Separate hardware no longer needed for two-factor authentication
By Meredith Gonsalves, Contributing Editor, AVISIAN Publications
In a digital age where more people are succumbing to the smart phone phenomenon and the desktop computer has become a thing of the past, the online world is literally at our fingertips. Technology has revolutionized the way the online marketplace conducts business and in turn enabled consumers to operate within this marketplace with ease and convenience.
Never again will an individual have to wait to access a computer to manage their bank account, access an office file or make a purchase on eBay. These functions are available on a variety of smart phones sweeping the nation, including the popular iPhones and BlackBerries. However, consumers and enterprises have found that this convenience comes with a price. Security breaches and identity theft pose even more of a threat now that online networks are more accessible.
User names and passwords, as well as other forms of single-factor authentication, are fraught with issues, but security companies have struggled to deploy easy ways for consumers to achieve higher security. Two-factor security, something you have in addition to something you know, has commonly been used by corporations to protect network access.
The second factor has traditionally been a one-time password (OTP) token that generates a random key to be entered along with user name and password. Today these separate hardware tokens are being replaced by software loaded onto mobile devices like iPhones and BlackBerries. The software works the same way as the hardware token, with the device generating the random number, or OTP.
Companies such as RSA, VeriSign and Vasco that traditionally sold the hardware tokens are beginning to offer the software for mobile devices.
The infrastructure that would enable a consumer to use this two-factor authentication for access to bank accounts or retailers isn’t in place. A study by Javelin Strategy showed weak customer satisfaction with the hardware token. “We consistently found hardware tokens ranked at the bottom of the list. From a customer standpoint, they simply found it ineffective,” said Robert Vamosi, fraud and security analyst at Javelin.
The new software token is said to eliminate some of the cost and convenience concerns. Individuals no longer have to carry around a separate token because the software is embedded in the smart phone. Vasco, VeriSign Technologies and RSA have each released a software-based technology for mobile phones. Javelin Strategy recently rated VeriSign’s VIP Access and RSA’s SecurID systems “Best in Class” for authentication technology. Both companies have claimed that this development has changed the way consumers use two-factor authentication security.
“People love the merging of the two devices. The great thing about [the software token] is that it is connected to something you have every day, your phone,” said Rachael Stockton, principal product manager at RSA.
How it works
OTP systems require two components: the credential, which is either the hardware token or an application stored on the phone, and the back end system that validates the credential.
The end user registers the credential with their username and password within the enterprise. When the end user accesses an application, he or she provides the username and password along with the one-time passcode from the credential.
After the passcode is entered into a site, it is checked against the back end system to determine whether access should be granted or a transaction approved. The back end system need only validate the second factor, so it can be an anonymous service that holds no personal information and no usernames or passwords.
The mobile software token consists of two parts: the application that is downloaded to the smart phone, and the “seed”, the secret behind the application. From the seed the application generates a new passcode every 60 seconds without worry or bother to the user. “You can have a case where a user isn’t even aware that the software is working for them because there is no typing involved,” said Kerry Loftus, vice president of authentication at VeriSign.
In addition, the seed enables the software to be re-provisioned in the event that the phone is lost or broken. Compare this to a hardware token, which a user would have to buy anew if it were lost. The software token requires a one-time purchase upon downloading along with a yearly service fee; however, RSA and VeriSign claim overall cost will decrease because there is no cost of hardware replacement.
The seed in both VIP Access from VeriSign and SecurID from RSA embeds all the functionality of the hardware token, so the level of security is the same. The added convenience of software, however, has mainstreamed the product. Enterprises that originally used the hardware token now see the value in migrating to the software tokens, according to VeriSign. Conversely, both VeriSign and RSA have encountered companies that were initially put off by the cost of the hardware token but are now interested in using the software token.
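To make the two components concrete, here is an added example that is not code from the article, RSA or VeriSign: a time-based one-time passcode derived from a seed (the open OATH TOTP construction of RFC 6238, using the article's 60-second step; the vendors' own token algorithms are not described on the page, so the algorithm choice is an assumption), plus a small back end that holds only credential-id-to-seed mappings, as the article says the validating service can. The relying application checks the password itself and asks the OTP service only about the second factor. The seed, the user directory and the credential id are constructed sample values, not real credentials.

```python
import hashlib
import hmac
import struct
import time

# Constructed sample seed (the RFC 4226/6238 test secret "12345678901234567890").
# In a real deployment the back end generates the seed and provisions it into
# the phone application at enrolment; it is never a fixed public value.
SEED = b"12345678901234567890"
STEP_SECONDS = 60   # the article's "new passcode every 60 seconds"
DIGITS = 6


def totp(seed: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated.

    Because the code is a pure function of (seed, time), re-provisioning the same
    seed onto a replacement phone reproduces exactly the same passcodes.
    """
    counter = unix_time // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpValidator:
    """Anonymous second-factor service: knows seeds by credential id only."""

    def __init__(self, window: int = 1):
        self.seeds = {}           # credential_id -> seed
        self.last_counter = {}    # credential_id -> highest accepted time step
        self.window = window      # accepted clock drift, in steps, either side

    def enrol(self, credential_id: str, seed: bytes) -> None:
        self.seeds[credential_id] = seed

    def verify(self, credential_id: str, submitted: str, now: int) -> bool:
        seed = self.seeds.get(credential_id)
        if seed is None:
            return False
        current = now // STEP_SECONDS
        for delta in range(-self.window, self.window + 1):
            counter = current + delta
            # A code is one-time: never accept a step at or before the last accepted one.
            if counter <= self.last_counter.get(credential_id, -1):
                continue
            expected = totp(seed, counter * STEP_SECONDS)
            if hmac.compare_digest(expected, submitted):
                self.last_counter[credential_id] = counter
                return True
        return False


# Constructed sample user directory for the relying application. It stores the
# password hash and a credential id, never the seed; the OTP service never sees
# the username or password.
_SALT = b"constructed-salt"
USERS = {
    "alice": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000),
        "credential_id": "cred-0001",   # constructed id
    },
}


def login(validator: OtpValidator, username: str, password: str, otp: str, now: int) -> bool:
    """Two-factor login: something you know (password), then something you have (token)."""
    user = USERS.get(username)
    if user is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    if not hmac.compare_digest(candidate, user["pw_hash"]):
        return False
    return validator.verify(user["credential_id"], otp, now)


if __name__ == "__main__":
    service = OtpValidator()
    service.enrol("cred-0001", SEED)
    now = int(time.time())
    code = totp(SEED, now)                  # what the phone application displays
    print("login:", login(service, "alice", "correct horse", code, now))
    print("replay of same code:", login(service, "alice", "correct horse", code, now))
```

The replay guard is what makes the passcode genuinely one-time within the drift window: a second submission of an already accepted code is refused even though it is still "current". Widening `window` tolerates more phone clock drift at the cost of accepting older codes, which is the trade-off a deployment has to tune.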
“Originally we saw popularity among the service industries: consulting, accounting, law and financial institutions. Then the health care and pharmaceutical industry showed interest. Now we find it to be horizontal, where everyone is beginning to use the software,” said Stockton.
An increasing number of enterprises are using BlackBerries and iPhones as business tools and are therefore looking to accommodate these newer devices while maintaining the security of their existing systems.
Stockton attributes the pickup in sales to the smart phone craze. When the new iPhone was released, RSA saw immediate interest from its customer base. “We were getting calls from existing and potential customers asking if the iPhone would support SecurID,” said Stockton.
This expansion has made it easier to apply these tokens to a variety of mobile systems, and therefore reach a much larger consumer demographic.
When it comes to reaching general consumers, a study by Javelin Strategy found that customers rated two-factor authentication technology the most effective security solution, with 14% saying it would increase their online shopping. Javelin analyst Vamosi said, however, that for the system to take off, validation from a big player such as Amazon would be necessary to mainstream the software token.
Stockton agreed, saying that the mobile token will really increase Web purchases if more and more retailers offer it as an option.
Vamosi says it may take some time for widespread adoption of the product: “It is kind of like PayPal where it existed for a while and then took off after big players implemented it.”
It is the usability and convenience of the mobile token that has attracted the positive response, and the popularity of smart phones that has broadened interest among new industries and consumers. Deploying tokens on mobile phones enables users to passively protect their secure information when banking, shopping or conducting business online, on a device that no one leaves home without.