Passwords are getting a bit embarrassing. Companies are increasingly
reluctant to admit that they only use weak password protection to prevent access
to their corporate networks and resources. In fact, recent research commissioned
by RSA, The Security Division of EMC, suggests that most corporates are starting
to do the right thing. Up to 80 per cent of all new large-scale VPN
installations are using two-factor protection including tokens, one-time
passcodes and USB devices.
The research is based on interviews with 20 leading Secure Sockets Layer (SSL)
and IPsec VPN vendors including Juniper, Check Point, Cisco, SonicWall and their
distributors. This definite shift is being driven largely by increasing demand
for anytime, anywhere access and the growth in wireless networks.
Yet when it comes to SMEs who face exactly the same threats to their
businesses with weak passwords, the message appears not to be getting through.
As with most technology barriers, this probably comes down to cost, complexity and
the ongoing hassle of supporting a 24x7 remote user community.
Some of this blame may lie with the reseller who, having made the sale of a
nice VPN solution, doesn’t want to rock the boat by suggesting that it is not
complete without two-factor authentication. The customer may also worry that
it’s going to add more to the price and might be difficult to deploy and manage.
With a token-based solution such as RSA SecurID, this means everything from
despatching devices and rights administration to handling lost tokens or
forgotten passwords.
Some customers might prefer a tokenless solution that provides a one-time
password (OTP) on request to their mobile phone or PDA by SMS or email. This is
ideal for occasional users, contractors and part-time staff and for checking web
email from home, providing Extranet access to clients and partners, and
sensitive on-line services such as banking, betting or retailing.
Whatever the preferred choice, two-factor authentication is now essential
for all remote access projects. While it does add some complexity and management
demands, one quick, simple and affordable alternative is to go for a
fully managed, two-factor authentication service. This removes the hassle
factors as well as the upfront capital cost.
In fact, this reflects an emerging trend by resellers toward using specialist
MSSPs – Managed Security Service Providers – to deliver the complex bits of the
security jigsaw that require specialist knowledge, infrastructure and support.
As a bonus these services generate healthy recurring revenues for resellers and
build closer relationships with their customers.
Managed authentication services make it easy and profitable for resellers to
help their customers to eliminate weak passwords. They need to explain that
relying on basic passwords to secure an SSL VPN system is like putting cheap
tyres on a Ferrari – it might save you money and hassle in the short term, but
you’ll lose control in the first rainstorm!