The expert view: Davey Winder
Don’t think that a password is enough; it isn’t. It’s far better to add a secondary layer of authentication. While biometric identifiers would be a great choice in an ideal world, I know of very few organisations that inhabit this mythical place. Once you move beyond a handful of employees to equip, enrol and administer, it just becomes far more trouble (expensive trouble at that) than it’s worth.
Think of tokenisation as the way forward, offering similar security benefits for most businesses but with far less faffing around and at far lower cost. That is, I would suggest, if you avoid hardware tokens. In my experience these are just as problematic in the cost and deployment department as a biometric factor. The use of "soft" tokens, authenticator apps that generate a cryptographically secure, time-limited one-time passcode (TOTP) in software, is a much easier, cheaper option for most SMBs. This assumes, and I think we safely can, that all employees will have a smartphone.
A TOTP is derived from a hash-based message authentication code (HMAC): it combines a shared secret key with the current time (by way of a cryptographic hash function) to generate a one-time password that expires on a countdown timer. When the clock runs out, typically every 30 seconds, a new unique code is generated. So in your typical small business setup, enrolment involves the user’s device and the server sharing a secret key, and that key is then used for every authentication session thereafter.
To log in, the user enters the normal username/password combination, then the one-time password the app generates for that authentication session. Both the server and the app client compute the code independently, and if the submitted code matches (before it expires) authentication is confirmed.
Such codes are much harder to hack, provided login attempts are limited to prevent brute forcing, and defeating them would require sophisticated real-time man-in-the-middle credential proxying to pull off. They are far from perfect, but as there is no such thing as 100% secure, the addition of this relatively simple and cheap additional identity verification layer is about as close as you’re going to get without flashing some serious cash.