The Ins and Outs of Strong Authentication – What is Your Risk Posture?
Let’s say you’re using Box to share sensitive files with people who aren’t your employees. Some examples could be contracts with your outside legal firm, product specifications with a supplier, or pricing plans with a distributor.
Using a cloud-based service like Box enables you to easily share and collaborate with business partners all over the world, without sending emails back and forth. However, while Box itself is very secure you’re still concerned about an outsider potentially hacking their way into your account, and exposing your corporate secrets. How do you continue to enjoy the benefits of cloud-based collaboration, without compromising security?
The answer is multi-factor authentication—using a second factor to verify that the person trying to access your Box account is who they say they are.
What options are available to you? There are three basic categories of multi-factor authentication you can deploy: biometrics, hard tokens, or soft tokens.
Biometrics represents the gold standard for user identification, since it’s based on a unique, physical attribute of the individual person. But, which attribute should you rely on? The choices include fingerprint/handprint, iris, facial or voice scans. While the technology has matured to the point where it’s very robust and delivers low false positive or negative rates, there are some issues to consider, such as cost, manageability and portability. The cost of the more sophisticated devices can be fairly high, in terms of acquisition, deployment and operations. How much will it cost you to acquire and distribute your scanner of choice for each person who needs one, especially if they are highly mobile (like sales people) or remotely located? How will you retrieve them if they are lost or broken? In our use case above, where you’re interacting with non-employees, is it even practicable for you to acquire and manage devices for people who aren’t your employees?
A hardware token has similar problems. The expense of purchasing, distributing and managing tokens can be high, especially for a mobile population. They tend to be fairly inflexible, since they were originally designed for controlling access to enterprise networks and applications. In fact, if you intend to use your multi-factor authentication solution for more than one application, you may face a situation where you’ll need to acquire a token for each app that you want to protect.
The soft token approach, on the other hand, such as delivering a one-time password (OTP) to a mobile phone, provides a level of protection similar to the other approaches while offering greater convenience at a lower cost. An OTP delivered over a separate, out-of-band channel gives a high level of assurance that the person holding the phone is the same person attempting to log on to your cloud application. If your users—including non-employees—carry a phone, you eliminate the cost and management overhead of acquiring and distributing tokens. All they need to do is go to a web site you designate, download an app (for those who use a smartphone, such as an iPhone or Android device), and register their number. Users with a plain cell phone can receive the OTP as an SMS text message; everyone else retrieves it from the app. If a user loses or changes their phone, they simply return to the registration site and update their profile with the new phone number. If you no longer want that person to have access to your app, you delete their profile from your registration system, which removes the phone's ability to authenticate. Managing secure access for non-employees suddenly becomes easy and inexpensive.
Overall, using a soft token for multi-factor authentication provides a high level of assurance that only authorized people can access your sensitive cloud apps or data, without incurring high procurement or management costs.