Comment: 2011– The Year Tokens Died

Kemshall believes that 2011 is the year that the Grim Reaper will come calling on token-based authentication
Kemshall believes that 2011 is the year that the Grim Reaper will come calling on token-based authentication
Andrew Kemshall, SecurEnvoy
Andrew Kemshall, SecurEnvoy

With an increasingly mobile workforce and ID and data theft soaring, companies are going to demand their staff employ two-factor authentication for network access. The preferred solution for almost 30 years has been the loyal physical token but, in my opinion, 2011 is going to be the year of its demise. Ninety-eight percent of my customers agree that using tokens is an outdated pain, and that using their own phones is definitely the preferred route as an access authentication tool.

So what evidence do I have to prove that the physical token will be dead by the end of the year? (And the RSA breach has just added to its demise.) Let’s examine the evidence.

Just before we do, let’s take a quick trip down memory lane:

  • During the 1970s, tape cassettes were the medium of the day
  • In the 1980s, VHS cassettes reigned supreme
  • The 1990s saw the introduction of DVDs
  • And the millennium brought with it the BluRay Disc.

For thirty years, little has changed with the physical token, as it still relies on out-dated technology.

If It’s Not Broken, Why Fix It?

Physical tokens have been great for more than three decades, but they are far from perfect – it’s time to present the evidence:

  • Right from the start, token deployment has proven time consuming. For 1000 tokens to be distributed, with many sent using a postal system to remote workers, it will take six months to complete.
  • 10% will be broken, misplaced or stolen and need replacing each year
  • Each token typically has a life span of between three and five years, after which it will need replacing
  • End users will forget their token – even with the type designed to be added to a key ring – wasting their time and the help desk’s time as well
  • A physical token system requires ongoing administration, such as pin management, re-synchronisation and replacing lost or broken tokens
  • Third-party contractors will often find themselves carrying around a number of tokens for their various clients and having to work out which one is the right one for each system.

So the stark reality is that many organisations will make the decision that the security offered by two-factor authentication isn’t justified anymore, taking into the account the amount it costs to deploy them. So what else is there?

SMS Isn’t New, So What’s Changed?

In 2000 the number of mobile phones in use started to sharply increase. In fact, according to, there are over 4,947,400,000 GSM and 3GSM connections globally, with the figure steadily increasing every second. By the time you reading this it wouldn’t surprise me if that figure had topped five billion.

Utilising SMS technology, any mobile phone can be used as an authentication token. A passcode is sent to a user’s device, eliminating the need for a physical token. Other enhancements include the option of re-using a user’s existing password instead of remembering a separate PIN.

However, SMS technology alone isn’t the answer, as there have been instances when it has proved to be unreliable. In a small number of cases, estimated at 4%, SMS messages can take longer than one minute to get through. Other issues could be the network is temporarily suspended or the user may be in a signal dead spot, such as the basement of a building or computer room. It is this argument that has saved physical tokens in the past – but it can no longer stave off the Grim Reaper’s scythe.

With the advent of pre-loaded codes, mobile phones are able to hurdle this final barrier. As soon as a user enters their authentication code, the system automatically forwards a new SMS message, overwriting the code in an existing message ready for the next session.

But I’ve Invested Far too Much in Tokens to Change Now

It’s always going to be hard to justify writing off an investment. Yet that’s the sensible thing to do if you don’t want to continue haemorrhaging money supporting an old technology.

For starters, it is estimated that moving to SMS authentication will reduce ongoing running costs by 40–60%, and they only last for between three and five years. With an SMS system, the majority of users will already have a mobile phone. If for any reason a user does not have a mobile phone, a voice text can be sent instead to a number stored on the system.

There is the argument that people do misplace their mobile phones, but this is also true for physical tokens. It is people’s attachment to their mobile that is the differentiator, as research by YouGov on behalf of SecurEnvoy recently revealed that a third of 2000 people interviewed would notice they’d lost their mobile phone within 15 minutes, and 60% would within the hour. The lack of an emotional attachment to a physical token can mean its loss will not be discovered until the user actually needs to use it, which could be hours, or even days, later.

Other benefits of using automation: an SMS system can be set up in a day (an average of 300 users per minute) instead of six months. The existing employee database is used, with mobile numbers automatically identified. For records where a number is not listed, an email is automatically sent requesting the user to self enroll.

And, finally, tokenless two-factor authentication substantially reduces a company’s carbon footprint. It would require 1673 trees to offset the emissions created in deploying 3000 tokens.

Phones have, therefore, become multifaceted functional devices and fantastically inexpensive resources for employers to use as a security device that can keep their data secure using the latest and smartest SMS authentication technology. It’s my view that tokens have certainly had their day and will slowly disappear as the year goes on.

Andrew Kemshall is the co-founder and technical director of SecurEnvoy. Before setting up SecurEnvoy, which specialises in tokenless two-factor authentication, Kemshall worked for RSA as one of their original technical experts in Europe, clocking over 15 years of experience in user authentication. His particular specialty is two-factor authentication in the fields of architecture, design and development of next-generation authentication software.

What’s hot on Infosecurity Magazine?