– David Hald, co-founder and chief relation officer at SMS PASSCODE. says:
Mary Meeker’s Internet Trends 2014 report recently revealed that mobile data traffic rose 81 percent year-over-year, with tablet adoption growing faster than PC growth ever did. The rapid proliferation of mobile devices (including their use for business purposes), coupled with the widespread adoption of cloud-based services, is creating an urgent need for stronger user authentication.
The early winner in the remote authentication market was hardware tokens. What seemed like a good idea, though, ultimately became a user burden and a drag on productivity. In the time period since tokens were created, however, new technologies have arrived that are more secure, more user-friendly and much cheaper to use and manage. As will be demonstrated below, these new solutions can actually increase user productivity as well.
The majority of hardware tokens rely on pre-issued, one-time passcodes that are based on a seed file. This means they are vulnerable to hacking. In one form of malware attack, the users’ credentials are hijacked—including the token—and these credentials are sent to the hacker via instant message. A pre-defined authentication code can be stolen and used for another login. That means the system’s security can be significantly compromised, and the code can be exploited by phishing.
Rather than storing a seed file, then, newer authentication solutions use a challenge-based approach to token-free authentication. A challenge- and session-based, real-time authentication solution, for example, only generates a code after the user session has been confirmed. Once the username and password are validated, the solution generates the code. This method offers visibility into which device the login request is coming from. The solution then links the code to the session-ID so that the code—received via mobile phone—can only be used on the device that the request was initiated from and only for that particular login session. That approach is in contrast to hardware tokens, where the codes are not session-specific, meaning that anyone in possession of the token can use the codes. A challenge-based, session-based code helps protect against sophisticated attacks such as real-time phishing. Token-based authentication, by its very nature, cannot match this level of security.
The sticker price of an item does not always factor in the total cost of ownership. So, a hard token system may seem less expensive at first, but hidden fees and maintenance costs abound. In addition to the license fee, there might also be a consultant fee. There are also staff costs to administrate the system. If an employee forgets or loses a token—or it’s lost or stolen—that employee cannot work. This reality must be factored into the TCO. Hardware tokens typically cost between $50-$300 just for the hardware. If you pay someone $30-$50 per hour, for example, and your employee on average loses one hour per month in lost productivity due to not being able to log in because he/she forgets the hardware token or it gets out of sync, that’s $600 dollars per year in lost productivity per employee. Your loss in productivity quickly becomes more costly than the entire solution itself.
Some “solutions” end up being more trouble than they’re worth because they create dependencies – and sometimes those dependencies are out of your control. The net result is a decrease in productivity. In terms of authentication tokens, should a user somehow lose a token, the user cannot log on and perform his or her job, and the company is losing productivity. As an IT admin, you are losing productivity as well, since you must manage the needs of those dependent on this system.
A productivity drag is created by dependencies like this, creating complexity and inefficiency. A more efficient method is to use mobile phones in the authentication process. The mobile phone is the number one thing that individuals never forget. By using that device as a token login, you greatly increase productivity and, in turn, security. So, by using a token-based approach, even if it were free, you would be losing money because it would negatively impact your productivity. However, by integrating a token-free approach into your system, you increase your ROI and save money and time in a single move. This will reduce downtime and lead to productivity gains.
Hard tokens, like all small things, can be lost easily. They are also burdensome to the end user. Many IT admins have reported that their users never really adapted to tokens and that they often went unused, putting individual and organizational data at risk. In contrast, a token-free approach is much easier to use. People use their mobile phones’ texting capabilities every day, so the one-time password (OTP) received via users’ phones makes perfect sense and encourages security compliance. You can benefit from greater flexibility and convenience by implementing an authentication solution that includes multiple delivery options like SMS/text, voice calls and email to help overcome the users’ fear of not being able to log in.
Here’s how this works. If an OTP cannot be delivered via the primary delivery method, then a failover mechanism should automatically kick in and deliver the OTP via a secondary method. This increases efficiency and certainty that OTPs will be delivered in a timely manner and that users will be able to log in. Ideally, an authentication solution should leverage contextual intelligence to automatically detect where the user is logging in from and dynamically choose the most appropriate OTP delivery method based on the user’s location. The reliability and configurability of this token-free approach offers convenience and ease of use to not only your employees but to the IT department as well.
Also in token-free authentication’s favor is its rapid and pain-free set-up. A token-based approach can take over a year to implement. Token-free authentication, however, can sometimes be implemented in less than a day. The huge difference in convenience between an entire year of integration versus a day is clear.
The genie of mobile devices and 24/7 access to business data and applications is out of the bottle. These technologies can make magic, but they can also wreak havoc if not properly managed. The necessity of remote user authentication has been recognized for decades, but yesterday’s solutions are not sufficient for today’s needs. Hardware tokens reduce productivity when they are used and reduce security when employees don’t use them. They carry significant hidden costs and are susceptible to phishing and hacking. A token-free, multi-factor approach provides the ease of use employees want and the added security IT wants – all while reducing administrative burden and total cost. Hard tokens were a good first step in remote validation, but token-free, multi-factor authentication demonstrates at every point that it is a superior solution for organizations today.
About the Author
David Hald is co-founder and chief relation officer at SMS PASSCODE.