With the explosion of mobile devices and mass migration to the cloud enabling remote access to business applications and data, the need for strong user authentication has never been greater.
Hardware tokens were an early front-line authentication method that became quite popular. However, they have proven to be a cumbersome, inefficient method of authenticating user identities. New technologies today are more secure, more user-friendly and much cheaper to use and manage – making them a “win win win”. In addition, these solutions can also increase user productivity compared to the old token solutions. IT professionals deserve to understand all their authentication options – with or without tokens – so that they can make the best decision for their organizations.
Pre-Defined vs. Challenge-Based
Pre-issued one-time passcodes are derived from a seed file that has to exist somewhere, and pre-issued passcodes are what most token-based authentication technologies use. This pre-issued approach makes them vulnerable to even simple hacking. In one form of malware attack, the user’s credentials, including the token code, are hijacked and sent to the hacker via instant message or other means. Because the original system has not yet seen the stolen code, the hacker can use that pre-defined code to log in, which leaves the one-time-password (OTP) solution vulnerable: the system’s security can be significantly compromised and the code exploited.
Remote employee logins become much more secure when using a challenge-based approach to token-free authentication. A challenge- and session-based real-time authentication solution, for example, only generates a code after the user session has been confirmed and the username and password have been validated as correct. This method offers visibility into which computer the login request is coming from (the session). The solution then links the code to that computer so that the code, received via mobile phone, can only be used on the computer from which the request was initiated. That is in sharp contrast to hardware tokens, whose codes can be used from any device or computer because, unlike the session-based option, they are not tied to a computer or session. Token-based authentication, or any pre-issued solution, by its very nature cannot match this level of security.
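The session binding described above can be illustrated with a small verifier. This is an added example written for this article, not SMS PASSCODE's code or protocol: the class name `ChallengeOtpServer`, the constructed user store `USERS`, the session identifiers and the two-minute lifetime are all assumptions made for illustration. It shows the three properties the text claims for a challenge-based code: no code exists until the first factor has been validated, the code is redeemable only from the session that triggered it, and it is single-use and short-lived.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 120   # assumed lifetime of a challenge code
OTP_DIGITS = 6


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 stand-in for whatever the real first-factor store uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store for the example: username -> (salt, password hash).
_SALT = b"constructed-salt-for-illustration-only"
USERS = {"alice": (_SALT, _hash_password("correct horse", _SALT))}


class ChallengeOtpServer:
    """Hypothetical challenge/session-based OTP issuer.

    A code is generated only after username and password have been validated
    for one specific session, and it is bound to that session: it can be
    redeemed once, from that session alone, and only before it expires.
    """

    def __init__(self, ttl: int = OTP_TTL_SECONDS):
        self.ttl = ttl
        # session_id -> (username, code, expiry time)
        self._pending: dict[str, tuple[str, str, float]] = {}

    @staticmethod
    def _password_ok(username: str, password: str) -> bool:
        record = USERS.get(username)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(stored, _hash_password(password, salt))

    def start_login(self, username, password, session_id, now=None):
        """Validate the first factor; on success issue a code bound to session_id.

        The code is returned so the example runs offline; a deployment would
        hand it to the SMS/voice delivery layer instead of the caller.
        """
        now = time.time() if now is None else now
        if not self._password_ok(username, password):
            return None                      # no challenge without a valid first factor
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[session_id] = (username, code, now + self.ttl)
        return code

    def verify(self, session_id, code, now=None) -> bool:
        now = time.time() if now is None else now
        entry = self._pending.pop(session_id, None)   # single use: consumed on first attempt
        if entry is None:
            return False                              # nothing was issued for this session
        _user, expected, expires_at = entry
        if now > expires_at:
            return False                              # stale challenge
        return hmac.compare_digest(expected, code)


def demo() -> dict:
    """Walk through the properties with fixed timestamps; returns per-check results."""
    srv = ChallengeOtpServer()
    t0 = 1_700_000_000.0
    results = {}
    results["no_code_on_bad_password"] = (
        srv.start_login("alice", "wrong", "sess-A", now=t0) is None)
    code = srv.start_login("alice", "correct horse", "sess-A", now=t0)
    # A code captured from session A is useless from another session.
    results["other_session_rejected"] = not srv.verify("sess-B", code, now=t0 + 5)
    results["own_session_accepted"] = srv.verify("sess-A", code, now=t0 + 5)
    results["replay_rejected"] = not srv.verify("sess-A", code, now=t0 + 6)
    code2 = srv.start_login("alice", "correct horse", "sess-C", now=t0)
    results["expired_rejected"] = not srv.verify(
        "sess-C", code2, now=t0 + OTP_TTL_SECONDS + 1)
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

The `now` parameter exists only so the lifetime check is deterministic in the walkthrough; in use it defaults to the clock. The contrast with a pre-issued code is that `verify` has nothing to look up for a session that never passed the first factor, so a code leaked from one machine cannot be redeemed from another.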
Counting the Total Cost
A hardware token-based system may seem less expensive at first, but hidden fees, maintenance, logistics and consultant costs are common add-ons. There are also staff costs to administer the system. All of these elements require financial outlay and should be factored into the total cost of ownership (TCO). To determine the final TCO of an authentication solution, use this TCO calculator (http://info.smspasscode.com/tco-report) for an accurate assessment of how much your solution will actually cost.
Calculate, for example, the time lost if an employee is unable to work due to a forgotten, broken, lost or stolen token. Hardware tokens typically cost between $50 and $300 just for the hardware. If you pay someone $30-$50 per hour, for example, and that employee loses one hour per month on average in lost productivity because he or she has forgotten the hardware token and cannot log in, that’s $600 per year in lost productivity. Your loss in productivity quickly becomes more costly than the entire solution itself.
Reclaiming Productivity
Suppose your organization introduces a solution that your system depends on in order to function, and then imagine that you have no way to control that dependency. The net result is typically a decrease in productivity. Should a user somehow lose a token, the user cannot log on and perform his or her job, and the company loses productivity due to this dependency. As an IT admin, you lose productivity as well, since you must manage the needs of those dependent on this system.
Dependencies make everyone’s job harder, so a more efficient method is to use mobile phones in the authentication process. The mobile phone is the number one item that individuals are most likely to remember to bring along with them. By using that device for authentication, you greatly increase productivity and, as described above, security as a result. With a token-based approach, even if it were free, you would be losing money because it would negatively impact your productivity. By integrating a token-free approach into your system, however, you increase your ROI and save money and time in a single move. This reduces downtime and leads to productivity gains.
Going Token-free for Ease and Speed
Physical tokens are cumbersome to use and easy to lose. Many IT admins have reported that their users never adapted to tokens and that tokens often went unused. In contrast, a token-free approach is much easier to use. People use their mobile phones’ texting capabilities every day, so the one-time password (OTP) received via users’ phones makes perfect sense and encourages security compliance. You can benefit from greater flexibility and convenience by implementing an authentication solution that includes multiple delivery options like SMS, voice calls and email to ensure reliability and trust in the system.
How does using an SMS to deliver the code affect the success of an authentication method, as opposed to hard tokens that display the code instead? If an OTP cannot be delivered via the primary delivery method, then a failover mechanism should automatically kick in and deliver the OTP via a secondary method. For example, if the system cannot send an SMS to your mobile phone, it should try with a voice call to your landline or Skype account. This increases efficiency and the certainty that OTPs will be delivered in a timely manner and that users will be able to log in. Ideally, an authentication solution should leverage contextual intelligence to automatically detect where the user is logging in from and dynamically choose the most appropriate OTP delivery method based on the user’s location. The reliability and configurability of this token-free approach offers convenience and ease of use not only to your employees but to the IT department as well.
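The failover and location-aware channel selection described above, as an added example that is not part of the original article and not SMS PASSCODE's implementation. The `OtpDispatcher` class, the `Contact` record, the rule that a login from outside the user's home country tries voice before SMS, and the simulated SMS outage in `demo()` are all assumptions constructed for illustration; a real deployment would plug in actual SMS, voice and email transports with the same `(address, code) -> bool` shape.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Contact:
    """Constructed contact record for one user (example data, not a product schema)."""
    username: str
    home_country: str
    mobile: Optional[str] = None
    landline: Optional[str] = None
    email: Optional[str] = None


# A transport accepts (address, code) and returns True when the message was accepted.
Transport = Callable[[str, str], bool]


class OtpDispatcher:
    """Tries delivery channels in a context-dependent order until one succeeds."""

    def __init__(self, transports: dict[str, Transport]):
        self.transports = transports

    @staticmethod
    def channel_order(contact: Contact, login_country: str) -> list[str]:
        # Assumed contextual rule: at home, SMS first; when the login comes from
        # another country, where roaming SMS is slower and less reliable, start
        # with a voice call. Email is always the last resort.
        if login_country == contact.home_country:
            return ["sms", "voice", "email"]
        return ["voice", "sms", "email"]

    @staticmethod
    def address_for(contact: Contact, channel: str) -> Optional[str]:
        return {
            "sms": contact.mobile,
            "voice": contact.landline or contact.mobile,
            "email": contact.email,
        }[channel]

    def deliver(self, contact: Contact, code: str, login_country: str):
        """Return (channel that delivered or None, list of (channel, outcome))."""
        attempts = []
        for channel in self.channel_order(contact, login_country):
            address = self.address_for(contact, channel)
            if not address:
                attempts.append((channel, "skipped: no address on file"))
                continue
            try:
                ok = self.transports[channel](address, code)
            except Exception as exc:          # a transport crash is just another failure
                ok = False
                attempts.append((channel, f"error: {exc}"))
                continue
            attempts.append((channel, "delivered" if ok else "failed"))
            if ok:
                return channel, attempts
        return None, attempts


def demo() -> dict:
    """Run three constructed scenarios and return the dispatcher's decisions."""

    # Simulated carrier outage: the SMS gateway rejects every +45 number today.
    def sms_gateway(number: str, code: str) -> bool:
        return not number.startswith("+45")

    def voice_gateway(number: str, code: str) -> bool:
        return True

    def email_gateway(address: str, code: str) -> bool:
        return "@" in address

    dispatcher = OtpDispatcher(
        {"sms": sms_gateway, "voice": voice_gateway, "email": email_gateway})

    alice = Contact("alice", "DK", mobile="+4512345678", landline="+4587654321",
                    email="alice@example.invalid")
    bob = Contact("bob", "US", mobile="+15551234567")
    carol = Contact("carol", "US", email="carol@example.invalid")

    return {
        # SMS fails because of the outage, voice call to the landline succeeds.
        "alice_home": dispatcher.deliver(alice, "482913", login_country="DK"),
        # Roaming login: voice is tried first and succeeds on the mobile number.
        "bob_abroad": dispatcher.deliver(bob, "117402", login_country="DE"),
        # No phone numbers on file: the only usable channel is email.
        "carol_home": dispatcher.deliver(carol, "930651", login_country="US"),
    }


if __name__ == "__main__":
    for name, (channel, attempts) in demo().items():
        print(f"{name}: delivered via {channel}; attempts={attempts}")
```

The attempt list is the piece an IT department actually wants: it records which channel failed and why, so a silent SMS outage shows up in logs as a spike of `("sms", "failed")` followed by voice deliveries rather than as a wave of users who simply could not log in.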
Another benefit of token-free authentication is ease and speed of set-up. A token-based approach can in some cases take over a year to implement, whereas token-free authentication can sometimes be implemented in less than a day.
A New Epoch in Authentication
Authentication is a business necessity, yet it cannot be treated like a mere commodity. It must be thoroughly researched to understand what will best meet your organization’s needs. Traditional token-based authentication brings with it high costs, reduced productivity, spotty user acceptance and susceptibility to even simple hacking like phishing. However, token-free multi-factor authentication reduces costs and IT burden while providing greater ease of use and security. All indicators point to the conclusion that the epoch of hard tokens is being replaced by the real-time convenience and efficiency of token-free multi-factor authentication.
About the Author
David Hald is a founding member of SMS PASSCODE A/S, where he acts as a liaison and a promoter of the award-winning SMS PASSCODE multi-factor authentication solutions.
Edited by
Stefania Viscusi