Death Knell Sounds for Traditional Tokens

Andrew Kemshall
Andrew Kemshall is the co-founder and technical director of SecurEnvoy.

There is an often-used phrase that the stars have aligned but, in 2011, it is the technology that has come together to hammer the final nail into the physical tokens' coffin. The cynical among you would argue that this statement has been made before and, yes, I concede that tokens have survived and are still prevalent. So, why is this year different? Let's examine the evidence.
Just before we do, let's take a quick trip down memory lane:
  • During the 70s, tape cassettes were the medium of the day.
  • In the 80s, VHS cassettes reigned supreme.
  • The 90s saw the introduction of DVDs.
  • And the millennium brought with it the BluRay Disc.
What does this demonstrate? Nothing lasts forever, and two-factor authentication isn't any different. It too has seen advances, from the original complex and time-consuming challenge-response tokens of the 70s to the time-synchronised tokens of the 80s. Thirty years later, it's as if time has stood still, as the majority of physical tokens still rely on this outdated technology, but the tide is turning.

If it's not broken, why fix it?
True, there are few technologies that have stood the test of time as well as physical tokens have, but that's not to say they're perfect.
The fact is that there are a number of issues with their utilization, some of which have been around since their introduction 30 years ago.
It's time to present the evidence:

  • Right from the start, token deployment has proven time-consuming. Distributing 1000 tokens, many of them sent by post to remote workers, takes six months to complete.
  • 10 percent will be broken, misplaced or stolen and need replacing each year.
  • Each token typically has a life span of between three and five years, after which it will need replacing.
  • End users will forget their token, even the type designed to be added to a key ring, wasting their time and the help desk's.
  • A physical token system requires ongoing administration, such as PIN management, re-synchronisation and replacing lost or broken tokens.
  • Third-party contractors will often find themselves carrying around a number of tokens for their various clients and having to work out which one is the right one for each system.
  • The stark reality is that many organisations will decide that the security offered by two-factor authentication isn't justified against this level of investment.
SMS isn't new, so what's changed?


In 2000, the number of mobile phones started to sharply increase. In fact, according to gsmworld.com, there are over 4,947,400,000 GSM and 3GSM connections globally, with the figure steadily increasing every second. By the time you're reading this, it wouldn't surprise me if that figure had topped 5,000,000,000.
Utilizing SMS technology, any mobile phone can be used as an authentication token. A passcode is sent to a user's device, eliminating the need for a physical token. Other enhancements include the option of reusing a user's existing password instead of remembering a separate PIN.
However, SMS technology alone isn't the answer, as there have been instances when it has proved unreliable. In a small number of cases, estimated at 4 percent, SMS messages can take longer than one minute to get through. Other issues are that the network may be temporarily suspended or the user may be in a signal dead spot, such as the basement of a building or a computer room. It is this argument that has saved physical tokens in the past, but it can no longer stave off the Grim Reaper's scythe.

With the advent of pre-loaded codes, mobile phones are able to clear this final barrier. The phone already holds an unused passcode before the user logs in; as soon as the user enters that code, the system automatically sends a new SMS message carrying the next code, overwriting the one just used and leaving the phone ready for the next session. Because the code is delivered in advance, a delayed message or a dead spot at login time no longer blocks access.

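The pre-loaded code cycle described above, written out as an added simulation. This is not SecurEnvoy's code; the `UserState` record, the `outbox` list standing in for the SMS gateway, and the six-digit code format are all assumptions made for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

CODE_DIGITS = 6  # assumed passcode length for this constructed example


@dataclass
class UserState:
    """Server-side record for one enrolled user (constructed for the example)."""
    phone: str
    current_code: Optional[str] = None          # the one unused code already on the handset
    outbox: List[Tuple[str, str]] = field(default_factory=list)  # stand-in for the SMS gateway


def new_code() -> str:
    """Generate a fresh random passcode from a CSPRNG, zero-padded to CODE_DIGITS."""
    return f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"


def send_sms(user: UserState, code: str) -> None:
    """Hand the code to the (simulated) SMS gateway; the phone now holds it in advance."""
    user.outbox.append((user.phone, code))


def preload(user: UserState) -> None:
    """Enrolment: push the first code so the phone already holds one before the first login."""
    user.current_code = new_code()
    send_sms(user, user.current_code)


def authenticate(user: UserState, password_ok: bool, submitted: str) -> bool:
    """Check both factors: the existing password and the pre-loaded code."""
    if not password_ok or user.current_code is None:
        return False
    # Constant-time comparison so timing does not leak how many digits matched.
    if not hmac.compare_digest(user.current_code, submitted):
        return False
    # Success: the code is consumed (single use) and the next one is sent immediately,
    # so delivery happens during the session, not in the critical path of the next login.
    user.current_code = new_code()
    send_sms(user, user.current_code)
    return True
```

A replayed code is rejected because the server only ever holds the latest unused code; a failed password never rotates the code, so a wrong first factor cannot be used to burn through pre-loaded codes.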
I've invested far too much in tokens to change now
It's always going to be hard to justify writing off an investment. Yet that's the sensible thing to do if you don't want to continue hemorrhaging money supporting an old technology:
  • For starters, it is estimated that moving to SMS authentication will reduce ongoing running costs by 40-60 percent! This is substantiated by Gartner with its belief that "SMS OTP approaches the security of a dedicated hardware token, but at a lower cost and with higher convenience."
  • Due to their lifespan, you'll have to replace all your tokens within the next three to five years. With an SMS system, the majority of your users will already have a mobile phone. If for any reason a user does not have a mobile phone, a voice message can be sent instead to a number stored on the system.
  • There is the argument that people do misplace their mobile phones, but this is also true for physical tokens. It is people's attachment to their mobile that is the differentiator: research by YouGov recently revealed that a third of the population would notice they'd lost their mobile phone within 15 minutes and 60 percent would within the hour. The absence of any such attachment to a physical token can mean its loss isn't discovered until the user actually needs to use it, which could be hours, or even days, later!
  • Using automation, an SMS system can be set up in a day (an average of 300 users per minute) instead of six months. The existing employee database is used, with mobile numbers identified automatically. For records where a number is not listed, an email is automatically sent asking the user to self-enrol.
  • It can offer substantial benefits for organisations looking to reduce their carbon footprint: it would take 1673 trees to offset the emissions created in deploying 3000 tokens.
Goode Intelligence recognises that pre-loaded codes are changing the playing field, predicting that "40 percent of organizations plan to deploy services that will enable employees to use their mobile phone as an authentication device by the end of 2011."

This is substantiated by our own recent poll, conducted between November last year and January, in which 146 people were asked: 'Should SecurEnvoy add support for hardware tokens?' With an overwhelming 98 percent responding no, it's not just me that believes the physical token is dead.