Evaluating Two-Factor Authentication
One place to start when evaluating two-factor authentication systems is with FIPS 140-2, the federal government's standard for cryptographic modules protecting sensitive but unclassified material. This standard is the basis of ANSI X9.66, a similar standard proposed for financial institutions. The standard covers a broad range of needs with four levels of security and four classes of authentication.
"When you're evaluating a hardware security module," suggests Scott, "choose one that meets FIPS 140 and you've effectively selected a good authentication product."
Of course, FIPS 140-2 or ANSI X9.66 are only the starting points for evaluation. Other considerations include the level of security needed, the cost, and the ease of managing the authentication method. You also need to consider conventional IT issues, such as ease of integration and interoperability.