There is an often-used phrase that the stars have aligned but, in 2011, it is the technology that has come together to hammer the final nail into the physical tokens' coffin. The cynical among you would argue that this statement has been made before and, yes, I concede that tokens have survived and are still prevalent. So, why is this year different? Let's examine the evidence.
Just before we do, let's take a quick trip down memory lane:
What does this demonstrate? Nothing lasts forever, and two-factor authentication isn't any different. It too has experienced advancements, from the original complex and time-consuming challenge tokens of the 70s to the time-synchronized tokens of the 80s. Thirty years later, it's as if time has stood still, as the majority of physical tokens still rely on this outdated technology, but the tide is turning.
If it's not broken, why fix it?
The fact is that there are a number of issues with their utilization, some of which have been around since their introduction 30 years ago.
It's time to present the evidence:
SMS isn't new, so what's changed?
In 2000, the number of mobile phones started to sharply increase. In fact, according to gsmworld.com, there are over 4,947,400,000 GSM and 3GSM connections globally, with the figure steadily increasing every second. By the time you're reading this, it wouldn't surprise me if that figure had topped 5,000,000,000.
Utilizing SMS technology, any mobile phone can be used as an authentication token. A passcode is sent to a user's device, eliminating the need for a physical token. Other enhancements include the option of reusing a user's existing password instead of remembering a separate PIN.
However, SMS technology alone isn't the answer as there have been instances when it has proved to be unreliable. In a small number of cases, estimated at 4 percent, SMS messages can take longer than one minute to get through. Other issues could be that the network is temporarily suspended or the user may be in a signal dead spot, such as the basement of a building or computer room. It is this argument that has saved physical tokens in the past - but it can no longer stave off the Grim Reaper's scythe.
With the advent of pre-loaded codes, mobile phones are able to hurdle this final barrier. As soon as a user enters their authentication code, the system automatically forwards a new SMS message, overwriting the code in an existing message ready for the next session.
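The pre-loaded flow described above can be sketched on the server side as follows. This is an added example, not SecurEnvoy's code: the class name, the `send_sms` callback, the six-digit code length and the five-attempt lockout are assumptions, and overwriting the previous message on the handset is not modelled.

```python
import hashlib
import hmac
import secrets


class PreloadedCodeAuthenticator:
    """One unused passcode per user, delivered to the phone before it is needed."""

    def __init__(self, send_sms, max_failures=5):
        self._send_sms = send_sms            # hypothetical gateway callback(user, text)
        self._max_failures = max_failures    # assumed lockout threshold
        self._key = secrets.token_bytes(32)  # server-side key for stored digests
        self._pending = {}                   # user -> digest of the unused code
        self._failures = {}                  # user -> consecutive wrong guesses

    def _digest(self, user, code):
        # Keyed digest, so the store never holds a usable passcode in clear text.
        msg = f"{user}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def _issue(self, user):
        code = f"{secrets.randbelow(10**6):06d}"  # 6 digits from the OS CSPRNG
        self._pending[user] = self._digest(user, code)
        self._failures[user] = 0
        self._send_sms(user, code)

    def enroll(self, user):
        """Pre-load the first code while the phone still has signal."""
        self._issue(user)

    def verify(self, user, submitted):
        expected = self._pending.get(user)
        if expected is None or self._failures[user] >= self._max_failures:
            return False                     # unknown user or locked out
        if not hmac.compare_digest(self._digest(user, submitted), expected):
            self._failures[user] += 1
            return False
        self._issue(user)                    # spent code replaced immediately
        return True


if __name__ == "__main__":
    outbox = []                              # constructed stand-in for the SMS gateway
    auth = PreloadedCodeAuthenticator(lambda u, text: outbox.append((u, text)))
    auth.enroll("alice")
    code = outbox[-1][1]
    print(auth.verify("alice", code), auth.verify("alice", code), len(outbox))
```

Because the replacement code is sent at the moment of a successful login, a delayed or missed SMS affects only the next session, not the current one.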
I've invested far too much in tokens to change now
It's always going to be hard to justify writing off an investment. Yet that's the sensible thing to do if you don't want to continue hemorrhaging money supporting an old technology:
Goode Intelligence recognizes that pre-loaded codes are changing the playing field, predicting that "40 percent of organizations plan to deploy services that will enable employees to use their mobile phone as an authentication device by the end of 2011."
This is substantiated by our own recent poll, conducted between November last year and January, with 146 people asked: 'Should SecurEnvoy add support for hardware tokens?' With an overwhelming 98 percent responding no, it's not just me that believes the physical token is dead.