Most of us know what Two Factor Authentication is after all it has been with us for over 25 years. But while we have all been busy things have been changing slowly and steadily, especially when it comes to choosing whether to deploy hardware, software or out-of-band tokens.
Hardware or Physical Tokens
By far the most commonly deployed in the past has been the traditional keyfob or key-ring style token, widely in use by many of us to protect our personal or business banking. The device contains an algorithm incorporating a clock or a counter, which, in conjunction with a 'seed' is used to calculate the OTP according to a unique but predictable sequence. When a user enters this number it establishes to a reasonable level of certitude that they are in possession of the token, because the server which is authenticating the user also knows the value of the token’s seed, and using the same algorithm and the time or a counter can predict the next valid OTP value.
With the arrival of smarter and more capable cellphones, an alternative to the physical token began to appear about ten years ago. These typically take the form of an ‘App’ replicating the functionality of the hardware token in software, working, in the same way, to generate an OTP from a seed value in conjunction with time or an event counter, they can even be installed on our laptops and desktop computers. These software or ‘soft-tokens’ have a few distinct advantages over their hardware token equivalents, in that instead of users being forced to carry an extra piece of hardware, our smartphones are typically with us all of the time anyway hence, we don’t need to carry anything extra. Most of us rely so heavily on our phones that any loss is noticed almost immediately, not necessarily true for our hardware tokens. In the event of loss of the phone, there is no physical cost associated with replacement of the token, just re-deploying the ‘app’. Furthermore, with the capabilities of many of today’s smartphones, we are able to protect access to them with PINs, Passphrases, face recognition, fingerprints, voice and more, adding a further layer of protection to the device. But it is only in relatively recent years that Soft-Tokens have begun to see greater acceptance, most likely because of the prevalence today of smartphones which are capable of running such applications, everyone it seems has one.
SMS – Out-Of-Band
Yet another angle opens up when we consider the use of our smartphones, in fact, any cellular phone capable of receiving an SMS text message. At the point of authentication, it is possible to deliver an OTP by SMS Text Message to the registered cell phone of the user requesting authentication, considering that the phone is something the user has, this falls nicely into the category of a second factor. Great! This sounds like a perfect solution right? Well it too has some issues, SMS is not a guaranteed delivery mechanism, and depending upon location and cellular network coverage there may be a latency issue delivering the OTP. There is also a cost associated with the SMS.
So, why are we still using Hardware Tokens?
So when considering the options described above are people continuing to use hardware tokens or are they migrating in droves towards the use of Soft or SMS tokens? Well, having the second factor available potentially on the same device from which we are requesting access to our applications and data could perhaps represent a bit of a contradiction to the concept of the second factor of something you have. If you don’t have a PIN or some form or device lock on your phone, are you any better off? The answer is somewhat subjective. Consider walking into an office environment and seeing an empty cube, next to the workstation are a set of house keys with a key fob hardware token attached. Actually, this situation is really not that uncommon, we typically dump our keys on the desk and get up to grab a coffee. Sure, our workstation is still protected by our password and screen-lock, but is this all that different to the Soft-Token on a phone without PIN protection? Attempting to compromise the software delivered to our smartphones is complex but not necessarily impossible. Many protections are in place, with vendors restricting the deployment of Apps to devices directly from their ‘Application Stores’ where we trust that careful testing and validation are performed.
If you are interested in two-factor check out Defender, One Identity’s two-factor authentication solution supporting a wide range of tokens including hardware, software, and SMS. You can also request your free starter pack, which includes 3 hardware tokens, 25 software tokens and 25 user licences for 90 days.