Comparing the Security of Traditional Tokens with SecurEnvoy


Code Visibility

Traditional Tokens

A token permanently displays a valid token code that is visible to anyone near the token.

SecurEnvoy

SecurEnvoy SecurAccess would require the mobile phone to be powered on, possibly a PIN entered to unlock the phone, the SMS message store to be located and the message found, then the message opened and the attacker to know what to do with the code.


Managing lost or compromised tokens / phones

Both tokens and SecurEnvoy solutions can be disabled from the server end once the device has been reported missing. The question is which device would be reported missing first: a piece of plastic that is only used for remote access and that the user has been forced to carry, or their mobile phone, which is very personal to them and frequently used.

Consider a member of your staff going on holiday and having their token stolen at the airport. They are unlikely to miss this token until they next need to use it, which could be many weeks or months. However, if their phone is stolen they will realise this within hours and, more importantly, will make the effort to report it missing to prevent escalating costs.


1st Factor Options

Traditional Tokens

Most tokens typically require the use of a 4-digit PIN that never changes.


SecurEnvoy

SecurEnvoy supports either a 4 to 8 digit PIN or reusing an existing domain password. Most customers prefer to use their domain password as their PIN. In most cases this is their Windows password, which is usually 6-8 characters, alpha-numeric and changes every 30 days. Not only is this password easier for the user to remember, it is also more secure than a static 4-digit PIN that may not have changed in years.


Conclusion

From a security perspective the second factor device in a two factor authentication solution should be as personal to the user as possible; if it were possible, this device should be glued to them. A plastic token, which the user is forced to carry, is only used for remote access and in many cases is only used occasionally, is not as secure as a regularly used mobile phone. As users use their mobile phone more frequently than a token, they are more likely to know where it is and much more likely to report it missing if stolen. If for any reason someone manages to retrieve a passcode from a user's phone, they will still need to know the PIN or Windows password to log on. The hacker will only get one attempt at getting the PIN/password correct, at which point the system will generate a new 6-digit passcode to be sent to the user's phone, alerting the real user to an illegal logon attempt, whereas with a token the user would never know if someone had tried to use one of their codes.
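The single-attempt behaviour described above (a failed first-factor check burns the current passcode, issues a fresh one and thereby alerts the real user) is modelled here as an added illustration. This is not SecurEnvoy's code; the class name, the in-memory user store and the recorded "SMS" delivery log are assumptions made for the example.

```python
import hmac
import secrets

DIGITS = 6  # passcode length described on the page


class SmsPasscodeAuthenticator:
    """Hypothetical two-factor checker: first factor (PIN or domain password),
    second factor (6-digit passcode delivered by SMS). Any failed attempt
    discards the outstanding passcode and sends a new one, so the legitimate
    user sees an unexpected message and learns of the attempt."""

    def __init__(self, users):
        # users: {username: first-factor secret}. Constructed in-memory store.
        self._users = dict(users)
        self._passcodes = {}   # username -> currently valid passcode (one-time)
        self._sent = []        # (username, passcode) deliveries, stands in for SMS

    def issue_passcode(self, user):
        code = "".join(secrets.choice("0123456789") for _ in range(DIGITS))
        self._passcodes[user] = code
        self._sent.append((user, code))   # "send" the SMS
        return code

    def verify(self, user, first_factor, passcode):
        expected_ff = self._users.get(user)
        expected_code = self._passcodes.get(user)
        # Constant-time comparisons so a mismatch position leaks nothing via timing.
        ff_ok = expected_ff is not None and hmac.compare_digest(
            expected_ff.encode(), first_factor.encode())
        code_ok = expected_code is not None and hmac.compare_digest(
            expected_code.encode(), passcode.encode())
        if ff_ok and code_ok:
            self._passcodes.pop(user)     # passcode is single-use
            return True
        # One attempt only: burn the passcode and issue a replacement, which
        # lands on the real user's phone and flags the failed attempt.
        if user in self._users:
            self.issue_passcode(user)
        return False

    def messages_sent_to(self, user):
        return [code for u, code in self._sent if u == user]
```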

Second factor devices should not be stored with the device that would be used to log on. Many users leave their tokens in their laptop bags, which is very much like gluing your car keys to your car, as opposed to a mobile phone, which is almost certainly kept close to the user and separate from their laptop.