Are security tokens still relevant?securenvoy 12/03/2013, Archive
The world of IT seems to like four-letter abbreviations: WLAN, SNMP, HTML – and the latest offering BYOD (Bring Your Own Device). Accessing corporate networks and data using private end terminals has, however, been an issue that has had many IT managers and managing directors scratching their heads. “How can we enable secure access for mobile devices without endangering our data?” One suitable approach is the use of a double layer of security which involves identifying users by means of tokenless two-factor authentication. This approach combines personal log in details, as the first factor, and a dynamic passcode received by smart phone, tablet or other mobile device, as the second.
Working with private computers and other devices for business reasons is becoming increasingly common. As revealed in the latest survey by industry association BITKOM – “The most important technology and market trends according to ICT companies“, 27% of all the businesses that took part are currently focusing on the issue of BYOD. And there is also considerable interest in mobile applications (48%) and the issue of IT security in general (33%). Two important requirements clash when it comes to BYOD: for employees the greatest possible flexibility is desired, together with a straightforward login process, whilst for employers it is important to ensure the best possible security for networks and data.
Double layer of security
As IT security measures have developed, and in particular with regard to identification processes, security experts have started combining multiple mechanisms. This is the case with two-factor authentication - in order to allow unambiguous identification, at least two of three possible security factors are required, with these three factors being:
- • Something known only to the user (e.g. password or PIN);
- • A tangible item that the user alone possesses (e.g. a mobile phone);
- • Something that is intrinsically connected to the user (e.g. iris of the eye).
An everyday example is taking out money from an ATM – the customer needs his/her personal bank card and a PIN to enact a successful transaction. The drawback in this case is that the bank card (or token, in terms of corporate network terminology) must always be carried around by the user. In addition to this issue, the costs relating to the use of tokens should not be underestimated by companies. In this context, managers must take into account costs relating to initial procurement of the tokens and also for issuing replacements in the case of loss or theft.
Drawing on existing resources
Modern solutions go a step further and work on the principle of “BYOT”: Bring your own token. Instead of using additional tools, such applications make use of existing devices as access tools, with these in this particular case being mobile devices. The advantage with this approach is that smart phones have become an almost constant companion for most people anyway in their everyday lives. And at work most employees usually have their mobile phone, tablet or laptop with them.
In order to enable secure and unambiguous identification, BYOT solutions combine a “passcode factor” and a “personal log in details factor“. For the latter, the user has a personally-defined user name and password, as well as a personal access licence. And for the first factor, the user is sent a dynamically generated, one-time valid, numeric passcode to his or her mobile device, by SMS, e-mail or via an app. Companies do not therefore have to install additional software or hardware on devices, where staff use not only company devices but also private devices for accessing internal data. This avoids the risk of employees feeling that they are being imposed upon by having to install additional software on their private devices.
Integrated expiry date
When the user enters his/her passcode while logging in, that particular sequence of numbers expires as soon as it has been entered and the system automatically generates a new code and sends this to the user’s mobile device. The same principle applies in the case of incorrect entries when logging in. It is possible to define how many incorrect logins are permitted before access is completely denied. Alternatively users can be sent a re-usable passcode for a predefined length of time that automatically expires with a new combination of numbers being periodically resent one day before it is required. This replacement of codes ensures that a valid passcode is always available and that acute transmission problems in mobile phone networks do not prevent successful execution of the log in process.
Two-factor authentication in practice
A two-factor authentication approach as described here has been implemented for example at T-Mobile. The company was in fact the first mobile phone operator to implement a solution that utilises mobile telephones for remote authentication. This allows staff to identify themselves, regardless of location, using a mobile telephone, a password and a dynamically generated passcode which is sent to the mobile device. As each employee is the only person that knows both of his or her respective factors, third parties have no way of accessing the network and stealing data. A total of 15,000 employees now work with the tool, and managers have noted that this had led to significant time and cost savings, as the expensive acquisition of additional hardware tokens is not required. Furthermore, it is not necessary to conduct time-consuming training sessions.
Companies that use two-factor authentication benefit from a double layer of security, as the log in process combines a user-defined user name and password with a dynamically generated passcode plus a user licence. So even if the password is discovered by someone else, third party access is still prevented because the other factors remain unknown. Such solutions are also attractive in terms of cost, as the company only has to invest in the central application, and the expensive acquisition of additional tokens is not required.