Dual-factor authentication (also known as two-factor authentication or T-FA) is the recommended security standard for enterprises across verticals. The RBI has also set T-FA as a guideline for banks offering mobile payment services. T-FA adds a dynamic PIN to the password, making the IT system access procedure more secure.
T-FA generally works well within enterprises; however, concerns crop up when employees on the go try to access corporate data remotely. Until now, the token-based model has been the prevalent means of remote access to corporate data. Since the introduction of the mobile-based, token-less model, however, tokens have faced a tough challenge, as a mobile-based system is more reasonable in terms of both deployment cost and convenience.
“On the cost side, according to a study done about two to three years after deployment, the token-less model is up to 50 percent more cost effective and in some cases about 60-65 percent more effective,” says Nitin Kathuria, director-Operations and Strategy, Lancers e-Risk Solutions, the Indian reseller for SecurEnvoy, the company that provides mobile-based T-FA.
Abhijeet Upponi, head-IT, Fullerton, said that the IT architecture at Fullerton is ready to provide mobile-based dual-factor authentication services to around 4,000 employees operating from about 800 branches in India. The project will be rolled out very soon. “Due to the credit crunch in the market, we have put the project on hold; however, once the situation settles down we will be ready to implement the service,” said Upponi.
Synchronisation – A Major Hurdle
The main challenge faced by companies currently using token-based authentication is that users often forget to carry the tokens or, for that matter, the card reader. The user has to carry the card reader while accessing the corporate systems via a laptop, a desktop or any other PC. The probability that users will forget their mobile phones is far lower.
Another fundamental challenge facing companies that opt for token-based authentication is the tedious registration process, with its hardware and software requirements, followed by synchronisation hurdles. The token-less model, on the other hand, allows approximately 1,000 registrations per hour, without any additional hardware deployment.
Another factor is the cost of ownership, which is very high in the case of the token-based approach. For example, if a token is lost, physical delivery of a new token and a repetition of the registration process is time- and resource-consuming and carries a cost as well (the cost of the token). The token-less approach does away with these practices.
A technical challenge associated with the token-based model lies in synchronising the server with the passcodes generated by the token every time it is used. In the token-less model, the server automatically synchronises with the passcode generated for the mobile, so the authentication requests sent to the server are processed automatically. The token-based system uses a pseudo-random number generator, while the token-less one generates a real-time random number, which proves to be more secure.
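To make the synchronisation point concrete, here is an added illustration (not code from the article, from SecurEnvoy or from any vendor named here). It assumes an RFC 4226 HOTP counter-based token as a stand-in for the token-based model, where the server must tolerate counter drift and resynchronise, and a server-generated, single-use, expiring code delivered out of band as a stand-in for the token-less model, where nothing has to be kept in step.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TokenServer:
    """Token-based model: the server keeps its own copy of the counter and
    must stay in step with the hardware token.  If the user pressed the
    button a few times without logging in, the counters drift apart, so the
    server searches a look-ahead window and resynchronises on success."""

    def __init__(self, secret: bytes, window: int = 5):
        self.secret, self.counter, self.window = secret, 0, window

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1   # resync: never accept this counter again
                return True
        return False               # outside the window: manual resync needed


class SmsServer:
    """Token-less model: the server itself draws a fresh random passcode,
    hands it to the SMS gateway, and later checks it.  No shared counter,
    so there is nothing to synchronise; the code is single-use and expires."""

    def __init__(self, ttl_seconds: int = 300):
        self.pending = {}          # user -> (code, expiry timestamp)
        self.ttl = ttl_seconds

    def issue(self, user: str, now: int) -> str:
        code = f"{secrets.randbelow(10 ** 6):06d}"   # CSPRNG, not a PRNG
        self.pending[user] = (code, now + self.ttl)
        return code                # in practice passed to the SMS gateway only

    def verify(self, user: str, code: str, now: int) -> bool:
        entry = self.pending.pop(user, None)         # single use
        if entry is None or now > entry[1]:
            return False
        return hmac.compare_digest(entry[0], code)
```

The window in `TokenServer.verify` is the synchronisation hurdle the text describes: too small and a few idle button presses lock the user out, too large and an attacker gets more guesses per attempt.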
Pros and Cons
Currently, authentication models in use include tokens, USB devices and smartcards, among others. These have been around for over twenty years. The models have evolved with time; however, the token-less (mobile-phone based) model is easier to adopt from the user’s perspective without compromising on security.
One of the major advantages of the token-less model is its ease of deployment compared to token-based authentication. The user does not have to download separate software on the mobile. The service is SMS-based, with various customisable features to offer the same quality of service in areas with weak signals. The SMS travels over the signalling channel, which has 128-bit encryption, and not over the data channel. The point that can go against SMS (as a password delivery medium) is the possibility of late delivery in the case of a weak signal.
However, if the service provider does not operate in the country where the user is travelling (or has no partnership with any other service provider within that country), it can prove to be a disadvantage. “In case of the token-based model, there is no such constraint as it has an algorithm that keeps generating a one time passcode every time the user accesses the system,” says Saurabh Kaushik, manager, Information Security, CRISIL.
The token-based model requires extra pieces of hardware to be set up before users can be registered, whereas the token-less model offers mass user registration in minimal time using the Windows 2000/2003 server already in use at many organisations. The solution also supports integration with Web-based portals for Internet- or Intranet-based applications, irrespective of the type of Web server being used (such as Apache, UNIX or any other Web server).
“I had the experience of implementing this service during my previous job engagement; however, it was restricted to the administration level there. They were accessing the services on PDA devices where the user had to enter a PIN and an additional passcode to access the corporate systems,” says Upponi.
A Mixed Perspective
Even though the token-less authentication system seems to be gaining popularity, some enterprises are sticking to the token-based model while adopting a ‘wait and watch’ strategy. Yateen Chodnekar, head IT, Deutsche Bank, says, “We have provided RSA tokens to about 1,000 employees across India; however, there are no plans to adopt the token-less model unless it is proven, trusted and emerges hack proof.” The RSA tokens allow dual-factor authentication using a SecurID code and a password.
Subhojit Roy, CIO, SBI Mutual, has a different perspective. He says that the data reachable through either a token-based or a token-less system should be classified as critical or non-critical. Organisations should not allow access to all corporate systems; they should select those that the mobile workforce requires and offer limited access. There should be a proper trade-off between data access and security. According to him, SBI Mutual may adopt the token-less model in the months to come.
While the token-less versus token-based debate rages on, Lancers e-Risk Solutions is planning to go a step further and launch managed secure authentication services in India by year-end, targeted specifically at SMEs.