Multi-Factor Authentication: What Is It and Why Do I Need It?

By Jean Hiefner

Multi-factor authentication is essential for enterprise security. Every major hacking incident in the past decade — from Target to Ukraine’s power grid — has had one thing in common: the lack of multi-factor authentication. Usernames and passwords, even the most secure and frequently changed ones, are still susceptible to being compromised. The very best passwords can, with the right equipment, be cracked in a matter of weeks. With multi-factor authentication, you add an additional element to your log-in process that makes hacking nearly impossible.


Multi-factor authentication can include various elements, from the inclusion of biometrics to the use of one-time passwords. The most common form of multi-factor authentication is two-factor authentication. Two-factor authentication requires something you have and something you know. In 2004, President George W. Bush signed HSPD-11 which began the United States government’s road toward mandated two-factor authentication. From that directive, the U.S. government settled on using a smart card with encrypted security certificates — something you have — and an eight to ten-digit personal identification number (PIN) — something you know — as a requirement for access to all government systems.

Implementing multi-factor authentication on desktop devices such as PCs and Macs provides its own unique set of challenges, the details of which we will not focus on here. When trying to apply these same policies to mobile devices, however, many system administrators and CISOs find the task downright daunting. Both native and third-party tools for web access and email, the two most common needs of an employee on their mobile device, are either completely absent or else lack the features needed for an enterprise deployment. That’s why Thursby Software Systems (an Identiv company) developed its suite of Sub Rosa® applications.

Multi-Factor Authentication

Thursby’s Sub Rosa Suite
The Sub Rosa suite is a compilation of three different applications: Sub Rosa, Sub Rosa Pro, and Sub Rosa Ex. Each of these applications includes the ability to use two-factor authentication to access websites and to sign, encrypt, and decrypt email (S/MIME). Every application in the Sub Rosa suite has undergone thorough testing for security and usability. They all employ RSA encryption and are all FIPS 140-2 validated by the Department of Defense (DoD). Each app within the suite contains unique variations in features and functionality.

Sub Rosa requires the use of a DoD common access card (CAC), personal identity verification (PIV) card, or PIV-I card, which is a card used by the industry that is provisioned according to the same standards as the DoD PIV card. While still containing all the same features as Sub Rosa Pro and Sub Rosa Ex, the requirement of a physical card reader and inability to customize Sub Rosa make this an app best used by individual users within the U.S. government.

Sub Rosa Pro can also work with all of the same card types but includes the ability to import derived credentials, such as Purebred, as well. This flexibility in credential type makes it ideal for enterprise use. Also included in Sub Rosa Pro is the ability of deployment and configuration via a mobile device manager (MDM). However, an MDM may be an unnecessary cost in some cases and is certainly not ideal for use on personal devices. These limitations led to the creation of Sub Rosa Ex.

Sub Rosa Ex contains all of the credentialing options available in Sub Rosa Pro. Unlike Sub Rosa Pro, however, an MDM is not required to configure the over 100 features and policies available within the app. Customization is as simple as filling out a short form of preferences and sending it to the Thursby support team. Upon first opening the app, users are prompted to input a configuration code that launches into the specified features and security policies set by their company. From that point forward, the customer will always launch into their unique configuration. Changes to the configuration of the app can occur in the background at any time and can be available to the end-user in as little as 24 hours.

Thursby’s Sub Rosa Suite

Each of these applications contains the same level of security and basic functionality, web browsing, and S/MIME. Thursby’s Sub Rosa suite of mobile apps for CAC, PIV, and derived credentials have over 200,000 users and have enabled BYOD movements within the U.S. Air Force, Navy, and just about every non-armed service and federal agency. From government agencies to commercial customers, if you’re ready to find out how we can improve your cyber and mobile security, reach out to our sales team at +1 817-478-5070 or