More than the football-shaped tokens to choose
Regulatory requirements are pushing strong authentication technologies into enterprises that, in the past, relied only on usernames and passwords. From educational institutions to law enforcement bodies, these new mandates often cause growing pains as a side effect of increased security.
Pivot Point Academy, a beauty school with locations in the Chicago area and member schools across the U.S., found itself in this situation when the U.S. Department of Education started requiring the school’s financial aid associates to use strong authentication to access financial aid web sites.
The Department of Education wants financial aid advisors at schools to use strong authentication so the agency knows who is accessing the different systems, says Phil Ascareggi, financial aid manager at Pivot Point Academy. These advisors can access a lot of personal data for students and the agency wants to keep track of who is accessing it.
While many programs leave it up to the organization to deploy the tokens, in this instance the Department of Education actually issued them for the institution, Ascareggi explains. Pivot Point ordered the tokens from the agency and then assigned each token to a financial aid representative. If the individual leaves, the token remains at the school as property of the Department of Education.
Previously, if an employee left the school they would still be able to access the sites with their user name and passwords. Even if the school notified the agency that the employee had left, there was still no guarantee that the access would be revoked.
Ascareggi has worked in financial aid at a number of schools over the years and he says identity management has always been a challenge. “I was gone from one school for three years and they hadn’t disabled my account,” he explains. This new solution is designed to make that simpler because the tokens will be reassigned.
Pivot Point’s fix was relatively simple thanks in part to the lack of choice, but for other enterprises it’s not always that way. Some have to figure out what type of solution and credential to deploy, and determine how it will work with current systems.
Such is the case in law enforcement, says Ray Wizbowski, global senior director of marketing for the Security Business Unit at Gemalto. The Justice Department is requiring law enforcement agencies to use strong authentication for access to the Criminal Justice Information Service databases, but the specifics are left up to the various agencies.
When an enterprise is looking to add strong authentication the conversation begins by looking at the infrastructure that’s deployed. “We want to get a sense of their environment,” Wizbowski says. “Is there any type of strong authentication in place? Where are the identities stored?”
Law enforcement agencies have typically gravitated to one-time passcodes. “OTP is the gateway drug of online authentication, easy and quick to deploy,” Wizbowski says.
Depending on the infrastructure that’s already in place, another solution could be a better fit, Wizbowski says. “Is it simple login or something broader?” he asks. “Will you want to add physical access and logical access? Where do you see this implementation in three to five years?”
Depending on the answers to those questions one-time passcode tokens might not be sufficient. Smart cards and mobile devices may be technologies that enterprises want to consider.
Additionally, OTP may not be the right solution for every user within an enterprise, explains Andrew Young, vice president of product management at SafeNet. He recommends looking at the use cases for users and then making a decision. “My system administrator might use smart cards to access routers and domain controllers, my general employee base use OTP for remote access and my sales staff use a soft token on a mobile to access cloud-based application,” he explains.