There is an often-used phrase that the stars have aligned, but in 2011 it is the technology that has come together to hammer the final nail into the physical token’s coffin. The cynical among you would argue that this statement has been made before, and yes, I concede that tokens have survived and are still prevalent. So why is this year different? Let’s examine the evidence.
Just before we do, let’s take a quick trip down memory lane:
- During the 70s, tape cassettes were the medium of the day
- In the 80s, VHS cassettes reigned supreme
- The 90s saw the introduction of DVDs
- And the millennium brought with it the Blu-ray Disc.
What does this demonstrate? Nothing lasts forever, and two-factor authentication is no different. It too has seen advancements, from the original complex and time-consuming challenge-response tokens of the 70s to the time-synchronised tokens of the 80s. Thirty years later it is as if time has stood still: the majority of physical tokens still rely on this outdated technology. But the tide is turning.
If it’s not broken, why fix it?
True, there are few technologies that have stood the test of time as well as physical tokens have, but that’s not to say they’re perfect.
The fact is that there are a number of issues with their utilisation, some of which have been around since their introduction 30 years ago.
It’s time to present the evidence:
- Right from the start, token deployment has proven time consuming. Distributing 1,000 tokens, many of them sent by post to remote workers, will take six months to complete.
- 10% will be broken, misplaced or stolen and need replacing each year.
- Each token typically has a lifespan of between three and five years, after which it will need replacing.
- End users will forget their token, even the type designed to be added to a key ring, wasting their own time and the help desk’s.
- A physical token system requires ongoing administration, such as PIN management, re-synchronisation and replacing lost or broken tokens.
- Third-party contractors will often find themselves carrying around a number of tokens for their various clients and having to work out which one is the right one for each system.
- The stark reality is that many organisations will decide that the security offered by two-factor authentication isn’t justified against this level of investment.
SMS isn’t new so what’s changed?
In 2000 the number of mobile phones started to increase sharply. In fact, according to gsmworld.com, there are over 4,947,400,000 GSM and 3GSM connections globally, with the figure steadily increasing every second. By the time you’re reading this it wouldn’t surprise me if that figure had topped 5,000,000,000.
Using SMS technology, any mobile phone can be used as an authentication token. A passcode is sent to the user’s device, eliminating the need for a physical token. Other enhancements include the option of reusing a user’s existing password instead of remembering a separate PIN.
However, SMS technology alone isn’t the answer, as there have been instances when it has proved unreliable. In a small number of cases, estimated at 4%, SMS messages can take longer than one minute to get through. Other issues could be that the network is temporarily suspended or that the user is in a signal dead spot, such as the basement of a building or a computer room. It is this argument that has saved physical tokens in the past, but it can no longer stave off the Grim Reaper’s scythe.
With the advent of pre-loaded codes, mobile phones are able to clear this final barrier. The code for the next session is already sitting on the phone before the user needs it: as soon as a user enters their current authentication code, the system automatically sends a new SMS message, overwriting the code in the existing message ready for the next session. Delivery delay or a dead spot at login time therefore no longer blocks access.
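To make the pre-loaded code flow concrete, here is a small server-side model of it in Python. This is an added example written for this article, not SecurEnvoy’s code; the SMS transport is a hypothetical callable, and the phone number and messages are constructed for the demo. It shows the two properties that matter: each code is single-use, and the replacement code is issued the moment the current one is consumed, so the next login does not depend on SMS delivery at that instant.

```python
import hmac
import secrets

CODE_LENGTH = 6


def new_code() -> str:
    """Random zero-padded 6-digit passcode from the OS CSPRNG."""
    return f"{secrets.randbelow(10 ** CODE_LENGTH):0{CODE_LENGTH}d}"


class PreloadedOtpServer:
    """Server side of the pre-loaded code flow (hypothetical implementation).

    Each enrolled user holds exactly one valid, single-use code on their
    phone. When that code is consumed, the replacement goes out immediately,
    so a dead spot or slow SMS delivery at login time does not block access.
    """

    def __init__(self, send_sms):
        self._send_sms = send_sms   # assumed transport: callable(mobile, text)
        self._pending = {}          # user -> (mobile, current pre-loaded code)

    def enrol(self, user: str, mobile: str) -> None:
        """The first code is delivered at enrolment, not at first login."""
        self._issue(user, mobile)

    def verify(self, user: str, submitted: str) -> bool:
        """Check a submitted code; on success rotate it straight away."""
        entry = self._pending.get(user)
        if entry is None:
            return False            # unknown or un-enrolled user
        mobile, current = entry
        # Constant-time compare so timing does not reveal matching digits.
        if not hmac.compare_digest(current.encode(), submitted.encode()):
            return False            # wrong code: nothing changes, no new SMS
        self._issue(user, mobile)   # consumed: pre-load the next session's code
        return True

    def _issue(self, user: str, mobile: str) -> None:
        code = new_code()
        self._pending[user] = (mobile, code)
        self._send_sms(mobile, f"Your next passcode is {code}")


# Constructed demo transport: messages are captured in memory, no gateway.
OUTBOX: list = []


def demo_server() -> PreloadedOtpServer:
    return PreloadedOtpServer(lambda mobile, text: OUTBOX.append((mobile, text)))


def code_from(sms_text: str) -> str:
    """Pull the passcode out of a captured demo message."""
    return sms_text.rsplit(" ", 1)[1]
```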
I’ve invested far too much in tokens to change now?
It’s always going to be hard to justify writing off an investment. Yet that’s the sensible thing to do if you don’t want to continue haemorrhaging money supporting an old technology:
- For starters, it is estimated that moving to SMS authentication will reduce ongoing running costs by 40–60%. This is substantiated by Gartner, which believes that “SMS OTP approaches the security of a dedicated hardware token, but at a lower cost and with higher convenience.”
- Due to their lifespan, you’ll have to replace all your tokens within the next three to five years. With an SMS system, the majority of your users will already have a mobile phone. If for any reason a user does not have a mobile phone, a voice text can be sent instead to a number stored on the system.
- There is the argument that people do misplace their mobile phones, but this is also true of physical tokens. It is people’s attachment to their mobile that is the differentiator: research by YouGov recently revealed that a third of the population would notice they’d lost their mobile phone within 15 minutes, and 60% would within the hour. The lack of emotional attachment to a physical token can mean its loss isn’t discovered until the user actually needs to use it, which could be hours, or even days, later.
- Using automation, an SMS system can be set up in a day (at an average of 300 users per minute) instead of six months. The existing employee database is used, with mobile numbers identified automatically. For records where a number is not listed, an email is automatically sent asking the user to self-enrol.
- It can offer substantial benefits for organisations looking to reduce their carbon footprint. It would require 1,673 trees to offset the emissions created in deploying 3,000 tokens.
Goode Intelligence recognises that pre-loaded codes are changing the playing field, predicting that “40% of organisations plan to deploy services that will enable employees to use their mobile phone as an authentication device by the end of 2011.”
This is substantiated by our own recent poll, conducted between November last year and January, in which 146 people were asked: ‘Should SecurEnvoy add support for hardware tokens?’ An overwhelming 98% responded no, so it’s not just me who believes the physical token is dead.
About Steven Kemshall
Steven Kemshall is the Co-founder and Technical Director of SecurEnvoy. Before setting up SecurEnvoy, which specialises in tokenless two-factor authentication, Steven worked for RSA as one of its original technical experts in Europe, clocking up over 15 years’ experience in user authentication. His particular specialty is two-factor authentication in the fields of architecture, design and development of next-generation authentication software.