If you’re thinking about a decision methodology for which security measures to implement, one approach is to look at ease of use versus security strength and determine where in the picture below your implementation fits.
Unfortunately, the easier a security measure is to use, the less secure it is. The more secure the security measure, the harder it is for end-users to use.
If you just think about authentication mechanisms: passwords are very easy to use, but do not provide a lot of security strength, so they should end up somewhere in the upper left corner of the picture. Hardware tokens provide a very high level of security strength, but are not easy to use, so down to the right they go. Enforcing longer passwords with complicated password rules no longer makes them easy to use, so they slide downwards. One-time tokens, for example those sent via SMS, seem easy enough to use and provide quite a level of security strength, so they might end up somewhere in the middle. Find the revised picture below.
Happy assessments. 🙂