Is Security Being Strangled by the upcoming Token Necklace?
securenvoy, 18/10/2011, Archive
SecurEnvoy looks at the phenomenon of the physical token, and asks whether increased application of these physical tokens could create user apathy
You don’t need me to tell you that our online identity is under attack. Security is a major issue as every organisation struggles with the precarious balancing act of opening up its perimeter, to facilitate third party interaction, while defending this virtual boundary.
Before continuing let’s first take a moment to capture the enormity of the problem:
- We want to be able to work wherever we happen to find ourselves rather than be restricted to a physical building
- We want to use whatever device we happen to have in our hands
- We want to do it 24 hours a day: online banking, shopping, ordering repeat prescriptions and completing tax returns - the list goes on
For each of these tasks, the likelihood is we will need to create a user account. Yet all too often it’s been proven that the basic protection afforded by a username, in combination with a password, is woefully inadequate. I’m sure I’m not alone in receiving emails from friends suggesting I need ‘enhancements’, sent after their email account has once again been compromised.
For organisations the repercussions can be far more damaging. The frequency of data breaches is just one indication that this is a growing problem that many are yet to get to grips with.
So, how can organisations strengthen these vulnerable virtual applications and access points?
Two Kinds of Evidence
From a security perspective, the simple concept is that you trust the person accessing the application - you just need them to be able to prove that they are who they claim to be. As we’ve witnessed, passwords can be cracked or even guessed, so a stronger model is needed.
This is where two-factor authentication has stepped up to the plate. In its very basic sense, it is the combination of two different elements from a choice of three:
- Something you know – such as a PIN or password
- Something you own – such as a key, token or the chip embedded in a credit card
- Something specific to the person – such as a fingerprint or retina scan
I’d like to clarify, at this point, that entering certain characters from a memorable phrase does not constitute two-factor authentication. The phrase is still something you know, so it merely duplicates the first factor.
While something specific to the person - or biometrics, as it’s widely referred to - is close to foolproof, it requires dedicated hardware, which often makes this element a non-starter: a physical reader would need to be installed at every entry point, which is either very expensive or impractical given the flexibility our technical society demands. There’s also the further complication of designing a solution today that’s capable of accommodating the devices of tomorrow.
It’s not surprising, therefore, that when introducing a two-factor authentication solution it is the first two elements that are the most common combination employed.
Token necklaces – how to access the High Street
However, while the amalgamation of something you know and something you own seems a no-brainer, the reality is less practical – because it’s becoming the time of the token necklace ready to weigh you down!
Many employees who access their corporate network will already be familiar with a physical token or key. For consumers, high street banks are increasingly adopting two-factor authentication for their online banking services - HSBC being the most recent to supply each of its customers with what it calls an HSBC Secure Key.
Yet if every organisation that allows individuals to access its systems first issues them with a physical token, that’s an awful lot of pieces of plastic – which could in time amount to dozens of physical tokens weighing you down, especially if each person has one for their bank, the NHS, HMRC for tax returns, utility companies to access and pay bills, their employer, and so on.
We’d end up as a nation chained down by our token necklace.
Additionally, there’s the expense of each of these little pieces of plastic – not just in monetary terms as they’re not free, but also to the planet in production, disposal and deployment. The environmental cost for producing and distributing 4,000 tokens works out at around 4.3 million tonnes of CO2 or, for those who like a visual representation, that’s the equivalent of chopping down 240 million trees!
Physical Token Apathy
However, the biggest issue simply is end-users don’t like them.
Organisations already struggle with users either forgetting or losing their physical tokens. Each instance results in a call to a help desk to allow one-time access. In the case of a lost token, a replacement has to be issued resulting in wasted time, postage and the expense of the device.
Imagine this replicated not just for employees, but for every person that accesses your service.
What about all of us, as consumers? Imagine the frustration of not being able to pay an electricity bill because that particular token had been left at home. That’s assuming we can identify which one is for which service in the first place!
SMS technology is the logical alternative
We’ve made what I’m sure you’ll agree is a compelling case for two-factor authentication, only to blow it apart. But don’t get me wrong: we’re not condemning two-factor authentication – just physical tokens.
Practically every pocket holds the perfect key - SMS technology on your mobile phone.
Organisations can easily utilise existing mobile technology – whether corporate or personally owned – to replicate a physical token. A passcode is sent to the user’s mobile phone as a text message, turning the mobile into a ‘soft’ token.
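The passcode flow described above, as an added example that is not SecurEnvoy’s own code: the server issues a random one-time code, sends it to the user’s phone, and accepts it only once, within a short window and a limited number of attempts. The send_sms function, the in-memory store, the server key and the phone numbers are constructed stand-ins, not any real gateway or product API.

```python
import hashlib
import hmac
import secrets
import time

# Added illustration of an SMS 'soft token': the server keeps only a keyed
# hash of the pending code plus its expiry, and the user proves possession
# of the phone by typing the code back. send_sms is an assumed stand-in for
# whatever SMS gateway an organisation actually uses.
CODE_LENGTH = 6
LIFETIME_SECONDS = 120
MAX_ATTEMPTS = 3
SECRET_KEY = b"constructed-server-side-secret"  # would come from config/KMS

_pending = {}       # user_id -> (code_hash, expires_at, attempts_left)
sent_messages = []  # captured here instead of a real gateway


def send_sms(phone_number, text):
    sent_messages.append((phone_number, text))


def _hash_code(user_id, code):
    # Keyed hash bound to the user, so a leaked table of pending codes
    # cannot be brute-forced offline without the server key.
    return hmac.new(SECRET_KEY, f"{user_id}:{code}".encode(), hashlib.sha256).hexdigest()


def issue_passcode(user_id, phone_number, now=None):
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** CODE_LENGTH):0{CODE_LENGTH}d}"
    _pending[user_id] = (_hash_code(user_id, code), now + LIFETIME_SECONDS, MAX_ATTEMPTS)
    send_sms(phone_number, f"Your passcode is {code}. It expires in {LIFETIME_SECONDS // 60} minutes.")
    return code  # returned only so the example can simulate the user typing it in


def verify_passcode(user_id, submitted, now=None):
    now = time.time() if now is None else now
    entry = _pending.get(user_id)
    if entry is None:
        return False
    code_hash, expires_at, attempts_left = entry
    if now > expires_at or attempts_left <= 0:
        _pending.pop(user_id, None)  # expired or locked: a fresh passcode is required
        return False
    if hmac.compare_digest(code_hash, _hash_code(user_id, submitted)):
        _pending.pop(user_id, None)  # one-time: consumed on first success
        return True
    _pending[user_id] = (code_hash, expires_at, attempts_left - 1)
    return False
```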
When you compare soft against physical tokens, it is estimated that moving to soft token authentication will reduce ongoing running costs by 40 – 60%!
And there’s no reason why dozens of soft tokens can’t be carried on a single device.
Finally, if you were to lose a piece of plastic you probably wouldn’t notice until you next needed it. But, if you’re separated from your phone, you notice it almost immediately.
It makes sense, therefore, that using a mobile phone as ‘something you own’ is the perfect solution.
Who in their right mind would opt instead to be strangled by a token necklace?