For those who work in the information security space, RSA’s SecurID tokens, with their red and blue color scheme, are as iconic as a BlackBerry smartphone.
Carrying a two-factor authentication token denotes a person, or a business, that takes security seriously. It can even be a status symbol: in government and banking circles, SecurID tokens are mostly the preserve of senior staff, or those with mission-critical tasks.
Then, in March of this year, RSA suffered a security breach that shook confidence in its system, and the company was forced to admit that some customers’ networks might be more vulnerable to external penetration (see box on p.31). The breach prompted some businesses to revisit token-based authentication, already under fire from some quarters for its cost and complexity of deployment, with some experts suggesting that the authentication token’s days are numbered.
Certainly, there is growing interest from security professionals in alternative forms of multi-factor authentication.
Although alternative two-factor authentication systems such as biometric IDs have drawbacks of their own – primarily around user acceptance and accuracy – software- or smartphone-based authentication systems, as well as “out of band” technologies that deliver one-time codes by text message, have been gaining ground over the last few years.
Their proponents argue that such systems are cheaper, more flexible, and easier to manage than the traditional hardware tokens.
“The RSA story has forced the market to move ahead faster than we had been expecting. The use of phones as tokens is happening more quickly than we had expected”, says Eric Domage, program manager for security products and services at IDC, the industry analysts.
A Token Presence
Strong, two-factor authentication itself remains a relatively under-used technology, with even those companies that utilize it deploying it only to a minority of users. RSA itself says that the number of its tokens in use by enterprises ranges between 10m and 20m units, with Gartner reporting that the vendor holds some 70% of the market; worldwide the number of one-time code tokens is put at 100m units, including those issued to consumers, for example, for online banking.
The size of the market for tokens is limited by the cost of deployment, and their relative complexity when it comes to managing systems.
Physical tokens, whether from RSA or other vendors, are relatively high-cost options, with tokens selling at between $80–$100 (£50–£60). Some analyses put the total cost of ownership at ten times that amount, which includes authentication server licenses, and certificates.
Software-based tokens are cheaper – the PC or smartphone application is often free – and deployment much simpler, supporters argue. “With a hardware token, if you lose it you can be without the ability to log into your corporate network, sometimes for days”, says Stephen Howes, CTO and founder of GrIDsure.
Both IDC and Gartner, meanwhile, are seeing stronger take-up of software tokens, especially phone-based tokens, among mid-sized businesses, and among banks and other organizations that need to authenticate large numbers of consumers.
“We have been seeing a shift in the way one-time passwords are delivered over the last three to four years”, says Ant Allan, research vice president at Gartner. “We are increasingly seeing the emphasis on smartphones and tokens via SMS. The user experience is better, and you don’t have to support the device.”
The logistics of deploying large numbers of one-time password systems appear to favor software, and especially smartphone apps, over traditional tokens. “Users do tend to take more care of their phones and it eliminates the cost of forgotten or lost tokens”, suggests Allan.
Use and Misuse
But if alternatives to authentication tokens are gaining ground, fears of a backlash against token-based systems following the RSA security breach seem unrealized.
According to Seamus Reilly, head of information security for Northern Europe at Ernst & Young, clients have been asking for guidance following the breach, but this has not changed their policies on token use or deployment. In fact, other IT issues, such as the trend of employees using personal devices for work, are prompting businesses to think about using two-factor authentication more widely.
The trouble with tokens appears to stem at least in part from their very visibility. Boards, and even some chief security officers, appear to have placed too much reliance on a system, designed to improve authentication, to solve security issues it was never intended to address. Tokens do not provide encryption or protect against malware, and without other security measures in place, organizations’ networks will remain vulnerable if a token and its PIN fall into the wrong hands.
“People have a propensity to buy security on the strength of a label, and there are misconceptions about the level of security that a token allows you to achieve”, says John Walker, a member of the ISACA Security Advisory Group. He points to cases where companies deploy tokens to their mobile computer users, but fail to turn on other security measures, such as using the PC’s trusted platform module. “Companies deploy an RSA token or a smartcard and expect it to do everything, and then multi-layer security becomes single layer”, he says.
See Security, Think Security
Then there is the need to deal with the changing threat landscape. Organizations using tokens or other one-time password systems for mobile or remote workers now face threats that were not on the agenda three or four years ago, such as man-in-the-middle, and especially, man-in-the-browser attacks. As Mickey Boodaei, CEO of Trusteer, points out, tokens can only help prevent these attacks if they are used together with other security measures, such as URL checking and online activity monitoring.
Other experts agree. “The best application for tokens remains when you need stronger authentication than a password, and it is not practical to use biometrics”, says Bruce Schneier, chief security technology officer at BT. But even after the RSA breach, the odds of a token failing, he says, remain low.
Psychological factors, too, come into play. At Ernst & Young, Seamus Reilly points to research that suggests physical tokens are slightly more secure than software alternatives, but also to the added degree of reassurance the user derives from the token itself. Users issued with tokens become more aware of the security issues around the data they access, and usually take more care with security as a result.
“Physical tokens have been successful… we are not seeing people throw them away”, he concludes.
In March this year, the market leader in token-based authentication was targeted by hackers.
RSA fell victim to an advanced persistent threat (APT) attack, which succeeded not only in penetrating RSA’s computer network, but in extracting data related to the firm’s SecurID two-factor authentication products, in particular the physical tokens.
According to the company, the stolen data will not give hackers direct access to RSA customers’ systems but could make them more vulnerable to other forms of cyber attack.
“While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack”, RSA CEO Art Coviello wrote to customers at the time.
Affected companies have been contacted by RSA, and given advice on bolstering their security.
Information stolen from RSA is believed to include the so-called “seed values” of customers’ tokens, although RSA has neither confirmed nor denied this.
A hacker equipped with seed values could use these to create a valid, SecurID one-time passcode; the algorithm used to generate the passcodes is already known.
Customers with physical tokens are believed to be the most vulnerable, as the seed values for the tokens are fixed; with RSA’s software-based tokens, the customer controls – and is able to change – the seed values. However, hackers are not thought to have obtained information on which tokens RSA issued to specific customers, so even if a hacker group created a valid passcode from the seed values, it would be of little use unless it could identify which systems the passcode could be used to penetrate.
That is possible. “If a hacker captured a user’s one-time password they could compare this against the generated values and trace their organization”, warns Ant Allan, a security expert at Gartner.
Moreover, the seed values for physical SecurID tokens are believed to have been batched, rather than randomized. That raises the risk that if hackers obtain details of one token belonging to a specific organization, they could potentially use those details to match other stolen seed values to that organization’s other tokens.
Such an exercise would, however, require significant computing resources, especially if a hacking group hoped to identify a one-time code by scanning online traffic. Also, businesses can close down the vulnerability by replacing any compromised tokens.
According to industry sources, some businesses have now been issued new SecurID tokens by RSA to do just that. Users, for their part, are being warned to take much greater care over their token PINs and serial numbers, as hardware tokens are now considered to be sensitive.
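The mechanics the box describes – a one-time code that is a deterministic function of a shared seed and the time, so that whoever holds the seed holds the whole secret, and the two mitigations of guarding the PIN and replacing compromised seeds – as an added Python illustration that is not from the article and not RSA's code. It uses the open RFC 6238 (TOTP) algorithm as a stand-in for a seed-based token; it is not SecurID's algorithm and claims nothing about SecurID's internals. The `AuthServer` class, the PIN-followed-by-code passcode format, the token serial, PIN and seed values are all assumptions constructed for the example; the seed `12345678901234567890` is the RFC 6238 test-vector seed.

```python
"""Seed-based one-time codes, a verifying server, and seed rotation.

Added illustration using RFC 6238 (TOTP) as a stand-in for a seed-based
token. It is NOT RSA's SecurID algorithm; all names and values are assumed.
"""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass
from typing import Optional


def totp_code(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HMAC-SHA1 over the time-step counter, dynamically truncated.

    Anyone holding `seed` and knowing the time can compute this, which is why
    a leaked seed database matters: the algorithm itself is public.
    """
    counter = unix_time // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


@dataclass
class TokenRecord:
    seed: bytes              # shared secret provisioned into the token
    pin: str                 # "something you know"; a real server stores a hash
    last_counter: int = -1   # highest time step already accepted (replay guard)


class AuthServer:
    """Hypothetical authentication server keyed by token serial number."""

    def __init__(self, step: int = 30, drift_steps: int = 1):
        self.step = step                # seconds per code
        self.drift_steps = drift_steps  # clock-skew tolerance, in steps
        self.tokens: dict[str, TokenRecord] = {}

    def enroll(self, serial: str, seed: bytes, pin: str) -> None:
        self.tokens[serial] = TokenRecord(seed=seed, pin=pin)

    def verify(self, serial: str, passcode: str, now: int) -> bool:
        """Passcode = PIN followed by the current token code (assumed format).

        Both factors are required: a stolen seed alone does not yield the PIN,
        and a captured passcode cannot be replayed for the same time step.
        """
        rec = self.tokens.get(serial)
        if rec is None:
            return False
        pin_part, code_part = passcode[:len(rec.pin)], passcode[len(rec.pin):]
        if not hmac.compare_digest(pin_part.encode(), rec.pin.encode()):
            return False
        base = now // self.step
        for counter in range(base - self.drift_steps, base + self.drift_steps + 1):
            if counter <= rec.last_counter:
                continue  # a code for this step was already used: reject replay
            expected = totp_code(rec.seed, counter * self.step, self.step)
            if hmac.compare_digest(code_part.encode(), expected.encode()):
                rec.last_counter = counter
                return True
        return False

    def rotate_seed(self, serial: str, new_seed: Optional[bytes] = None) -> bytes:
        """Replace a compromised seed; codes derived from the old seed stop
        validating. This is what reissuing a token, or re-seeding a software
        token, achieves."""
        rec = self.tokens[serial]
        rec.seed = new_seed if new_seed is not None else secrets.token_bytes(20)
        rec.last_counter = -1
        return rec.seed


if __name__ == "__main__":
    # Constructed demo values: RFC 6238 test seed, made-up serial and PIN.
    server = AuthServer(step=30, drift_steps=1)
    server.enroll("000123", b"12345678901234567890", "4321")
    code = totp_code(b"12345678901234567890", 59)
    print("first use accepted:", server.verify("000123", "4321" + code, now=59))
    print("replay accepted:   ", server.verify("000123", "4321" + code, now=59))
    server.rotate_seed("000123")
    print("old-seed code after rotation:",
          server.verify("000123", "4321" + code, now=59))
```

The replay guard and the PIN check are the two places where a defender still has leverage when the seed is suspected compromised; the rotation is the only thing that actually closes the gap.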
RSA, for its part, says it has learned from the attack. “It is fair to say we are seeing a revisiting [of security threats]... it might seem too much of a buzzword until it happens to you, but advanced persistent threats are real”, says Sean Brady, RSA’s product marketing manager for identity protection and verification.