What: “Strong Authentication in Cyberspace,” a Chertoff Group report that lays out eight principles of authentication for policymakers.
Why: A large number of network intrusions are the result of compromised passwords. Modern, standards-compliant, multifactor authentication is one of the most effective ways organisations can reduce cyber risk.
Findings: Multifactor authentication requires a user to provide at least two types of authentication, such as a password, biometric data, a cellphone or other information. To drive adoption of authentication that is secure, usable and privacy-preserving, governments should follow these principles when crafting legislation or policy:
- Be sure any risk management plans explicitly address authentication.
- Recognise that shared-secret authentication (methods that use SMS or one-time passwords) is less reliable than more modern options.
- Ensure that the authentication solution is easy for users to adopt.
- Consider strong authentication options that use biometrics and cryptographic keys that are stored on local devices and never sent across the network.
- Adopt solutions that cover mobile devices as well as desktops.
- Build privacy into any solution.
- Use biometrics as one way to provide authentication in a multifactor solution.
- Focus on standards and outcomes, rather than a specific technology.
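The difference between the fifth and seventh principles is easiest to see in code. The following Go program is an added illustration, not material from the Chertoff Group report: it implements the shared-secret one-time password of RFC 4226 (HOTP), where the verifier must store the same secret as the user's device, beside a challenge-response factor in which the device holds an Ed25519 private key that never leaves it and the server stores only the public key. The `Authenticator`, `RelyingParty` and `signedMessage` names, the origins and the user name are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// HOTP is the shared-secret one-time password of RFC 4226. The verifier must
// hold the same secret as the user's device, so a breach of the verifier's
// database, or a phished code, exposes the factor.
func HOTP(secret []byte, counter uint64, digits int) uint32 {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	truncated := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return truncated % mod
}

// Authenticator models a device-held credential (hypothetical type): the
// private key is generated on the device and only signatures cross the network.
type Authenticator struct {
	priv ed25519.PrivateKey
}

func NewAuthenticator() (*Authenticator, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: priv}, pub, nil
}

// Respond signs the server's fresh challenge bound to the origin the device
// believes it is talking to, so a signature made for another site fails here.
func (a *Authenticator) Respond(origin string, challenge []byte) []byte {
	return ed25519.Sign(a.priv, signedMessage(origin, challenge))
}

// signedMessage length-prefixes the origin so (origin, challenge) pairs cannot collide.
func signedMessage(origin string, challenge []byte) []byte {
	var buf bytes.Buffer
	binary.Write(&buf, binary.BigEndian, uint16(len(origin)))
	buf.WriteString(origin)
	buf.Write(challenge)
	return buf.Bytes()
}

// RelyingParty is the server side (hypothetical type): it stores public keys and
// outstanding challenges only, so nothing it stores lets an attacker impersonate a user.
type RelyingParty struct {
	Origin     string
	pubKeys    map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{Origin: origin, pubKeys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

func (rp *RelyingParty) Register(user string, pub ed25519.PublicKey) { rp.pubKeys[user] = pub }

// Challenge issues a fresh random nonce; each one is single-use.
func (rp *RelyingParty) Challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.challenges[user] = c
	return c, nil
}

// Verify accepts a signature only over the currently outstanding challenge and
// then discards it, so a captured response cannot be replayed.
func (rp *RelyingParty) Verify(user string, sig []byte) bool {
	pub, ok := rp.pubKeys[user]
	c, pending := rp.challenges[user]
	if !ok || !pending {
		return false
	}
	delete(rp.challenges, user)
	return ed25519.Verify(pub, signedMessage(rp.Origin, c), sig)
}

func main() {
	// Constructed values: the RFC 4226 test secret and example origins.
	fmt.Printf("HOTP for counter 0: %06d\n", HOTP([]byte("12345678901234567890"), 0, 6))
	auth, pub, err := NewAuthenticator()
	if err != nil {
		panic(err)
	}
	rp := NewRelyingParty("https://bank.example")
	rp.Register("alice", pub)
	c, _ := rp.Challenge("alice")
	fmt.Println("genuine origin verifies:", rp.Verify("alice", auth.Respond("https://bank.example", c)))
	c, _ = rp.Challenge("alice")
	fmt.Println("other origin verifies:", rp.Verify("alice", auth.Respond("https://other.example", c)))
}
```

The HOTP verifier needs the secret itself, which is why a leak on either side, or a code typed into the wrong site, compromises the factor; the public-key verifier can be fully breached and still yields nothing that signs a challenge, and binding the origin into the signed message is what makes the credential resistant to look-alike sites.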