain access to the resources they need.
Christopher Clayton says
While two-factor authentication is obviously more successful in preventing unauthorized entry than single-factor, the downside is that it is not completely secure. The strength and complexity of protection will depend on what type of factor you use. Also, hackers can bypass it by being in possession of a factor of authentication, or they can brute-force their way in.
Christopher Clayton says
This is a response to Charlie Corrao’s question.