I gave a talk at LASCON 2014 the other day titled "Multi-Factor Authentication -- Weeding out the Snake Oil". Rather than providing a catalog of selection criteria, this turned into a review of scenarios where throwing additional authentication factors at a problem might or might not make sense. Combined with examples of different solutions currently available, we discussed the types of threats to different environments where different multi-factor solutions might actually be able to help lower your risk.
The resulting message, as is often the case, was this: Even though I keep reminding my less tech-savvy friends that it is really a good idea to enable two-factor authentication for their "free" email accounts no matter what, it's not a one-fits-all solution. You need to understand what risks you are trying to control in order to determine whether multi-factor authentication, or a particular solution, is able to help you with that. Just buying an arbitrary solution that carries the label that's matching the current buzz words does not (typically) solve your issues around user authentication and data security.
The slides are on SlideShare:
The resulting message, as is often the case, was this: Even though I keep reminding my less tech-savvy friends that it is really a good idea to enable two-factor authentication for their "free" email accounts no matter what, it's not a one-fits-all solution. You need to understand what risks you are trying to control in order to determine whether multi-factor authentication, or a particular solution, is able to help you with that. Just buying an arbitrary solution that carries the label that's matching the current buzz words does not (typically) solve your issues around user authentication and data security.
The slides are on SlideShare:
RSS Feed