Token Debate: Battle Tested, Industry Approved

30 August 2012
Dan Schiappa, RSA

Their ability to remain nimble is why RSA’s Dan Schiappa believes tokens are the past, present, and future of two-factor authentication

Time-based two-factor authentication strengthens passwords by making them dynamic and ever-changing. The result is access credentials that are nearly impossible to guess and very difficult to steal.

The most commonly deployed and effective method for two-factor authentication is the time-based ‘token’. This is generally thought of as a purpose-built hardware keyfob with a number display, but it can also be a software application running on a mobile device or PC. Regardless of the form factor the token takes, it performs an invaluable service in ensuring the identity of users seeking to gain access to private resources and sensitive information.

Two-factor authentication is one of the most widely used security technologies in the history of IT. Millions of people use this technology every day to gain secure access to corporate networks, and it has been used to protect trillions of communications and transactions. Many of the most security-conscious organizations in the world consider tokens the ‘go-to’ technology to enable secure, trusted access to the most critical IT infrastructures in banking and finance, healthcare, law enforcement, military and government.

Time-based two-factor authentication stands apart from competing authentication products due to its simple and sophisticated design of a one-time credential, based on a clock-driven, dynamically changing password coupled with a secret user PIN. This combination makes it extremely difficult to compromise all the factors at once.
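As an added illustration of the mechanism described above (example code, not RSA's own algorithm, which the article does not specify), the open RFC 6238 TOTP scheme is implemented below: a clock-driven code is combined with a user PIN, and the verifier allows a small clock-skew window while refusing to accept any time step it has already honoured, so a captured passcode is useless after its interval. The secret, PIN and timestamps are constructed sample values.

```python
import hmac
import hashlib
import struct

STEP = 30    # seconds per time step: the "clock-driven" interval
DIGITS = 6   # length of the displayed one-time code


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Verifier:
    """Server side: shared secret plus user PIN, clock-skew window, replay tracking."""

    def __init__(self, secret: bytes, pin: str, window: int = 1):
        self.secret = secret        # seed shared with the token (constructed sample)
        self.pin = pin              # something the user knows
        self.window = window        # accepted drift, in time steps, either side of now
        self.last_counter = -1      # highest time step already accepted

    def verify(self, passcode: str, now: int) -> bool:
        # Passcode is PIN followed by the token code; both factors must be right.
        if len(passcode) != len(self.pin) + DIGITS:
            return False
        pin, code = passcode[:len(self.pin)], passcode[len(self.pin):]
        if not hmac.compare_digest(pin, self.pin):
            return False
        counter = now // STEP
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_counter:
                continue   # that step was already used (or is older): replay rejected
            if hmac.compare_digest(totp(self.secret, c * STEP), code):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    seed = b"12345678901234567890"   # RFC 6238 test seed, used here as a sample
    v = Verifier(seed, pin="4321")
    first = "4321" + totp(seed, 59)
    print("fresh code accepted:", v.verify(first, 59))      # True
    print("same code replayed:", v.verify(first, 59))       # False
```

The codes for the RFC test seed match the vectors in RFC 6238 Appendix B truncated to six digits, so the generator can be checked against a published reference.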

Since its inception, the world’s most respected security researchers have worked, unsuccessfully, to ‘break’ this technology. The reason for their lack of success is that time-based two-factor authentication actually requires far more than two factors to compromise it. Contrary to what critics have asserted about the security of stored shared secrets, recent attacks have shown that compromising some pieces of the puzzle does not enable a successful attack on users.

By itself, time-based two-factor authentication is the industry standard because it has proven to be easy to use, easy to deploy, and is one of the most difficult security controls to defeat. That being said, there is no silver bullet to protect an organization against advanced threats – a multi-layered approach is always recommended.

"Time-based two-factor authentication is the industry standard because it has proven to be easy to use, easy to deploy, and is one of the most difficult security controls to defeat"

When combined with additional security measures and risk-based controls, time-based two-factor authentication is a powerful component in a multi-layered security infrastructure and has proven incredibly effective against (even modern) malware and advanced attacks, including hijacked machines, man-in-the-middle attacks and lost or stolen tokens.

The advanced threats facing organizations today are getting increasingly better at defeating all types of security controls, which is why time-based two-factor authentication continues to be a critical component of any security strategy. No security technology has been more widely used, closely scrutinized, and more elegantly designed and implemented. It still enjoys an extensive and healthy acceptance among global IT security professionals as the standard-bearer for making passwords stronger.

Part of the continued success of two-factor authentication is the fact that the technology is always being adapted to provide improved security, convenience and applicability. Innovations are being made to apply time-based two-factor authentication to new use cases, such as virtualization, cloud and mobile computing, and other form factors that utilize mobile device technology and risk-based authentication. It’s these innovations that ensure that the future of ‘token’ technology remains bright.

Dan Schiappa is senior vice president & group general manager, identity and data protection, at RSA, The Security Division of EMC². Prior to this, Schiappa was at Microsoft for eight years where he held many senior roles, including general manager of Microsoft Passport/Windows Live ID, general manager of strategy with the entertainment and devices division, and general manager of Windows Security. At Microsoft, he was responsible for the core security direction and delivery of such key technology components as BitLocker, Rights Management Server, and Certificate LifeCycle Manager. Prior to Microsoft, he also held several senior business and technical roles. Schiappa studied computer science at the Rochester Institute of Technology and the University of Central Florida.

brian-basgen says:

04 September 2012
A useful way to assert the value of token-based authentication is to contextualize it with the vulnerability of typical authentication methods such as the 8-character password. There is a wonderful array of math that can illustrate the weakness of 8+ character passwords with typically low entropy. Thus, while tokens certainly have points of vulnerability (as all security controls do), they do a good job at improving the strength of the credential.
