
Passwords are presently the primary method by which users authenticate themselves to computer systems. But passwords are proving less and less capable of protecting systems from abuse. Multifactor authentication (MFA) — which combines something you know (e.g., a PIN), something you have (e.g., a token), and/or something you are (e.g., a fingerprint) — is increasingly being required. This report investigates why organizations choose to adopt or not adopt MFA — and where they choose to use it. The authors reviewed the academic literature and articles in the trade press and conducted structured conversations with selected organizations that use or have contemplated using MFA. They found that the type of organization — for example, defense contractor, bank, hospital — affected its MFA choices. MFA is mandated for U.S. government agencies, which tend to use PINs and tokens for remote access. Among private users of MFA, tokens that generate one-time passwords, rather than biometrics, predominate. The researchers recommend that the U.S. government develop methodologies by which the costs and benefits of mandating MFA can be evaluated. Guidance by the National Institute of Standards and Technology to government agencies may be useful in helping them sort out the various arguments for and against mandating MFA in a given sector.

Table of Contents

  • Chapter One: Introduction
  • Chapter Two: Lessons from the Literature
  • Chapter Three: Insights from Interviews
  • Chapter Four: Policy Considerations
  • Appendix: Literature Review for Authentication Technologies

This report was sponsored by the National Institute of Standards and Technology and was conducted under the auspices of the RAND Homeland Security and Defense Center, a joint center of the RAND National Security Research Division and RAND Infrastructure, Safety, and Environment.

This report is part of the RAND Corporation technical report series. RAND technical reports may include research findings on a specific topic that is limited in scope or intended for a narrow audience; present discussions of the methodology employed in research; provide literature reviews, survey instruments, modeling exercises, guidelines for practitioners and research professionals, and supporting documentation; or deliver preliminary findings. All RAND reports undergo rigorous peer review to ensure that they meet high standards for research quality and objectivity.

Permission is given to duplicate this electronic document for personal use only, as long as it is unaltered and complete. Copies may not be duplicated for commercial purposes. Unauthorized posting of RAND PDFs to a non-RAND Web site is prohibited. RAND PDFs are protected under copyright law. For information on reprint and linking permissions, please visit the RAND Permissions page.

The RAND Corporation is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.