Assurance

["Jones, Mark B" <>]

I am a two-factor fanatic.  I use the Google OTP.  I have my Comodo cert on a 
USB token and I love it.  I wish I could use it to authenticate to 
everything.  But currently precious little is designed to accommodate 
two-factor authentication of any kind.

The idealist in me is cheering you on (though I think you should be talking 
about two-factor in relation to the development of a Gold profile), but the 
realist in me has to acknowledge that even if the Silver Profile was changed 
to accommodate a two-factor path to qualification (which I don't support) I 
think there are barriers to actually making use of such credentials on any 
meaningful scale.  Cost of tokens, user education, modifying services to 
accept two-factor,... perhaps others.

For us, my observation has been that IT Security, Legal, and Executive 
support are critical.  You have to look at the cost of security breaches due 
to lax Identity Management in terms of loss of money, loss of data, and loss 
of reputation.  You also have to look at your ability to claim due diligence 
with respect to Identity Management.  Whether you qualify for Silver or not 
you will still have services that handle sensitive data on campus that only 
work with passwords.

Ask your skeptics how many front page news stories or lawsuits about security 
breaches and data loss it will take to convince them that more security is a 
good thing.



-----Original Message-----
From: 

 
[mailto:]
 On Behalf Of Tom Scavo
Sent: Thursday, March 15, 2012 4:00 PM
To: 

Subject: Re: [Assurance] silver and two-factor ...



> I still need to make a case for any change that is seen
> as making access more difficult or generating more help desk calls.

I'm in exactly the same boat.

> To be fair to the
> skeptics at my institution, our help desks and other support points
> do routinely receive complaints about password complexity, password
> expiration, and vetting questions for self-service reset of
> forgotten passwords. So a clear and persuasive case has to made for
> changes that improve the level of assurance and protection from
> identity theft that are perceived - rightly or wrongly - as creating
> unnecessary barriers to services.

That's precisely why you want to look at two-factor authentication IMO. In 
the presence of 2FA, you can take a fresh look at those antiquated password 
policies that seemed to make sense in a password-only environment, and trim 
them back so that they produce *fewer* help desk calls.

Of course that assumes you choose an appropriate 2FA technology to begin 
with, since the usability gains with respect to the password factor can 
easily be offset by loss of usability due to the added the second factor. 
It's a balancing act, but it is doable, at least in some environments.

Tom