When Is Strong Authentication Required?
The most critical factor to consider in deciding whether strong authentication is required is the cost (calculated in dollars, potential public embarrassment, or other suitable measures) associated with unauthorized access to the data or resource in question. It might not pay to have a strong user authentication tool to control access to low-risk data, but high-risk data will likely warrant the user accountability that strong authentication provides.
Another factor to consider is corporate liability. Downstream liability is a new concept with major implications. The most common example is that of a computer connected to the Internet, accessed without the owner's permission and used as a jumping-off point for an attack that subsequently causes large losses for a third party. Current law holds that the third party can sue not only the perpetrator of the act, but also any other parties involved in it, including the company that owned the network used as the jumping-off point. The average hacker might not have "deep pockets," but the intermediary company might, and it could be found negligent for failing to control its systems. In this example, strong user authentication can demonstrate that the company has not been completely negligent in implementing preventive controls.
Although multifactor authentication provides an increased level of security, users like the convenience of reusable passwords and hate the inconvenience of carrying an object around just to log in to a computer system. Even if you overcome the resistance of users, the added expense of cards/tokens and readers, plus the trouble of distributing and replacing them, makes it difficult to justify a token-based solution unless the risk warrants it.
I am a proponent of strong authentication, especially the use of digital certificates, but only when required and economically feasible. Most companies today can survive just fine using password authentication as long as users select strong passwords, passwords never travel the network unencrypted, and passwords are never stored anywhere in plain text.
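The three conditions above (strong passwords, never in plain text at rest) are easy to state and easy to get wrong in code. The following is an added example, not code from the original text: it shows the weak pattern (a credential store holding plaintext) next to a hardened one that keeps only a salted, iterated PBKDF2-HMAC-SHA256 digest and verifies with a constant-time comparison, plus a minimal strength check. The record format, iteration count, minimum length and the small denylist of common passwords are assumptions chosen for the example, not values the text prescribes.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumptions for this example (not from the original text): a work factor for
# PBKDF2-HMAC-SHA256, a 16-byte random salt, and a self-describing record layout
# so the parameters can be raised later without breaking stored records.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
MIN_PASSWORD_LENGTH = 12

# Constructed denylist of passwords that are long enough but still weak.
COMMON_PASSWORDS = {
    "password1234", "123456789012", "qwertyuiop12", "letmeinletmein",
}

# --- Weak pattern: what "stored in plain text" looks like in practice. ---
# Anyone who reads this dictionary (backup, log, database dump) has every
# password, and a compromise here is also a compromise of every site where
# the user reused the same password.
plaintext_store = {"alice": "correct horse battery staple"}  # constructed, do NOT do this


# --- Hardened pattern: store only a salted, iterated digest. ---
def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt_hex>$<digest_hex>'.

    A fresh random salt per user means two users with the same password get
    different records, and an attacker cannot precompute a single rainbow table.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt/iterations and compare in constant time.

    Malformed or foreign records fail closed (return False) rather than raising,
    so a corrupted row cannot turn into an authentication bypass or a crash.
    """
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
    except ValueError:
        return False
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate.hex(), digest_hex)


def is_strong_password(password: str) -> bool:
    """Minimal policy: a length floor plus a denylist of known-weak choices."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    return password.lower() not in COMMON_PASSWORDS


if __name__ == "__main__":
    pw = "correct horse battery staple"
    assert is_strong_password(pw)
    record = hash_password(pw)
    # The stored record reveals the salt and parameters, but not the password.
    print(record)
    print("login ok:", verify_password(pw, record))
    print("wrong password:", verify_password("hunter2", record))
```

Raising `PBKDF2_ITERATIONS` later only requires re-hashing each user's password at their next successful login, because the iteration count travels with the record.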