Back in the day, when I was the product line director for RSA SecurID, the dream was pretty simple: “a token in every pocket.” (A natural corollary to this dream, of course, was “death to passwords.”)
By “token,” of course, we meant a small, specialized hardware device – in the abstract, consisting of a processor, a power source, a time source, a display, an algorithm for generating pseudo-random numbers, and a unique “seed record” for that particular device/user.
The sole purpose of these tokens was (and remains, to this day) to generate one-time passwords, and using them is a classic example of two-factor authentication: a combination of something you know (a PIN) with something you have (the hardware token, which generates a new 6-digit tokencode every 60 seconds).
The combination of PIN plus tokencode creates a unique password for that user – and a minute later, their password is different (the other classic example of two-factor authentication is your ATM card: something you know, plus something you have, to gain access to your bank accounts).
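To make the mechanism above concrete, here is an added example (not RSA's proprietary SecurID algorithm, and not code from this post) of a time-based one-time passcode in the style of the open HOTP/TOTP standards (RFC 4226 and RFC 6238). It models the parts the text lists: a seed record shared between token and server, a time source divided into 60-second steps, a pseudo-random function (HMAC-SHA1) that turns seed plus time step into a 6-digit tokencode, and a server that checks PIN plus tokencode. The verifier also shows the two checks a practitioner needs: tolerance for small clock drift between token and server, and refusal to accept the same time step twice, which is what makes the passcode genuinely one-time. The 60-second step, the 6-digit length and the demo seed (the RFC 6238 reference seed) are constructed assumptions for this example.

```python
"""Time-based one-time passcodes: a token-side generator and a server-side
verifier.  Added example in RFC 4226/6238 style, not RSA's SecurID algorithm.
All parameters below are assumptions chosen for illustration."""
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the page's token rolls to a new tokencode every 60 seconds
DIGITS = 6          # 6-digit tokencode, as on the page

# Constructed demo seed: the RFC 6238 reference seed, used only so that the
# output can be checked against the RFC's published values.
DEMO_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time code (RFC 4226): HMAC-SHA1 over the 8-byte counter,
    dynamic truncation to a 31-bit integer, then reduced to `digits` decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def tokencode(seed: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """What the hardware token displays: the time source, divided into
    60-second steps, is the counter, so the code changes once per minute."""
    return hotp(seed, unix_time // step)


class TokenVerifier:
    """Server side for one user: holds the user's seed record and PIN, accepts
    PIN + tokencode, tolerates a little clock drift, and never accepts the same
    time step twice (that is what makes the passcode one-time)."""

    def __init__(self, seed: bytes, pin: str, drift_steps: int = 1):
        self.seed = seed
        self.pin = pin
        self.drift_steps = drift_steps
        self.last_counter = -1      # highest time step already consumed

    def verify(self, passcode: str, unix_time: int) -> bool:
        if len(passcode) != len(self.pin) + DIGITS:
            return False
        pin_part, code_part = passcode[:len(self.pin)], passcode[len(self.pin):]
        # Constant-time comparison of the PIN.
        if not hmac.compare_digest(pin_part, self.pin):
            return False
        now = unix_time // STEP_SECONDS
        matched = None
        # Check every step in the drift window, without an early exit.
        for counter in range(now - self.drift_steps, now + self.drift_steps + 1):
            if hmac.compare_digest(hotp(self.seed, counter), code_part):
                matched = counter
        if matched is None or matched <= self.last_counter:
            return False            # wrong code, or a replayed / older one
        self.last_counter = matched
        return True


if __name__ == "__main__":
    t = 119  # constructed timestamp: the second 60-second step since the epoch
    code = tokencode(DEMO_SEED, t)
    server = TokenVerifier(DEMO_SEED, pin="1234")
    print(code, server.verify("1234" + code, t), server.verify("1234" + code, t))
```

Because the counter is the time step, token and server need no network connection and no shared state beyond the seed record; the server's only per-user state is the last step it accepted. A lost or stolen token without its PIN yields nothing usable, and a captured passcode is dead a minute later and is refused immediately on replay.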
A token not in every pocket
The only problem with this BHAG (big hairy audacious goal) was that for most organizations, a token in every pocket wasn’t justifiable. In the simplest sense, security solutions have always involved a trade-off between risk, convenience, and total cost – and for one-time passwords based on hardware tokens, the security benefits of deploying a token in every pocket were generally outweighed by considerations of cost and convenience. At the time, my own analysis showed that RSA SecurID customers actually deployed tokens to about 20% of their user base, which at that time consisted almost entirely of their own employees.
Try as we might – and believe me, we tried in a number of creative and innovative ways – moving the proverbial dial significantly north of that 20% of all users mark was incredibly difficult. Sadly, the other 80% of those end-user pockets remained empty.
The case for stronger authentication
Fast-forward to present day, and the context for this vision has definitely changed. For the modern enterprise, several trends make stronger authentication (by which I mean stronger than passwords) of an expanded user base a growing necessity:
- The rewarded risks of enablement – i.e., the positive business objectives that your organization pursues
- The unrewarded risks of protection – i.e., the negative impact of attacks on security, privacy, and availability that your organization would like to prevent
- The obligation of regulatory compliance – i.e., the steps that organizations are required to take to satisfy the requirements of governments, industries, business partners, and customers
The obstacle is still that economic “ceiling” on deploying stronger user authentication to a broader user base.
The impact of weak authentication
To that end, Aberdeen Group has recently done some quantitative analysis (based on a simple Monte Carlo model) that demonstrates how the traditional economic ceilings for the deployment of stronger user authentication are rapidly changing.
For example, lower-cost solutions for stronger user authentication — such as one-time passwords based on SMS — can provide organizations with an economically justifiable business case for significantly expanding their user base:
- In the private sector (across all industries), based on a compromise of 100,000 to 1,000,000 records, the median annualized business impact of data breaches as a consequence of weak authentication – which is, unfortunately, the status quo – is about $370K, with an 80% confidence interval of between $0 and $1.9M.
- But a straightforward extension to Aberdeen’s analysis shows that an investment in stronger user authentication results in a median reduction in the risk of data breaches of about 90%, as well as cutting the “long tail” of risk by more than 50%.
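The figures above (a median, an 80% confidence interval running from $0 up to a long tail, and a reduction in both) are the kind of output a Monte Carlo model produces. As an added illustration, and not Aberdeen's model or its parameters, the following script builds a minimal version of such a model: each simulated year sees a Poisson-distributed number of credential-related breaches, each breach exposes a uniformly random number of records in the page's 100,000 to 1,000,000 range at a lognormal per-record cost, and stronger authentication is represented by a lower breach rate. Every numeric parameter, including how much stronger authentication reduces breach frequency, is a constructed assumption. It also includes the check a practitioner should always run on a Monte Carlo result: the simulated mean is compared with the closed-form expected loss.

```python
"""Monte Carlo model of annualized data-breach impact, password-only versus
stronger authentication.  Added illustration of the kind of model the text
describes; it is not Aberdeen's model, and every parameter is a constructed
assumption."""
import math
import random
import statistics

# Constructed assumptions (not Aberdeen's figures).
MIN_RECORDS, MAX_RECORDS = 100_000, 1_000_000   # the page's record range
COST_PER_RECORD_MEDIAN = 2.0                     # USD; per-record cost is lognormal around this
COST_PER_RECORD_SIGMA = 0.8                      # spread of the lognormal (natural-log units)
BASELINE_BREACH_RATE = 0.8                       # expected credential-related breaches per year, passwords only
STRONG_AUTH_BREACH_RATE = 0.2                    # same, after deploying stronger authentication
TRIALS = 20_000                                  # simulated years per scenario


def poisson(rng: random.Random, lam: float) -> int:
    """Breaches in one simulated year (Knuth's algorithm; `random` has no Poisson sampler)."""
    threshold, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_losses(rng: random.Random, breach_rate: float, trials: int = TRIALS) -> list:
    """One trial = one year: each breach exposes a random number of records at a lognormal per-record cost."""
    losses = []
    for _ in range(trials):
        total = 0.0
        for _ in range(poisson(rng, breach_rate)):
            records = rng.randint(MIN_RECORDS, MAX_RECORDS)
            cost = rng.lognormvariate(math.log(COST_PER_RECORD_MEDIAN), COST_PER_RECORD_SIGMA)
            total += records * cost
        losses.append(total)
    return losses


def percentile(values: list, q: float) -> float:
    """Nearest-rank percentile of an unsorted list."""
    s = sorted(values)
    return s[int(round(q * (len(s) - 1)))]


def summarize(losses: list) -> dict:
    return {
        "p10": percentile(losses, 0.10),    # lower end of the 80% interval
        "median": percentile(losses, 0.50),
        "p90": percentile(losses, 0.90),    # upper end of the 80% interval: the "long tail"
        "mean": statistics.fmean(losses),
    }


def analytic_mean(breach_rate: float) -> float:
    """Closed-form expected annual loss, used to sanity-check the simulation:
    rate * E[records] * E[cost], where E[lognormal] = exp(mu + sigma^2 / 2)."""
    expected_cost = math.exp(math.log(COST_PER_RECORD_MEDIAN) + COST_PER_RECORD_SIGMA ** 2 / 2)
    return breach_rate * (MIN_RECORDS + MAX_RECORDS) / 2 * expected_cost


def compare(seed: int = 1) -> dict:
    """Run both scenarios from the same seed and report the reductions."""
    baseline = summarize(simulate_annual_losses(random.Random(seed), BASELINE_BREACH_RATE))
    strong = summarize(simulate_annual_losses(random.Random(seed), STRONG_AUTH_BREACH_RATE))
    return {
        "baseline": baseline,
        "stronger_auth": strong,
        "tail_reduction": 1 - strong["p90"] / baseline["p90"],
        "mean_reduction": 1 - strong["mean"] / baseline["mean"],
    }


if __name__ == "__main__":
    result = compare()
    for name in ("baseline", "stronger_auth"):
        s = result[name]
        print(f"{name:14s} 80% interval ${s['p10']:,.0f} .. ${s['p90']:,.0f}, "
              f"median ${s['median']:,.0f}, mean ${s['mean']:,.0f}")
    print(f"long-tail (p90) reduction: {result['tail_reduction']:.0%}, "
          f"mean reduction: {result['mean_reduction']:.0%}")
```

Two things the output makes visible that the headline numbers alone do not: the lower end of the 80% interval is $0 because most simulated years contain no breach at all, and once breaches become rare enough the median annual loss collapses to zero as well, so the upper percentile (the long tail) and the mean are the more informative measures of how much a control is worth. That is why the interval is quoted alongside the median.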
The trade-off is worth it
As it always will, selecting a user authentication solution still involves making trade-offs between several characteristics in three high-level areas: total cost of ownership; fit for users (e.g., convenience); and fit for the organization (e.g., appetite for risk).
But that traditional ceiling of about 20% of users just doesn’t have to apply anymore!
Aberdeen’s Monte Carlo models have been implemented using standard functionality of Microsoft Excel, and include simple drop-down menus to enable personalization by industry, number of employees, and number of records. A snapshot of Aberdeen’s analysis for each of 17 industries is also available from www.aberdeen.com, in a series of industry-specific Knowledge Briefs and SmartBites.
For additional information, read the full report!