Passwords are presently the primary method by which users authenticate themselves to computer systems. But passwords are proving less and less capable of protecting systems from abuse. Multifactor authentication (MFA)-which combines something you know (e.g., a PIN), something you have (e.g., a token), and/or something you are (e.g., a fingerprint)-is increasingly being required. This report investigates why organizations choose to adopt or not adopt MFA-and where they choose to use it. The authors reviewed the academic literature and articles in the trade press and conducted structured conversations with selected organizations that use or have contemplated using MFA. They found that the type of organization-for example, defense contractor, bank, hospital-affected its MFA choices. MFA is mandated for U.S. government agencies, which tend to use PINs and tokens for remote access. Among private users of MFA, tokens that generate one-time passwords, rather than biometrics, predominate. The researchers recommend that the U.S. government develop methodologies by which the costs and benefits of mandating MFA can be evaluated. Guidance by the National Institute of Standards to government agencies may be useful in helping them sort out the various arguments for and against mandating MFA in a given sector.

"Sponsored by the National Institute of Standards and Technology"--T.p.

Introduction -- Lessons from the Literature -- Insights from Interviews -- Policy Considerations -- Appendix: Literature Review for Authentication Technologies.