Authentication - Security Tokens
Authentication is achieved by asking for something you know, something
you have, something you are, or a combination thereof.
Something you have, like a physical token, is often used in real life,
e.g. a driver's license. In the digital world
security tokens are now commonly used. They are often one
time password security tokens and/or smart cards.
One Time Passwords
One time password security tokens, like SecurID by RSA, are one
way of significantly reducing the risk of using passwords.
Unlike a password, which is changed every 60-90 days or longer, a
SecurID token displays numbers on the small screen of the key fob the
user carries with them, and those numbers change every 60
seconds. The numbers displayed on the screen appear random
to the end user. They are generated by a mathematical
algorithm that is known only to the enterprise security server.
The user logs on to the enterprise network. During the logon
sequence the user is requested to enter their id and then the number
displayed on the screen. This information is sent encrypted
to the enterprise security server. If the number
entered matches what the mathematical algorithm produces for that id,
then the user is authenticated.
The devices are tamper proof/resistant. They are
pre-programmed from the factory and ready for immediate use.
By combining a secret that the user knows (their id) with the one-time
password, the authentication is much stronger than that from a
traditional password.
Authentication Weaknesses With Security Tokens
There are weaknesses with using only this approach. For
instance, if someone is able to steal or fraudulently obtain the key
fob and they also know the user's id, then they will be able to
successfully masquerade as the identity.
Additionally, there are significant management costs with the key fobs
or credit card size tokens. Recent announcements in February 2007 by
Entrust that it is selling one-time password
tokens at $5 mean that the price points are now much lower and more
affordable. Users need to be issued the tokens
physically, and the tokens need to be replaced when lost (which is
common) and recovered or terminated when an identity leaves the
enterprise. Poor de-provisioning processes may result in
security holes being created by the identity still having access to the
network using their SecurID token and id.
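The logon check described under One Time Passwords and the de-provisioning risk above can be seen together in the following added example, which is not code from this page or from RSA. The vendor algorithm is not given here, so the public RFC 6238 TOTP construction (HMAC-SHA1) stands in for it; the `TokenServer` class, the six-digit code length and the one-interval drift allowance are assumptions.

```python
import hashlib
import hmac
import struct

STEP = 60      # seconds per code, matching the 60-second change described above
DIGITS = 6     # assumed display length


def otp_at(seed: bytes, t: float) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for time t; stands in for the vendor algorithm."""
    counter = struct.pack(">Q", int(t) // STEP)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class TokenServer:
    """Hypothetical enterprise security server holding one seed per user id."""

    def __init__(self):
        self.tokens = {}  # id -> {"seed", "active", "last_step"}

    def provision(self, user_id: str, seed: bytes) -> None:
        self.tokens[user_id] = {"seed": seed, "active": True, "last_step": -1}

    def deprovision(self, user_id: str) -> None:
        # Run when the fob is lost or the identity leaves the enterprise.
        if user_id in self.tokens:
            self.tokens[user_id]["active"] = False

    def verify(self, user_id: str, code: str, now: float) -> bool:
        rec = self.tokens.get(user_id)
        if rec is None or not rec["active"]:
            return False
        current = int(now) // STEP
        # Accept the current interval and the previous one to absorb clock drift.
        for step in (current, current - 1):
            expected = otp_at(rec["seed"], step * STEP).encode()
            fresh = step > rec["last_step"]
            if fresh and hmac.compare_digest(expected, code.encode()):
                rec["last_step"] = step  # one-time: a code cannot be replayed
                return True
        return False
```

Once `deprovision` has run for an id, even a correct code from the fob is refused, which is the control that a poor de-provisioning process leaves missing.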
Multi-factor Authentication
With the advent of computer chips now being inserted into credit cards
and other cards ("smart cards"), there is the beginning of the combined
use of one time passwords with smart cards.
For example, a user may log on to the enterprise using their id and one
time password from their credit or smart card. This gives
them general access to the enterprise based on their access
privileges. However, when they try to access a high risk
resource, they might be required to provide a biometric and swipe their
smart/credit card. The biometric presented must match the
biometric stored on the smart card.
This ties the user issued with the security token more closely with the
user who is presenting the security token as a form of authentication.
It reduces the risk that the person trying to authenticate is not who
the enterprise believes them to be.
Security tokens on their own are only useful for low to medium risk
type authentication situations. High risk authentications
should use multi-factor authentication, which may include the use of
the security token.