Authentication of users is one of our core security awareness modules, updated and re-released annually. Last year, the module focused on identity theft. This time around, we concentrate on multifactor authentication using security tokens and biometrics. We still provide basic advice on choosing good passwords and keeping them secret, naturally, but we think it's time for management and IT, in particular, to look seriously at upgrading the old username/password systems.
Failure to authenticate and thus distinguish genuine from bogus users can potentially cause devastating impacts on business critical systems, especially for privileged users and those with access to key transactions. On most systems today, the only real barrier to hackers, industrial spies, malicious insiders and fraudsters with access to the login prompt is the time and effort it takes them to guess the correct combinations of username and password: with automated password crackers, that control is barely even a speedbump on the information superhighway.
Cryptographic smart cards, digital certificates, syncrhonized pseudo-random password generators, fingerprint readers, iris scanners and so forth are certainly not perfect at authenticating users but, like the only house on the street with a burglar alarm, there's a reasonable hope that most hackers will move along to easier targets. If your organization isn't already using multifactor authentication, you're putting yourself in the firing line.