Software Tokens Gaining in Popularity
A good network authentication system is a vital corporate asset. It helps keep hackers off your corporate network and out of your servers, workstations and applications, while ensuring that people who are meant to be able to access these systems can.
The most basic form of authentication is a simple username and password pair, but the limitations of this are well known. Simple passwords are easy to guess or crack by brute force, and complicated passwords get written down on Post-It notes or forgotten.
That's why there has been a steady increase in the adoption of two-factor authentication systems by large enterprises and SMBs over the past decade or so, and that trend appears to be accelerating. These combine "something you have" -- a security token that generates a fresh one-time code (typically a short string of digits) for each login from a secret seed stored inside it, which you must enter as part of the authentication process to prove that you hold the token -- with "something you know," the traditional password that matches your user name.
The reason for the rise in two-factor authentication is partly that many companies are becoming more aware of the security risk associated with weak single factor authentication mechanisms, and partly because compliance regulations are forcing them to do so, according to Ant Allan, a Gartner research vice-president. PCI-DSS regulatory requirements are a good example: two factor authentication is specified for compliance.
The good news if you are considering implementing two factor authentication to protect your network and other assets is that the cost of these systems has fallen dramatically over the past few years. Although some vendors still charge $40 per hardware authentication token, companies like Entrust offer hardware devices such as the IdentityGuard Mini-token for as little as $5 each.
But more significantly, there is now a very wide range of vendors such as VeriSign (now part of Symantec) offering two factor authentication systems that use software authentication tokens that run on smartphones. These are offered at very low cost or even completely free. Other vendors such as SecurEnvoy offer systems that use cellphones to deliver an "out-of-band" authentication service. These generally work by sending an authentication code to a user's cellphone when they authenticate themselves using a username and password, and this code then has to be entered to complete the authentication process.
In theory, software tokens are less secure than hardware tokens because the seed that generates the codes lives on a general-purpose device that can be compromised by malware, rather than in isolated, tamper-resistant hardware; anyone who extracts the seed can generate valid codes. Out-of-band systems can in theory be defeated by an attacker who diverts the user's phone calls and SMS messages to a number under the attacker's control (for example by call forwarding or a SIM swap), so they may be considered weaker still. But these weaknesses in phone-based systems are fairly insignificant, Allan believes.
"In our view, phone-based methods of authentication are the preferred choice over hardware," he said.
The main advantage is that you don't have to buy a hardware token for each employee, or work out how to provision it.
"In some companies, the cost of distributing the tokens to employees is more costly than actually buying them," he said. "Users also tend to be more accepting of an app on their smartphone than an extra piece of hardware to carry around. They rarely forget to carry their smartphone and they tend to take more care of them and lose them less frequently than hardware tokens, which means better security and fewer calls to the help desk."
SyferLock's GridGuard system, for example, works by presenting users with a letter substitution grid which they use to swap the letters of their password with digits to create a passcode. Since the substitution grid changes each time a user attempts to log in, the same password results in a unique one-time passcode at every login.
As long as the user's password remains secret, the one-time nature of the passcodes means that an attacker who shoulder-surfs or intercepts a passcode, or captures it with a keylogger, cannot reuse it to authenticate.
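To make the grid scheme concrete, here is an added example of the mechanism the two paragraphs above describe; it is a simplified model written for this page, not SyferLock's code, and the article does not say how GridGuard actually builds its grids or stores credentials. In this model every letter and digit a password may contain is shown above a single digit 0-9, the mapping is reshuffled for every login, the user types the digits under their password characters, and the server recomputes the expected passcode from the stored password and the grid it issued. Each challenge is single-use and expires, so a captured passcode is worthless once its grid is gone. The alphabet, the 60-second lifetime and the in-memory challenge store are assumptions.

```python
import hmac
import secrets
import string
import time

# Assumption: passwords are drawn from lowercase letters and digits, all of which appear on the grid.
ALPHABET = string.ascii_lowercase + string.digits


def make_grid(rng=None):
    """Build one substitution grid: each alphabet character is shown above a digit 0-9.
    36 characters share 10 digits, so several letters map to the same digit; the digits are
    spread evenly and shuffled so each login gets a fresh mapping. `rng` is injectable for
    reproducible tests; by default the OS CSPRNG is used."""
    if rng is None:
        rng = secrets.SystemRandom()
    digits = [str(i % 10) for i in range(len(ALPHABET))]
    rng.shuffle(digits)
    return dict(zip(ALPHABET, digits))


def passcode(password, grid):
    """What the user types: every password character replaced by the digit shown under it."""
    try:
        return "".join(grid[c] for c in password)
    except KeyError as missing:
        raise ValueError(f"character {missing} is not on the grid") from missing


class GridLogin:
    """Server side for one user: issue a grid per login attempt, verify once, then discard it."""

    def __init__(self, password, ttl=60, rng=None):
        # The server must be able to recompute the expected passcode from the real password,
        # so in this model the password is kept recoverable rather than as a one-way hash.
        # That is a property of this illustration; the article says nothing about GridGuard's storage.
        self.password = password
        self.ttl = ttl                     # assumption: a grid is valid for 60 seconds
        self.rng = rng
        self.pending = {}                  # challenge id -> (grid, issue time)

    def challenge(self, now=None):
        now = time.time() if now is None else now
        cid = secrets.token_hex(8)
        grid = make_grid(self.rng)
        self.pending[cid] = (grid, now)
        return cid, grid

    def verify(self, cid, submitted, now=None):
        now = time.time() if now is None else now
        entry = self.pending.pop(cid, None)   # single use: replaying a challenge id finds nothing
        if entry is None:
            return False
        grid, issued = entry
        if now - issued > self.ttl:
            return False                      # stale grid, even if the passcode would match
        expected = passcode(self.password, grid)
        return hmac.compare_digest(expected.encode(), submitted.encode())


def render_grid(grid):
    """Two-row text rendering of the grid as a user would see it on the login page."""
    return " ".join(ALPHABET) + "\n" + " ".join(grid[c] for c in ALPHABET)


if __name__ == "__main__":
    login = GridLogin("s3cret")
    cid, grid = login.challenge()
    print(render_grid(grid))
    code = passcode("s3cret", grid)
    print("user types:", code)
    print("first use accepted:", login.verify(cid, code))
    print("same passcode replayed:", login.verify(cid, code))
```

Two points worth noticing from running it: the same password gives a different passcode on every attempt because the grid changes, and a keylogged passcode replayed after the challenge has been consumed (or after its lifetime) is rejected regardless of whether the digits happen to match a later grid.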
A potential problem with these systems is that they can be complicated. "Users will try to make things easier for themselves by getting around things that are inconvenient," Allan warned.
One way to reduce complexity is to implement a system that allows a tiered approach to security: more basic protection for less important systems, with the more demanding two-factor authentication required only before certain actions can be carried out, or when a user attempts to authenticate from a device or IP address they have never used before, for example.
IdentifyX, a smartphone-based system supplied by Daon, can even use voice recognition using the phone's microphone, or facial recognition using the camera, to provide a third identification factor ("something you are") for extra security.
In terms of overall cost, there is a wide variation between different authentication systems; so much so that the lowest cost hardware token-based systems cost less than the most expensive software-token based or out-of-band systems.
"In other words, shopping around for the lowest cost vendor is more effective than shopping around for the lowest cost authentication method," said Allan.
This is because the distinction between hardware tokens and software tokens is becoming blurred since many vendors offer systems that support both types of token concurrently.
One final decision that you have to make before buying an authentication system is whether to license the software and implement it in house, or simply implement it as a service provided by a managed service provider such as Symantec or PhoneFactor.
"With a service you don't have to license the software and buy a server to run it on that needs to be managed, so there is definitely a cost advantage in using a service provider," Allan said. "One barrier is that many organizations are reluctant to give up control of authentication to their network to a third party. But if you use a trustworthy managed service provider there should be no significant difference in terms of security."
Paul Rubens has been covering IT security for over 20 years. In that time he has written for leading UK and international publications including The Economist, The Times, Financial Times, the BBC, Computing and ServerWatch.