This content is part of the Essential Guide: Advances in access governance strategy and technology

How to set up two-factor authentication for enterprise users

The old username/password combination is not the safest form of ID management. See why two-factor authentication belongs in IT's mobile security arsenal and learn how to set it up.

Two heads are better than one, and the same is true when it comes to verifying end-user identity. With enterprise data at stake, mobile threat prevention is crucial, and authentication is a key part of prevention. But nowadays, basic, single-factor authentication -- the trusty, old username/password combination or PIN code -- just isn't going to cut it.

But IT has another weapon in its mobile security arsenal. Find out how to set up two-factor authentication.

What is authentication?

Authentication is the element of any security scheme that implements the proving of identity from one party in a given transaction to the other. In most cases today -- and for most of the history of computing -- this has centered on usernames and passwords; enter both correctly, and you're in, because it's assumed you are who you say you are.

Along with the encryption of sensitive information, and its decryption only for authorized users, authentication is a key component of the backbone of any IT security strategy. The problem with basic authentication, however, is that username/password combination. The username is essentially public information, and passwords can be weak and even stolen, thanks to all-too-common user sloppiness, such as ineffectively storing and handling passwords. If a mobile user's data is compromised, so is their company's overall security.

IT admins must make it clear to suppliers of cloud-based services that they prefer two-factor authentication as a feature.

A valid username/password entry might trigger an SMS message to a designated mobile device, requiring the user to enter the information in the message subsequent to his or her username and password. No device, no login -- the user must simply change the password and proceed as before. That's great for the user who forgets their password but not for IT admins trying to safeguard the enterprise from hackers.

Two-factor authentication methods

Luckily, a more reliable security strategy exists: two-factor authentication, also known as "something you have plus something you know." The "something you know" can remain the username/password pair, but it's the "something you have" that makes the difference. That something can be a security token -- a specialized device that provides additional login information that's valid only for a limited amount of time before it updates -- or the mobile device itself.

Here are five ways IT can prepare to set up two-factor authentication today:

1. Have a flexible policy

IT admins must make it clear to suppliers of cloud-based services that they prefer two-factor authentication as a feature. Since not all selected vendors, including carriers and third-party software vendors, will have this capability, make the policy flexible, but do be insistent that two-factor authentication must arrive within a specified timeframe.

2. Do your homework

Make sure selected identity management tools support two-factor authentication solutions. This goes without saying, but it's easy to overlook. Add two-factor authentication to your requests for proposals for service providers, as well as your required feature checklist.

It's also possible to use soft tokens in the form of a public key infrastructure or shared secret files, so explore the authentication mechanisms of your ID management tool thoroughly and make sure they line up with your specific requirements. Most importantly, never compromise on security.

3. Test, test, test

In many cases, SMS messages sent to a device have replaced hardware tokens, but it's also possible to implement the functionality of the hardware token as an app on a mobile device. Keep in mind, though, that these technologies are quite new; IT should conduct functional verification and detailed alpha (internal) and beta (pilot) testing before considering a volume deployment, just to make sure that setting up two-factor authentication isn't breaking anything else.

4. Make it mutual

Just as a user seeking access should be subject to two-factor authentication methods, the system providing such access should also be required to prove its identity. This is often accomplished by showing the user a picture that said user previously selected during an authenticated session.

5. Keep developers in the loop

If you develop apps internally, make sure your developers take advantage of two-factor authentication methods now appearing in mobile OSes. The involvement of the mobile OS element is ultimately the critical gating item here. It's unlikely that OSes will widely adopt two-factor authentication until it becomes part of essential software.

Implementations of two-factor authentication must be beyond the reach of malware, and that means safely resident in software that is fundamentally and essentially protected. Sure, OSes have been known to have security flaws, and end-to-end verification of security solutions is always required, including management consoles and directory services. But it's clear that OS vendors have gotten the memo, with production OS-based two-factor authentication capabilities in all popular OSes today. It's time for end-user organizations everywhere to demand that the apps and services they use integrate these capabilities.

Absolute security is, and will remain, an abstract, theoretical concept. Thus, staying on top of the latest issues and solutions will remain essential to security -- and overall IT -- success. If IT knows how to set up two-factor authentication on user devices, their company only stands to benefit; after all, it never hurts to load up that mobile security arsenal.

Next Steps

An intro to identity management

How two-factor authentication beats biometrics

Make the most of two-factor authentication systems

Dig Deeper on Enterprise mobile security