CRYPTOCard Inc. released a new two-factor authentication (2FA) system called BlackShield ID, which promises to reduce administration and management resource costs by 90 per cent.
Companies with significant 2FA systems know the price they pay for tokens and think that’s the big cost – but it’s not, said Neil Hollister, president and CEO of CRYPTOCard.
According to Hollister, the cost is managing those systems and BlackShield ID is designed to take those costs out.
A lot of organizations use passwords as a free authentication platform because initially it costs nothing to implement passwords, but there’s a definitive and significant cost associated with password resets, explained James Quin, senior research analyst at Info-Tech Research Group.
“Industry metrics show that each password reset costs approximately $25 in terms of lost productivity time on the part of the employee that needs the password reset as well as administrative time to actually perform the reset itself,” said Quin.
This might not sound like a huge problem, but take into account that 40 per cent of all calls that go to help desks are password-related and each user will make on average 1.75 calls per month, he said.
“If I’m an organization that has 1000 users, I’m looking at $20,000 a month or almost a quarter million dollars a year associated with my ‘free’ password authentication solution just because of the help desk costs associated with it,” said Quin.
According to Hollister, BlackShield ID reduces administration and management costs in three ways: automating tasks, management by exception and real-time system views.
“Get rid of the idea that you have to manually monitor the system,” said Hollister. BlackShield ID takes about 12 manual steps – including token distribution, activation and the token recall process – and reduces them to one. “We’ve just automated the whole process end-to-end,” he said.
Management by exception means you never have to look at another report, Hollister continued. “Set your policy, tell us what you want to know about and then go away and get on with the rest of your job,” he said. “We’ll tell you if someone breaks in.”
“If you do need to see what’s going on, all the information is right at your fingertips, rather than this idea of going in and looking at system logs,” said Hollister.
With real time system views, help desk operatives simply type a user name in the browser-based interface to immediately view the last hundred things that user has done, he explained. A help desk ticket that may take three minutes to resolve can be solved in 20 seconds by real time system view, he said.
“A streamlined authentication system can absolutely save organizations money…but it’s one of those spend-to-save circumstances,” said Quin. This includes the cost of the tools as well as the cost of integration.
“Organizations, particularly in an economic downturn like we’re facing now, are very reticent to spend to save,” he said. “But organizations that do have the flexibility to pursue something like this are definitely going to see benefits both in terms of enhanced security as well as reduced cost.”
BlackShield ID also aims to improve auditing and reporting.
Most authentication systems record all authentication activity, said Hollister, but BlackShield ID records all operator activity too. This helps detect fraud, for example, from an insider operator that creates a user and token for an outside accomplice.
“The accomplice outside uses that false user and false token, goes into the system, does whatever they want to do and then the operator will delete the user and the token. If all you’ve done is record authentications, there’s nothing in your audit trail that indicates there’s a problem,” Hollister explained.
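The create-use-delete pattern Hollister describes is visible only when operator actions are correlated with authentications. The following is an added example, not CRYPTOCard code: the log fields, operator and user names, and the two-day window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, operator, action, user)
OPERATOR_LOG = [
    ("2009-03-02T09:00", "op_alice", "create_user", "jsmith"),
    ("2009-03-05T22:10", "op_bob", "create_user", "tmp_vendor"),
    ("2009-03-05T22:11", "op_bob", "assign_token", "tmp_vendor"),
    ("2009-03-06T01:30", "op_bob", "delete_user", "tmp_vendor"),
    ("2009-03-07T10:00", "op_alice", "create_user", "test01"),
    ("2009-03-07T10:05", "op_alice", "delete_user", "test01"),
]
# Constructed sample records: (timestamp, user, result)
AUTH_LOG = [
    ("2009-03-02T09:30", "jsmith", "success"),
    ("2009-03-05T22:40", "tmp_vendor", "success"),
    ("2009-03-05T23:15", "tmp_vendor", "success"),
]

def _ts(text):
    return datetime.fromisoformat(text)

def short_lived_accounts(op_log, auth_log, max_lifetime=timedelta(days=2)):
    """Flag accounts created, used and deleted again within max_lifetime."""
    created, findings = {}, []
    for ts, operator, action, user in sorted(op_log):
        if action == "create_user":
            created[user] = (_ts(ts), operator)
        elif action == "delete_user" and user in created:
            start, creator = created.pop(user)
            end = _ts(ts)
            if end - start > max_lifetime:
                continue  # long-lived account, ordinary deprovisioning
            # Successful logins that fall inside the account's lifetime
            logins = [a for a in auth_log if a[1] == user
                      and a[2] == "success" and start <= _ts(a[0]) <= end]
            if logins:
                findings.append({
                    "user": user,
                    "created_by": creator,
                    "deleted_by": operator,
                    "same_operator": creator == operator,
                    "logins": len(logins),
                })
    return findings

if __name__ == "__main__":
    for finding in short_lived_accounts(OPERATOR_LOG, AUTH_LOG):
        print(finding)
```

On the authentication log alone, the two `tmp_vendor` logins look the same as the `jsmith` login; the finding depends on the operator records.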
The system can also limit operator activity through granular permissions. “In most systems, if you’re an operator, you can do anything you like. What we do is create roles,” he said.
CRYPTOCard also put a lot of thought into customary reports, said Hollister. “If your auditor arrives and you’re trying to prove you comply with this regulation or that regulation, you just hit the button and there it goes.”
BlackShield ID supports the SMS token (for one-time passwords on mobile phones) and the CD-1 token.
A system based on some form of token, where only one unit exists to allow the authentication process to continue, is going to supply a great deal more security than a secret-based system, said Quin.
The flip side is whether or not the system presents such a complicated process that it becomes too cumbersome from the user perspective, Quin pointed out. “If we make it so complex for users to actually access the systems and information assets that they need to do their jobs, we’re just impeding business,” he said. “Security is there to support the business, not the other way around.”
A good authentication system, according to Quin, provides secure methods of access in a seemingly simplistic way.
“Authentication is one of those complex tasks in IT and IT security that no one really treats as a complex task. It really gets pretty short shrift in the grand scheme of things and at the end of the day, it’s probably the most fundamentally important security process that organizations can put in place,” said Quin.
BlackShield ID typically serves any business with a significant number of remote workers and any Web site with confidential information, said Hollister. The four largest groups include banking, government, healthcare and retail.