How Should You Authenticate Your Users?

I don’t think I’ve met a single person who was a fan of RSA Tokens. They’re cumbersome to use, and easily lost. They seem like they need to be reset at least once a week, and inevitably end up taking a massive chunk out of a security budget that honestly can’t handle the expense.

Worst of all, they’re incredibly outdated – everyone these days already carries a smartphone to work. Nobody wants to be saddled with another device. Especially not something so clunky and aggravating.

And yet, for some reason, people still use them. Businesses still insist on deploying these things in the interest of “protecting their data.” It’s absurd – and their security isn’t even as ironclad as it’s supposed to be.

Here’s the thing – the more frustrating your users find your organizational security measures, the likelier they are to try getting around them. In that way, archaic or overly-draconian security measures actually have the opposite of their intended effect. If you aren’t taking steps to simplify your authentication process, your security team is basically losing before they even start.

If you want to keep your corporate data protected and your users satisfied, you need to beef up your authentication. While you still want to go with a multi-factor approach, you also need to make it feel seamless from a user perspective. In broad terms, that means combining several components that cover the main ‘types’ of authentication:

  • Stuff you know. (passwords, PINs, personal information)
  • Stuff you have. (physical tokens, devices)
  • Stuff you are. (fingerprints, voice recognition, etc.)
  • Stuff you do. (typical usage habits, login location, device type, etc.)

Together, they should form part of a seamless process with the following qualities:

  • It’s easy to use. Even if the process is complex and intricate below the surface, it shouldn’t feel that way to the end user. Your employees should never feel as though they’re being made to jump through hoops.
  • It doesn’t require multiple authentications. Single-Sign-On is a must, especially if your business makes heavy use of SaaS apps.
  • It has multiple safeguards against intrusion. A system that authenticates based on an employee’s device could, for example, send a warning to administrators if it’s used to log in somewhere the employee might not ordinarily work.
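As an added illustration (not code from the original post), here is the shape such a risk-based check could take: "stuff you do" signals from the list above are compared with a per-user baseline, and a second factor is only demanded when something looks off, so a routine login stays seamless. The signals, weights and thresholds are assumptions for the example.

```python
from dataclasses import dataclass, field

# Constructed sample data: a per-user baseline of habits learned from past
# successful logins (known devices, usual countries, normal working hours).
@dataclass
class Baseline:
    known_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)
    work_hours: range = range(7, 20)  # local hours when this user normally logs in

@dataclass
class LoginAttempt:
    user: str
    device_id: str
    country: str
    hour: int           # local hour of the attempt, 0-23
    password_ok: bool   # "stuff you know" has already been verified

def risk_score(attempt: LoginAttempt, baseline: Baseline) -> int:
    """Add risk for every signal that deviates from the user's habits (weights assumed)."""
    score = 0
    if attempt.device_id not in baseline.known_devices:
        score += 3   # unknown device: weak "stuff you have" evidence
    if attempt.country not in baseline.usual_countries:
        score += 3   # a location the employee does not ordinarily work from
    if attempt.hour not in baseline.work_hours:
        score += 1   # an odd hour on its own is weak evidence, so it weighs less
    return score

def decide(attempt: LoginAttempt, baseline: Baseline) -> str:
    """Map the score to an action: silent allow, step-up MFA, or block and alert admins."""
    if not attempt.password_ok:
        return "deny"
    score = risk_score(attempt, baseline)
    if score == 0:
        return "allow"            # familiar device, place and time: no extra prompt
    if score < 6:
        return "step_up"          # ask for a second factor (e.g. a phone push)
    return "block_and_alert"      # unknown device AND unusual country: warn administrators

BASELINES = {"alice": Baseline({"laptop-a1"}, {"US"})}  # constructed baseline

if __name__ == "__main__":
    for a in [
        LoginAttempt("alice", "laptop-a1", "US", 10, True),
        LoginAttempt("alice", "phone-9z", "US", 10, True),
        LoginAttempt("alice", "phone-9z", "RO", 3, True),
    ]:
        print(a.device_id, a.country, a.hour, "->", decide(a, BASELINES[a.user]))
```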

Old-school methods of authentication should be left in the past, where they belong. If you want to protect your business’s data in the era of smartphones and user empowerment, you need to rethink how you handle security. Otherwise, you’re just asking to be breached.

Matthew Davis is a technical writer and Linux geek for Future Hosting.
