
Strong authentication methods and implementation strategies

Last reviewed: August 16, 2011

… wireless computing technology, e.g., remote access to the company or corporate network, creates many benefits for an enterprise, such as increased mobility and flexibility, but anonymity almost always also makes a network vulnerable. An intruder might attack from thousands of miles away and never come into direct contact with the system, its administrators or users (Pfleeger and Pfleeger, 2007, p. 397).

Therefore authentication, i.e., the process of determining that a system user is the person he declares himself to be, is required. It must be handled carefully and correctly in a network because a network involves authentication not just of people but of businesses, servers, and services only loosely associated with a person (Pfleeger & Pfleeger, 2007, p. 398).

Authentication is most commonly done by the use of log-on passwords. Knowledge of the password is assumed to guarantee that the user is the person he purports to be. Nevertheless, passwords are considered the least secure authentication factor because defeating them does not require sophisticated attacks. Their biggest flaw is that the security level depends directly on the complexity of the password. The result is that too many overly complex passwords tend to induce people to resort to various methods of remembering them, such as writing them down, or to simply use passwords that are easy to remember, such as their pet's name or their children's birthday. If remote access is only secured with a weak static password, it becomes easy for intruders to intercept. In many instances, impersonation is an easier way of obtaining information than wiretapping or eavesdropping. In an impersonation, an attacker has the choice between several measures. He can guess the identity and authentication details of the target, or pick them up from a previous communication or from wiretapping. He may circumvent or disable the authentication mechanism at the target computer or use a target that will not be authenticated. Finally, he may decide to use a target whose authentication data are known (Pfleeger & Pfleeger, 2007, p. 415 ff.).

Compromised passwords can have disastrous results including the loss of sensitive employee and customer profiles, social security data and credit information. Imposing a strict password policy is rarely helpful, because it entails the disadvantage that complex passwords and regular password changes tend to be confusing for many employees (see Hunt, 2010, p. 2).

Regulatory guidance and best practices therefore recommend multiple-factor or layered authentication, i.e., "strong authentication," also referred to as "two factor authentication," because a layered approach is regarded as the strongest possible authentication ("5 Essential Steps for Implementing Strong Authentication in the Enterprise," 2011, p. 13).

"Strong authentication," as defined by the National Committee on Security Systems (CNSS) Instruction No. 4009 of 26 April 2010, is the requirement to use multiple factors for authentication and advanced technology, such as dynamic passwords or digital certificates, to verify an entity's identity. A strong authentication system works by requiring two simultaneous but independent authentication methods, commonly referred to as "something you have and something you know" ("5 Essential Steps for Implementing Strong Authentication in the Enterprise," 2011, p. 5). Strong two-factor authentication can be used not only to secure remote access, but also to secure all other corporate applications. One of the biggest advantages of strong authentication devices is that they can take the form of hardware as well as software authenticators (Hunt, 2010, p. 2).

Cite This Paper
PaperDue. (2011). Strong authentication methods and implementation strategies. PaperDue. https://www.paperdue.com/essay/wireless-computing-technology-eg-remote-44012
