The Shortcomings of Two-Factor

As more and more organizations add two-factor authentication to their web applications, the reactions are in. Alongside appreciation for the stronger authentication mechanisms come various criticisms of the approach, ranging from resistance because it holds up workflow to reminders that even the most hardened lock can still be picked. While the two-factor trend continues to expand, staggering numbers of organizations continue to ignore the solution, as we have repeatedly reported on this blog, and these accounts may shed some light on the reasons for their resistance.

MedAllie’s A. John Blair MD is one such critic: at the Health IT Policy Committee in January he expressed reluctance about implementing two-factor authentication for EHR (Electronic Health Records) security. Citing productivity concerns, Blair sees the additional authentication factors as a workflow obstacle and argues that clinical workflow should be the topmost priority when evaluating a system’s security:

“If the provider honestly believes these enhancements will improve care and efficiency–and particularly if they are indirectly tied to increased reimbursements for improved health care value–interoperability will advance rapidly. If the providers do not believe this, nothing else we do here will make much of a difference in the long run.”

Blair’s point is certainly a valid one, though prioritizing access to sensitive patient data over ensuring its security is a genuine conflict of interests, and one whose right or wrong answer depends entirely on the situation. In this case, as in many, the need for security might not become apparent until the data has been compromised.

In another article, Mark Risher, CEO and co-founder of Impermium, a vendor of digital fingerprinting software, lays out his reasons why two-factor authentication is not the be-all and end-all of data security that it is being made out to be. He feels that “service providers need to take on more of the responsibility for securing a consumer’s information online, utilizing similar proactive monitoring and not expecting [two-factor] perimeter defenses to suffice”. While multi-factor approaches certainly enhance security, he argues, more still must be done to guard against attacks.

Risher’s suggestion is a sort of ‘virtual police’, in the form of learning algorithms that, much like actual policemen, can track and intelligently identify suspicious behavior.  His description largely resembles contextual authentication, which may prove to be the heightened level of security over two-factor that some are looking for.

Read More – Physician sees two-factor authentication as efficiency barrier

Read More – Why two-factor authentication isn’t a cure-all

CISOs Recognize Security Awareness Need

As we have known for many years, a one-size-fits-all approach to security isn’t effective. This also applies to security awareness training for your users. Users are often seen as the weakest link in a corporation when it comes to security because they do not follow best practices, lose their machines, write down passwords, access files they shouldn’t, and more. At a recent round-table discussion, CISOs from various industries spoke about the issues they face and the methods they use when educating staff members about IT security.

One of the interesting points that stood out is the importance of going to other departments within your organization for help in educating users. Legal departments are used for compliance, but it is the marketing and development departments that can build the tools that help users understand how to maintain security and why it matters. The idea is to work with people who don’t necessarily understand security but do understand how to educate people. You write the curriculum and they teach it.

All too often the IT security staff seem unapproachable to users, and this creates a barrier to users listening to and understanding the lessons being taught. The recommendation remains that if you involve other departments and a variety of roles, users will find someone they do feel comfortable approaching. Your users are the ones with access to corporate data, and they need to be made aware that this is a big responsibility that rests with them.

Although there are third-party providers of security awareness training, many CISOs are hesitant to bring them in to help with educating users. The fear is that they will receive not personalized training but general training that is not specific to their corporation. To choose the best security awareness agency to help with your user training, look for one that delivers a custom training method based on your needs, not a one-size-fits-all approach.


The PortalGuard software is an authentication platform which is focused on enhancing usability, while maintaining a balance between security, auditing, and compliance for your web and desktop authentication requirements. PortalGuard provides capabilities including multi-factor authentication, transparent user authentication, self-service password management, two-factor authentication, password synchronization and single sign-on which can be seamlessly configured by user, group, or application.


Homegrown Solutions – Yikes!

With ever-increasing demands for specific security and authentication functionality, the issue many organizations face is finding a solution that exactly fits their requirements.

Because of this, many corporations, especially at the enterprise level, are footing the bill to develop these solutions in-house. Although this can provide the exact fit you are looking for, a homegrown solution is not something that PistolStar recommends. By implementing a homegrown solution it is easy to run into the following issues:

  • Higher upfront costs in development and testing time/resources
  • More lead-time required – deployment schedule must be pushed out
  • Run into all the pitfalls and bugs yourself – impacts user adoption and satisfaction
  • Workforce/expertise attrition – what if your developers leave?
  • Ongoing maintenance demands and costs

With such complications present, homegrown solutions really open the floodgates to security holes and unknown issues. By stepping out of your area of expertise and running across the bugs yourself, you risk opening up a much larger and more dangerous “can of worms”.

Your end-users are also a concern when choosing whether to buy or build. By making your employees the “test bunnies” you are in danger of greatly reducing usability, productivity and employee adoption rates. Also, your end-users are not always the best measure of success. With a homegrown solution, it is when something is wrong that you are most likely to hear a large uproar from your users, but this gives you no direct insight into the functionality or parts of the solution that they really like.

Overall, if you are weighing your options between building and buying, we strongly recommend staying away from homegrown solutions. In their place, it is important to find a third-party solution that provides the flexibility of a custom solution at an affordable price. By leveraging APIs, such as the PortalGuard API, you can use existing functionality while avoiding the complications of starting from scratch.

So whether you decide to use a fully homegrown solution, leverage an API or purchase a solution, it is important to consider your users’ and organization’s requirements. Possibly a combination of all three methods could be the best way to go.

We encourage questions on homegrown solutions so please feel free to email us at

The Client-Side Versus Server-Side Debate

Some security solutions are installed and managed client-side, right on the users’ desktops, while others reside on the server. Depending on the size of your company, the resources available for managing product deployments and the needs of your user base, it may be imperative for your team to go with one type of install over the other. Here are the considerations:

Client-side deployments:

  • The application needs to be installed on each user’s workstation
  • Better for smaller organizations
  • Integrates with existing password change procedures (no training user to “go to this Website, click this link…”)
  • Allows for richer functionality (a server-side product is not notified of events on user machines, such as logins, logouts, password changes, and screen saver unlocks, and thus cannot influence them)
  • Does not require network connectivity, e.g., allows for offline recovery of password

Server-side deployments:

  • There is a one-time, single install
  • No end-user involvement
  • Best option for larger organizations
  • Best option for organizations with remote users
  • Program updates only need to be performed on the server(s)
  • Program updates do not need to be tested on numerous client configurations (combinations of hardware and software can get very large)
  • If admin credentials are required for the software (e.g., to unlock accounts), they are located on the server(s) and can thus be better protected

What type of deployment would work best for you and your organization? Feel free to respond to this post and tell us your thoughts.