Wednesday, December 23, 2009

The Right Authentication for the Right Risk

Last week I blogged about Gartner’s story on beating strong authentication. Today, I wanted to point out another Gartner article which I thought was useful and reinforced what I said about choosing the right level of authentication (strong or otherwise) depending on the risk of the transaction. Gartner’s "Good Authentication Choices for Workforce Remote Access" by Ant Allan and John Girard was published on December 21, 2009. You have to be a Gartner client to access the report; if you are, you can look the article up by its ID number: G00173177.
...we recommended that, for each use case, an enterprise must consider at least the required minimum authentication strength (commensurate with the level of risk), ease of use and the maximum justifiable total cost of ownership (TCO).
I agree that authentication strength should be matched against risk, but that's not the only factor that should be considered. We are talking to more and more customers who are willing to enhance their authentication strength because costs for some two-factor solutions are declining. The typical conclusion I see a customer reaching is that, for less than what they paid to protect higher-risk transactions, they can now protect all access to their network. So rather than simply replacing the protection on higher-risk transactions with a cheaper but equally effective solution, companies are considering increasing the footprint of their strong authentication deployment to cover more users, even if those users are doing less risky things. For the same or even less money, they are increasing their overall security posture.
So while I agree with Gartner that risk plays into the authentication mechanism a company might use, I would also recommend that a company look at overall cost. Why protect only high-risk transactions if you can extend strong authentication to all users in your company?