It doesn't take a second thought to figure out if your employees are more likely to fill their pockets with a mobile phone or a token-based authentication device - or which one they are more likely to misplace.
And with rising interest in two-factor authentication, it shouldn't take a second thought about what device is best as the "something you have" part of the two-factor (or even multi-factor) equation.
In a survey done by PhoneFactor with 300 IT pros, multi-factor authentication was one of the top three security measures cited for securing cloud computing (the other two were encryption and intrusion detection).
In a Webinar today with PhoneFactor (disclosure: they are a Ping technology partner), Sarah Fender, vice president of marketing and product management for the multi-factor authentication provider, laid out some of the other survey findings and showed how PhoneFactor could be a corner piece in the security and authentication puzzle that IT faces with the cloud.
Fender pointed out that many industry regulations - such as the Health Insurance Portability and Accountability ActÂ (HIPPA) and Federal Financial Institutions Examination Council (FFIEC) - mandate the use of strong authentication for access to resources.
But rolling out strong authentication and integrating it with an identity infrastructure is getting more complex as the cloud drives corporate networks (and end-users) to be more distributed and less likely to be tucked conveniently, and securely, behind a firewall.
In the PhoneFactor survey, 42% of respondents said security concerns had held back adoption of cloud services at their companies, and 76% said cloud computing made them "very to extremely concerned" about unauthorized access to company data.
PhoneFactor thinks two-factor authentication can help alleviate those fears. It believes a "factor" that operates on a different channel, i.e. the telephone network, provides more security than traditional networked certificates and one-time passcodes that have proven they can be compromised.
"If you can move to an independent channel to verify log-in it really provides important, additional security," said Fender.Â "The combo of a phone and a user name yields a strong multi-factor authentication with minimal impact on end-user experience.Â Cell phones are extremely difficult to duplicate and phone numbers are extremely difficult to intercept."
PhoneFactor works with a phone call, a text message or an installed mobile application. When a user logs in with their standard user name and password, PhoneFactor makes a call or sends a text. With a call, the user answers and enters a PIN; and with a text they are given a passcode and they reply to the text with that code (or the code and a PIN).Â With the mobile app, a notification is sent and the user enters a PIN and presses an authentication button.
The service works across local network and cloud-based applications and helps IT wrestle with the security concerns of the Bring Your Own Device trend.
The management side of PhoneFactor includes a warning and emergency response system for users if someone tries to log into their account, self-service management, and user provisioning/management controls for IT.
Fender was joined on the Webinar by my colleague David Skyberg, technical product manager for Ping, who showed how PingFederate 6.6 and PhoneFactor integrate based on adaptive federation and authentication chaining capabilities provided by Ping.
In the end, IT has a streamlined way to slip multi-factor authentication into their security quiver while minimizing hardware/software rollouts, end-user training, and network infrastructure overhauls.
Oh yeah, and it eliminates second thoughts.