Hard, Soft, or Smart? Evaluating the Two-Factor Authentication Options

Le Brun asks: "Technology has moved on, so isn’t it about time to kill off the hardware token?"
Le Brun asks: "Technology has moved on, so isn’t it about time to kill off the hardware token?"
The cost of 2FA
The cost of 2FA

First, let’s cover the basics. Two-factor authentication (2FA) is where a user’s credentials are made up of two independent factors, such as:

  • Something you know (PIN, simple password, alpha-numeric password, alpha-numeric password with special characters, secret questions, passphrase);
  • Something you have (Keyfob token, key, debit card, smartcard, mobile phone); or
  • Something you are (biometric data, such as fingerprint, retina, iris, face, veins, DNA, voiceprint, hand, typical usage patterns)

Admittedly, this is elementary information that many of you reading this already know. Nevertheless, defining
the concept from the outset serves to reinforce your previous education.

Hardware Tokens

The tried and tested combination used by countless organizations is the hardware keyfob token (something you have) and a secret PIN (something you know).

One type is the one-time password (OTP) keyfob, which is typically carried on your key ring and displays a pseudo-random number that changes periodically. The keyfob itself contains an algorithm (a clock or a counter), and a ‘seed record’ used to calculate the pseudo-random number. The user enters this number to prove that they have the token. The server that is authenticating the user must also have a copy of each keyfob’s seed record, the algorithm used, and the correct time.

This technology – widely used to secure remote access to corporate networks and data – is nothing new; many of us have been carrying hardware tokens around in our pockets for at least the last 25 years. Back in 1986, mobile phones were the size of briefcases and anything but smart. But technology has moved on, so isn’t it about time to kill off the hardware token?

In recent years, authentication vendors have been looking for alternatives: sometimes in response to increasing pressure on costs, but also to increase convenience for the end users of the token devices. Because most enterprise users of 2FA have a smartphone, it would make sense to try and exploit it as one of the factors.

“Since we first published our 2009 report on the market for mobile device-based authentication, we have seen a steady rise in the adoption of mobile devices as two-factor authenticators”, says industry expert Alan Goode, founder and managing director of Goode Intelligence. “We estimate that, today, it probably accounts for over 20% of total 2FA sales.”

Are Software Tokens the Answer?

A software version of the OTP keyfob for smartphones has been available for nearly as long as the concept of the smartphone – remember the Ericsson R380, released in 2000? Me neither, but you could install an RSA Security Software token on it to generate an OTP.

This is exactly the same technology as the hardware version. However, instead of carrying around an extra piece of hardware, it uses the smartphone to calculate the OTP from the ‘seed record’ along with the smartphone’s clock and the algorithm contained in software installed on the device, usually in the form of an app.

Despite software tokens having been available for more than a decade, it’s only in recent years that we’ve seen organizations starting to replace traditional hardware tokens with software versions. The driving force behind the switch being that, now, most people have a smartphone in their pocket capable of running apps.

Software tokens do have some significant advantages over their hardware-based counterparts – for both organizations and end users. For example, you can’t lose a software-based token, feed it to the dog, or put it through the wash. OK, perhaps you can still do all these things with your smartphone, but then it’s just a case of re-provisioning the app. Also, for geographically disperse organizations, they can be sent electronically – no waiting for shipping or battling with reams of customs paperwork just to get that token to the other side of the world.

There’s an App for That!

The explosion in apps for business use presents a problem for authentication when using a token app on the same device. If you’re using apps on your smartphone to access corporate data and rely on another app on the same device to be the ‘something you have’, is that really two-factor authentication?

What if you’ve left your smartphone on the plane, having removed the password so you could watch a movie? You’re now down to just a single factor to gain access to confidential data, and probably regretting setting the other factor – the ‘something you know’ – to ‘1234’ so you could type it easily.

Technology could be the answer to this unfortunate scenario. Earlier I discussed software-based tokens on mobile devices, but this just transports last century’s technology to the smartphone. New solutions are now coming to market that don’t rely on ‘something you have’, but can still utilize these mobile devices.

“Our research tells us technology vendors are embracing the smartphone to develop new innovative ways to leverage its characteristics for authentication purposes”, says analyst Alan Goode. “Some of these technologies are at an emerging stage and we don’t expect them to be deployed in large numbers in the short term, but they give us an indication of the direction the authentication market will go: smart, agile, flexible solutions that will create strong authentication services that can be embraced by the many, not the privileged.”

Smartphone Alternatives

One evolving area involves employing biometrics on smartphones to authenticate users based on physical attributes or behaviors. This moves the second factor to ‘something you are’ or ‘something about your behavior’. Biometric authentication on smartphones is still in its infancy, but there are several vendors coming up with potential solutions.

When we think of biometrics, most think of fingerprints. Most smartphones don’t come with a built-in fingerprint reader, but there are companies producing clever iPhone cases that incorporate fingerprint readers, such as the Tactivo iPhone case. But until these capabilities are built into the phones, they are unlikely to take off due to cost and the added inconvenience of using and managing the extra hardware involved.

One biometric that has the potential to work across all types of smartphones is voice, which uses the device’s microphone to capture biometric information. Everyone has a voiceprint that allows them to be uniquely identified. The simplicity of using just the characteristics of your voice to authenticate is very appealing. Vendors, including Nuance – the technical brains behind iPhone’s Siri voice recognition – are beginning to offer toolkits (DragonID) for app vendors that allow them to incorporate this technology into applications.

All About Risk

What about a technology that could authenticate you silently in the background, and provide a similar level of assurance that you are who you say you are?

This is where risk, or contextual-based authentication, comes into play. This technology observes user behavior, how often they authenticate, from where in the world, and from what device to calculate a risk score each time. This combination of multiple factors is very powerful in assessing a user’s identity, and the smartphone is the perfect device to capture the information required. Most have a GPS receiver built in, so they know where you are at all times.

“The context of a user’s access request is important when considering risk-based analysis”, explains Bob Tarzey, analyst and director at Quocirca. “Using advanced security intelligence correlations, an access request can be checked against what is going on elsewhere or has gone on recently. A risk score is given based on how much deviation from a normal authentication session there is.”

If the score that is generated when a user tries to gain access to their information is within the acceptable level, then the user will be allowed to authenticate with the standard username and password. However, if a user who normally logs in from home each evening in London is suddenly asking to login from China on a Sunday evening, then they will generate a higher score. This higher score would either deny the user access or trigger some other method of authentication, such as an OTP sent to the user’s phone.

Securing the App

There are significant barriers to the adoption of both biometrics and risk-based authentication technologies on smartphones. Both require that the apps and smartphones have these technologies integrated. This can work when vendors produce integration kits for app developers, and the app developers see the business case for a higher level of security; but this is going to seriously limit the apps that you can allow your users to run.

Do you want to be the one that tells the CEO he can’t use the amazing new mind-mapping apps he’s been showing off to everyone because it doesn’t support your authentication technology? No, me neither. The age of Bring Your Own Apps is here – and it’s going to be even more difficult to avoid than Bring Your Own Device.

The Token is Dead – Long Live the Token!

There’s no doubt that the use of two-factor authentication is expanding and that we rely on smartphones as business tools to get access to sensitive data. While the increased convenience and decreased cost of using the smartphone as the replacement for hardware tokens is a valid approach, unless we move away from the traditional ’something you have’ factor, we’re increasing the risk of our data being compromised.

Less security and a cheaper solution might be the right thing for some organizations or users, and that’s fine as long as we acknowledge the risks. However, having explored some of the alternatives that vendors are proposing – including software tokens, biometrics and risk-based authentication – there is no clear winner for exploiting the smartphone as a factor in the authentication experience.

Maybe that’s why the hardware token is still going strong. It doesn’t require app developers to rewrite their apps from scratch, and the hard token provides us with the level of security assurance we want and need. We’ve been carrying tokens around for 25 years; I wonder if they’ll make 50?

Authentication expert Grant Le Brun heads up the research labs at Signify – an authentication services vendor – that provides a range of 2FA hosted services. Under his direction, the labs provide clear, independent knowledge and expertise of authentication and other related technologies. Prior to this, Le Brun was a systems engineer at Signify and, before that, a technical consultant for Cambridge Assessment, which owns and manages Cambridge University’s three exam boards.

What’s hot on Infosecurity Magazine?