11.6 Multifactor Authentication

Multifactor authentication solutions use more than one credential criteria to authenticate a user . The three different types of authentication criteria that can be combined to create a multifactor solution are

Something you know (usernames/passwords)
Something you have (token, SecureID, SmartCard)
Something you are ( fingerprints , eye/hand scan, implants, keystroke dynamics)

The cost of unnecessary overhead and complexity compared to the risk involved normally limit an enterprise to the use of two-factor rather than three-factor authentication. Enterprise two-factor authentication solutions offer capabilities for centralized and remote management of devices and should be considered ; however, successful integration with the existing network security infrastructure should be a primary design consideration. Implementing technology such as SmartCards that use digital certificates and thumbprint scanners on the wireless laptop computer is probably going overboard because doing so would entail significant work effort and cost; the risk/reward ratio would have to be extremely high to justify installing so many security features. When appropriate, many types of possession credentials (e.g., tokens, SmartCards, and biometric credentials) can be taken into consideration when planning a WLAN security solution. For example, possession credentials include SmartCards, smart tokens, digital certificates, and similar tangible technologies. If you decide to use biometrics, many different types of scanning processes can be deployed, such as hand scans, eye scans ( retina or iris), fingerprints, facial recognition, and voice prints. Selection of the proper biometric solution will require commitments for extra cost and deployment time (scanning every employee's hand, for instance, is not a simple project).

Single Sign-On (SSO) is also an authentication method to consider. In today's enterprise, workers have to remember many different passwords to access all of their Web-based, client/server, desktop, and legacy applications. It significantly eases administrative overhead when the user needs to perform only a single strong authentication. Once the user authenticates and the target application is launched, the authentication solution should automatically enter the necessary credentials into the authentication dialog box just as if the user were submitting the information. The user should be able to swiftly access other protected applications or Web sites. If designed and deployed correctly, an SSO solution will save users time and enhance their productivity. As with other network architectural decisions, the corporate WLAN(s) must be considered when designing and deploying an SSO solution.