Deploying Better Authentication

You're the CSO at a medium-sized company. You've realized that the authentication mechanisms for your employees—passwords that must be "strong" and changed frequently— are inadequate. That is, you've realized the issues with bad passwords, password storage, etc., before anyone has exploited the weak authentication and created mischief. Your job is to write a memo to top management explaining the problem, the risks, and your proposed solution.

However...

The rest of top management—the CEO, the CFO, and the Board of Directors—is composed of very busy, semi-technical people. Therefore, your note may be at most two pages long (1" margins, no font smaller than 12-point). The note must explain:

• The problem
• The risks to the company if no fix is installed
• Your proposed fix
• The new hardware and/or software systems necessary. (In the real world, you'd have to give the costs and estimated time to complete the job. I'm not asking for that.)
• The risks to the company from deploying your solution
• Other alternatives and why you rejected them

Some points to remember:

• You're not Google, with more or less infinite resources, but you're also not a small business with no in-house IT staff
• You're dealing with employees, not the general public
• If the threat model—who might want to attack you—matters for your solution, make sure you say so.
• The company has more than one location, and some employees are full-time telecommuters

Again: two pages max, written for a semi-technical audience. You may, if you wish, submit up to one additional page justifying some decisions, e.g., for recovery against a lost credential.

This homework must be submitted via Courseworks as a PDF file.