Rand: Multifactor authentication adoption so far mostly compulsory

Most organizations that have adopted multifactor authentication have done so because they were forced to do so, says a report from the Rand Corp.

The report, commissioned by the National Institute of Standards and Technology and released publicly April 15, was written while the government prepared for the April 18 release of its National Strategy for Trusted Identities in Cyberspace. NSTIC proposes a voluntary national "identity ecosystem" premised on multifactor authentication. "Multifactor" means that in addition to inputting a password, users logging onto a secure system would have to display a second credential such as a digital certificate. Tokens that generate one-time passwords are the most common current form of multifactor authentication, the report notes.

Voluntary adoption of multifactor authentication so far hasn't been significant. "Our research indicates that the most important factor governing whether an organization does or does not adopt [multifactor authentication] is whether or not they believe they have to," the report states.

Report authors say they don't endorse making multifactor authentication universally mandatory. Just because mandates are effective "does not mean that they should be employed everywhere." 

The report also says that the lack of interoperable multifactor authentication standards has not so far been a barrier to adoption, to the extent multifactor authentication has been adopted. In the course of interviews the report authors conducted for their research, "no one cited the lack of comprehensive standards as a reason not to" set up a multifactor authentication system. Cross-organizational demand for multifactor authentication has yet to materialize, and demand for it in e-commerce transactions is not compelling, the report adds.

If multifactor authentication proliferates, users might tire of having to present different credentials for multiple sites, in which case either a master registry or recognition of credentials from other registries would come into being, the report says. "Standards may help reach that point," it says--but adds that years-long efforts to create an interoperable public key infrastructure registry are far from complete.

In addition, the report notes that while multifactor authentication can mitigate password guessing attacks, users would still be vulnerable to malware and man-in-the-middle attacks--the latter illustrating the difference between authenticating users and authenticating transactions.  
