Download eBook for Free

Full Document

FormatFile SizeNotes
PDF file 0.4 MB

Use Adobe Acrobat Reader version 10 or higher for the best experience.

Summary Only

FormatFile SizeNotes
PDF file 0.1 MB

Use Adobe Acrobat Reader version 10 or higher for the best experience.


Purchase Print Copy

 Format Price
Add to Cart Paperback62 pages $24.50

Passwords are presently the primary method by which users authenticate themselves to computer systems. But passwords are proving less and less capable of protecting systems from abuse. Multifactor authentication (MFA) — which combines something you know (e.g., a PIN), something you have (e.g., a token), and/or something you are (e.g., a fingerprint) — is increasingly being required. This report investigates why organizations choose to adopt or not adopt MFA — and where they choose to use it. The authors reviewed the academic literature and articles in the trade press and conducted structured conversations with selected organizations that use or have contemplated using MFA. They found that the type of organization — for example, defense contractor, bank, hospital — affected its MFA choices. MFA is mandated for U.S. government agencies, which tend to use PINs and tokens for remote access. Among private users of MFA, tokens that generate one-time passwords, rather than biometrics, predominate. The researchers recommend that the U.S. government develop methodologies by which the costs and benefits of mandating MFA can be evaluated. Guidance by the National Institute of Standards to government agencies may be useful in helping them sort out the various arguments for and against mandating MFA in a given sector.

This report was sponsored by the National Institute of Standards and Technology and was conducted under the auspices of the RAND Homeland Security and Defense Center, a joint center of the RAND National Security Research Division and RAND Infrastructure, Safety, and Environment.

This report is part of the RAND technical report series. RAND technical reports may include research findings on a specific topic that is limited in scope or intended for a narrow audience; present discussions of the methodology employed in research; provide literature reviews, survey instruments, modeling exercises, guidelines for practitioners and research professionals, and supporting documentation; or deliver preliminary findings. All RAND reports undergo rigorous peer review to ensure that they meet high standards for research quality and objectivity.

This document and trademark(s) contained herein are protected by law. This representation of RAND intellectual property is provided for noncommercial use only. Unauthorized posting of this publication online is prohibited; linking directly to this product page is encouraged. Permission is required from RAND to reproduce, or reuse in another form, any of its research documents for commercial purposes. For information on reprint and reuse permissions, please visit

RAND is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.