Almost every day, I wake up to some news update about yet another data breach, or about who is most at risk of cyber attack today. With even the healthcare industry being targeted, as evidenced by the Anthem healthcare customer data breach and by the cost per healthcare record stolen in the 2014 data breaches, researching alternative methods for better securing confidential data becomes a top priority. One of the most popular answers to this problem, thanks to compliance requirements, is two-factor authentication (2FA).
What individuals who are exposed to this type of news don’t always take into consideration, however, are the various compliance standards that many businesses fail to deliver upon.
Security standards are constantly changing in an attempt to keep pace with new data breaches and digital threats. One new regulation that has really taken a toll on businesses ties into the PCI DSS (Payment Card Industry Data Security Standard) compliance requirements. Internal login systems for businesses and organizations that handle customer card information can no longer be secured by a standard password alone; 2FA is now a compliance requirement.
Now for the Headache
There are many ways to achieve a login with enhanced 2FA security. Whether it’s the use of a plastic hardware token or delivery via SMS, adding additional factors to the login process is a growing concern for the workforce. The idea is nothing new, and the implementation of such technology has proven complicated over the years. With the 2FA requirements set by the PCI DSS, authentication has become an even greater barrier to overcome for attackers and owners alike. It’s a great thing that hackers are having difficulty navigating their way in, but individual businesses and owners don’t have to have the same troubles!
So... What is Tokenless 2FA?
The simplicity surrounding tokenless 2FA is derived from what IT professionals know as multi-factor authentication, which combines factors from different categories: something you know, something you have, or some biometric characteristic (something you are). Seeing as biometrics are associated with high costs, the most favored method for achieving multi-factor authentication is a combination of something you know (a unique username and password) and something you have (a mobile phone or laptop). In a nutshell: use your own device instead of a physical, plastic, hardware token.
3 Reasons to Adopt Tokenless 2FA
For small and medium-sized businesses, hardware tokens can be very costly. This is a huge contributing factor when it comes down to businesses actually becoming compliant with PCI standards. Organizations like Dundee City Council have avoided these costs by utilizing a product that enables employees to receive an authentication code on their mobile phones.
As with other technological revolutions, the migration from token to tokenless technology is a matter of efficiency. Consider the adoption of DVDs and Blu-ray discs. Both have significant benefits over VHS tapes. Now consider the era of digital downloads, where you can purchase those same movies directly from stores like Microsoft, Sony, or Google. The emphasis is on ease of access and simplicity of use. By leveraging a personal device, such as your desktop computer, tablet, or mobile phone, to generate a secure login, the key-ring token or other small device has gone the way of VHS and DVD: somewhat clunky and unnecessary.
Referring back to the recent data breaches, there is bound to be some hesitation regarding the overall security of tokenless 2FA. Is it really all that secure? This question is usually targeted at SMS delivery. SMS authentication is used around the globe today by numerous businesses. Due to concerns about compromised 3G and 4G connections, or a lack of cellular reception altogether, many businesses are still not convinced that SMS is right for them.
There are still other options! Whether you run a business on a VPN or through web-based HTTP authentication, end users are still able to leverage other devices. PassiveKey provides a simple, secure 2FA solution by leveraging the end user’s personal device—such as a laptop. This solution generates and sends a Time-based One-time Password (TOTP) via a hotkey combination. All of this is done by utilizing a shared secret between the device and the PortalGuard server.
Choose one that works for you
Every environment is different. What works for a major corporation with money to burn might not work for the small convenience store down the street. With security, it is important to find a solution that works for you, not against you, and that takes your own budget into consideration. Always remember that failing to secure your company and customer information will cost more in the end than implementing a fiscally sensible 2FA solution from the beginning.
So, before you receive a Notice of Non-Compliance with the PCI Data Security Standard, it’s time to take the cost burden and hassle out of the picture. Forget about costly key fobs, additional programming, and the need for decent cell reception. Turn your authentication problems into a simple, cost-effective solution with tokenless 2FA.