Tokens vs tokenless
12 February 2010
These days, it is widely accepted that two-factor authentication (2FA) is essential to secure remote access to sensitive information on the corporate network. And with the increase in remote and home working for greater flexibility, a better work/life balance and cost savings, the demand for 2FA is on the increase.
Once the decision has been made to deploy 2FA, the next question is whether to go for a solution based on hardware tokens or opt for a tokenless approach that makes use of mobile phones. Vendors that offer only a tokenless solution would have us believe that tokens will soon be replaced by tokenless authentication, which has led to much debate about the pros and cons of each. But is it really a case of one or the other?
Dedicated tokens – such as those produced by market leader RSA – display a one-time passcode that changes at a fixed interval, typically every 60 seconds, and have been the traditional approach to 2FA for many years. More recently, tokenless solutions have been heavily promoted, mainly because they can deliver one-time passcodes on demand to a standard mobile phone or a smartphone such as the popular BlackBerry. After all, most people already carry one of these devices with them most of the time.
A tokenless solution therefore eliminates the need to carry a separate piece of hardware – albeit usually attached to a key fob – and reduces the costs and time associated with provisioning new and replacement tokens. Sounds ideal; but it’s not the full picture and the simple truth is that tokens remain the best solution for frequent users who rely on getting secure remote access to systems and information from any computer at any time.
Road warriors, home workers or systems engineers, for example, often log into many different portals every day and requesting or obtaining passcodes from a mobile phone or PDA is far too much hassle.
What’s more, tokens are not tied to a particular platform such as Windows, and they do not depend on the security of the mobile phone network, on good network coverage or on the battery life of the phone; a passcode sent by SMS travels over a channel the organisation does not control. Tokens are also more robust: RSA tokens will keep working after being dropped from a great height or falling into a glass of water. The same is not true of a mobile phone.
It is much easier and more reliable for frequent users to carry a token that automatically and continuously generates passcodes for immediate access. And when it comes to cost, frequent users can quickly run up SMS charges by requesting passcodes on a mobile phone or PDA.
But this is not to say there isn’t a place for tokenless authentication: it is ideal for infrequent or temporary users and for those who simply do not want to carry a separate device. Because it requires an additional request stage (the user asks for a code, and the server generates one and sends it to the phone), tokenless authentication is best suited to occasional users, contractors, part-time staff and those checking email from home, for example. It can also provide temporary Extranet access to other departments, professionals and partners, or to sensitive online services such as HR, e-commerce or health information. Short-term remote access to the corporate network is also valuable in emergency scenarios caused by bad weather, strikes or terrorist threats, for instance.
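To make the two flows concrete, here is an added example contrasting a token that continuously generates time-based passcodes (the 60-second codes described above) with a tokenless server that issues a random single-use code only when the user requests one. This is illustrative code written for this page, not RSA’s proprietary SecurID algorithm and not any vendor’s product: the token side uses the open RFC 6238 TOTP scheme (HMAC-SHA1 over a time counter), and the on-demand side is a minimal in-memory issuer standing in for an SMS gateway. The 60-second step, the five-minute validity, the ±1 step drift window and all function and class names are assumptions of the example.

```python
"""Added example: time-based token codes vs on-demand (tokenless) codes.

Illustrative only: RFC 6238 TOTP for the token side (not RSA's own
algorithm) and a toy single-use code issuer for the tokenless side.
Step sizes, validity periods and names are assumptions.
"""
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    ) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 60, digits: int = 6) -> str:
    """RFC 6238 TOTP: what the token displays is hotp(secret, floor(time / step)).

    With step=60 the code changes once a minute, as the article describes;
    the token needs no network, only a shared secret and a clock.
    """
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, code: str, at_time: float, step: int = 60,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check that tolerates +/- `window` steps of clock drift
    between token and server. Constant-time comparison avoids leaking how
    many digits matched."""
    counter = int(at_time) // step
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + drift, digits), code):
            return True
    return False


class OnDemandCodes:
    """Tokenless flow: the user first requests a code, the server generates a
    random one, stores it with an expiry and sends it out of band (SMS or
    e-mail). That extra request stage is why the flow suits occasional users."""

    def __init__(self, validity_seconds: int = 300, digits: int = 6) -> None:
        self.validity = validity_seconds  # assumed five-minute validity
        self.digits = digits
        self._pending = {}  # user -> (code, expiry time)

    def request(self, user: str, now: float) -> str:
        """Issue a fresh code. It is returned here so the example can 'send'
        it; a real deployment hands it to an SMS gateway, not to the caller."""
        code = "".join(secrets.choice("0123456789") for _ in range(self.digits))
        self._pending[user] = (code, now + self.validity)
        return code

    def verify(self, user: str, code: str, now: float) -> bool:
        """Single use: the stored code is removed on any attempt, so a replayed
        code fails and a wrong guess forces a new request instead of
        allowing unlimited retries against the same code."""
        entry = self._pending.pop(user, None)
        if entry is None:
            return False
        expected, expires = entry
        if now > expires:
            return False
        return hmac.compare_digest(expected, code)


if __name__ == "__main__":
    import time
    shared_secret = b"12345678901234567890"  # constructed demo secret
    now = time.time()
    shown = totp(shared_secret, now)  # what the token would display right now
    print("token shows", shown, "accepted:", verify_totp(shared_secret, shown, now))
    issuer = OnDemandCodes()
    sent = issuer.request("alice", now)  # would go out by SMS
    print("on-demand code", sent, "accepted:", issuer.verify("alice", sent, now + 30))
```

The two `verify` functions show the operational difference the article draws: the token check needs only the shared secret and the current time, while the on-demand check cannot succeed until a request has been made and the code has reached the user, and the code dies after one use or after its validity window.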
The reality is that it’s a case of ‘horses for courses’, depending on the organisation, the user’s working requirements and the data and applications they are accessing. In fact, for most organisations the question shouldn’t be which option to go for, but what combination of token and tokenless 2FA they need.
The ability to mix both token-based and tokenless two-factor authentication within an organisation means that authentication can be tailored to meet specific needs, budgets and working patterns. But, having realised the benefits of deploying both token and tokenless 2FA, the problem organisations will face is that most two-factor authentication vendors will only offer one or the other.
Deploying two-factor authentication as a hosted service removes this hurdle, along with the hassle of setting up, deploying and managing both token and tokenless two-factor authentication in-house. Using a cloud-based service means that organisations can reap the benefits of both options and choose the right authentication method for each group of users. A hosted authentication service also offers proven security and guaranteed reliability along with a lower total cost of ownership, and, when it comes to tokens, it takes on the logistics of distributing and replacing them, ensuring fast, reliable and flexible service delivery.
So yes, the death of the token is greatly exaggerated. Delivered as a service in the cloud alongside tokenless options, tokens will remain the most reliable choice for many users. While the battle between the token and tokenless vendors suggests that customers have to choose one or the other, the simple truth is that organisations need to take a flexible ‘best of both’ approach that meets the requirements of different types of user.