RSA Breach: Two-Factor Authentication Is Not Dead But Is Morphing And Getting More Granular

Many IT end-user companies deployed hard tokens at a time when intermediate-risk choices were thinner on the ground, and some of these companies would have benefited from a more granular approach anyway. In general, we are seeing companies moving towards risk-based authentication augmented by mobile soft tokens (sometimes called from a mobile application through an API). These software-only solutions are easier and cheaper to deploy, particularly if the target population is on smartphones, and a lot easier to patch in case of an attack. Interestingly, risk-based authentication is now asked about not only in the B2C context (which was the norm about a year ago), but also in the B2E context. Right now, end-user companies are thinking about:

  1. How they can ditch hardware tokens altogether; and
  2. How they can move risk-based authentication, and increasingly authorization (fraud management), into the cloud.
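To make the "risk-based authentication augmented by mobile soft tokens" pattern concrete, here is an added example (not code from the original post or from any vendor it mentions): a small risk engine scores contextual login signals and, for medium-risk logins only, steps up to a soft-token code generated and verified with the standard HOTP/TOTP algorithms (RFC 4226 / RFC 6238). The user history, the thresholds, the weights and the token secret are constructed for the demo; a real deployment would load them from a profile store and an encrypted credential store.

```python
"""Risk-based authentication with a mobile soft-token (TOTP) step-up.

Added example: the scoring weights, thresholds, user history and token
secret below are constructed for illustration, not taken from any product.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# --- Soft-token side: RFC 4226 HOTP / RFC 6238 TOTP (HMAC-SHA1, 6 digits) ---

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based variant (RFC 6238): the counter is the 30-second window."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current window plus +/- `window` neighbours to tolerate clock skew."""
    current = unix_time // 30
    return any(hmac.compare_digest(hotp(secret, c), code)
               for c in range(current - window, current + window + 1))


# --- Risk-engine side ---

@dataclass
class LoginContext:
    user: str
    device_id: str
    country: str
    via_anonymizer: bool   # source IP flagged as an anonymizing proxy
    local_hour: int        # hour of day in the user's usual time zone


# Constructed sample of per-user history; a real engine reads this from a profile store.
KNOWN_DEVICES = {"alice": {"dev-laptop-01"}}
USUAL_COUNTRIES = {"alice": {"DE"}}

# Constructed demo secret (the RFC 6238 test-vector key), provisioned to the phone app.
SOFT_TOKEN_SECRETS = {"alice": b"12345678901234567890"}


def risk_score(ctx: LoginContext) -> Tuple[int, List[str]]:
    """Additive score from contextual signals; higher means riskier."""
    score, reasons = 0, []
    if ctx.device_id not in KNOWN_DEVICES.get(ctx.user, set()):
        score += 40
        reasons.append("unknown device")
    if ctx.country not in USUAL_COUNTRIES.get(ctx.user, set()):
        score += 30
        reasons.append("unusual country")
    if ctx.via_anonymizer:
        score += 30
        reasons.append("anonymizing proxy")
    if ctx.local_hour < 6 or ctx.local_hour > 22:
        score += 10
        reasons.append("off-hours login")
    return score, reasons


def decide(score: int) -> str:
    """Map the score to a policy: silent allow, step-up to the soft token, or deny."""
    if score < 30:
        return "allow"
    if score < 70:
        return "step_up"
    return "deny"


def authenticate(ctx: LoginContext, password_ok: bool, unix_time: int,
                 otp_code: Optional[str] = None) -> str:
    """Password first, then risk-based step-up; returns allow/challenge/deny."""
    if not password_ok:
        return "deny"
    outcome = decide(risk_score(ctx)[0])
    if outcome != "step_up":
        return outcome
    if otp_code is None:
        return "challenge"          # client must prompt for the soft-token code
    secret = SOFT_TOKEN_SECRETS[ctx.user]
    return "allow" if verify_totp(secret, otp_code, unix_time) else "deny"


if __name__ == "__main__":
    known = LoginContext("alice", "dev-laptop-01", "DE", False, 10)
    new_phone = LoginContext("alice", "dev-phone-99", "DE", False, 10)
    print("known device  :", authenticate(known, True, 59))
    print("new device    :", authenticate(new_phone, True, 59))
    print("new device+otp:", authenticate(new_phone, True, 59, totp(SOFT_TOKEN_SECRETS["alice"], 59)))
```

The design point is that the hard decision lives in `decide()`, not in the token: a known device on the usual network never sees the second factor, a merely unfamiliar one gets the soft-token challenge, and a login that combines several bad signals is refused even with a valid code. Because the risk engine and the token verifier are plain server-side functions, moving them "into the cloud" is a hosting choice rather than a redesign.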


Soft Tokens Instead of OTP?

Dear Andras,

No offense - but your comment seems either driven by a commercial interest to sell soft tokens or is based on bad research. Soft tokens represent a much higher risk than OTP, are usually paid as you go (accumulating into millions of $) and will not solve the problem enterprises are facing. They require an internet connection to work properly, and as enterprises don't trust the cloud, why should they even put their certificates up there?

OTP, just as sold in SecurID from RSA/EMC and in other products from other vendors, represents an outdated technology, just as some RFID physical access control systems such as the well-known Prox Card sold by HID.

The only current technology avoiding those issues is hardware tokens based on smart cards, such as recommended by NIST in their FIPS 800-73-3 specification, and in use by quite a few US government agencies. Please have a look into that technology and you will note that it is the best compromise between user convenience, cost and security compliance.

Kind regards

Pros and cons

Hi Sven-- Thanks very much for writing in. Andras and I were discussing your comments, and wondered where you might factor in the security/usability/mobility/price needs of average enterprises.

In aerospace and defense, for example, it would have been wise to swap out compromised hard tokens (and we know of cases where this was successfully done), consciously sticking with the hard token strategy. But for industries with a different risk profile, what particular concerns do you have with the soft token approach? In what way are they worse?

And what about the challenge all up and down the risk spectrum with managing strong auth to mobile devices? The cry I heard from one defense manufacturer when it came to iPads on the shop floor was, "Where do I stick my smartcard?" Andras mentioned hearing from German insurance companies that their sales people cut off part of the smartcard that sticks out of the device (yikes).

Finally, we weren't sure in what way soft tokens are pay-as-you-go but hard tokens aren't.

Thanks for your additional thoughts.

Smart Cards and other Authentication Options

Dear all,

First, the differences in the requirements of enterprises are so huge that there is no straight answer for the "right" way to move. In addition, costs are mostly not in the hardware, if applicable, but much more in the operation of such an authentication system. Also, the industry the enterprise is operating in does not really play much of a role for such thoughts, as long as we talk about using authentication for their own employees. It just happens to be a specific US thing that, under the mandate of the US government, US defense contractors have mostly introduced smart card based authentication systems.

The US market is also very specific due to commercial differences from a good part of the rest of the world. In that part, OTP played a major role in the 90's and in the first 5 years of this decade. In fact, smart cards were much more expensive than OTP in those days, the technology was not mature and applications were not ready to use it.

The world has changed in those past 5 years: smart cards are de-facto standard in enterprises, while OTP, PIN and soft tokens are de-facto standards in consumer banking. Yes, there are exceptions such as Lockheed, but there are also banks around the world using smart cards for consumer authentication.

Soft tokens are of different kinds. If we talk about those that you seem to have in mind (companies like Arcot, Vasco and others offering this), they are basically proprietary solutions, require online status, do not support multiple issuers and, mostly, have no support in standard applications and in the hardware and software of standard server products. In other words: their main purpose is serving online transactions - which is why banks used to like this: no install, platform independence, no specific reader requirement, works in internet cafés and so forth. But the main disadvantage: they are exposed on the PC bus of the computer, or in the cloud, or wherever you access them.

So while this has been a great thing for terminal systems, the massive use of notebooks and smartphones over the past years has changed the ballgame. The flexibility of soft tokens and/or OTP products on desktops and terminals is replaced by the flexibility of platforms, in which you now do not have to compromise any more: installation of DLLs or Java applets is under the control of the owner of the credentials, and your device is always with you - in fact the internet, too.

These aspects are playing a major role in the infrastructure of enterprises, but more and more even for those main OTP users - the banks. Because those guys are now also mandated to use smart cards - in fact Google Wallet is nothing else but a hard-wired smart card with a Mastercard Java applet in an Android phone. Banks around the world are using smart cards as per VISA and Mastercard requirements - and just put an authentication applet on the phone alongside the payment applet for the cashiers.

The products serving this are smart card ICs altogether - just in different form factors. Enterprises like ISO 7816 plastic - they usually run a mag stripe for canteen payments and need a visual picture. IT companies like USB sticks to force the user to unplug it when packing the notebook. Mobile phones are using microSD cards to keep them separate from the phone hardware. Banks use the fact that they are buying a card anyway and use the free memory on that card.

In other words: smart cards these days are usually of the same price as OTP tokens, serve a much broader set of applications, do not require online access, and are much more secure as to the hardware protection against attacks - and they are bought once, unlike the regular soft token, which is cheap but sold over and over again as you have to discard it after use. Plus - their technology is integrated, available and commoditized as well.

Last, your comment on iOS: Apple unfortunately does about 90% of its revenue with consumers, not enterprises. Thus, their major concern is viruses; their protection is a firewall in between applications that prevents the basic requirement for a virus to attack: accessing a 3rd-party application. Their products need to use a plug into the 30-pin connector, accessing an integrated application. Those plugs are available by the end of this year according to my market information. Not perfect, but doable.

I hope I have answered your questions?

Smartcards as straightforward hard token replacements

Hi again Sven-- I think I see where you're going now: you're advocating going straight to smartcards for roughly the equivalent protection of hard tokens, only with greater interop and permanence/persistence. For sure: this may well be a good choice for some organizations, while some others we've talked to have discovered that they need to make more dramatic consumer convenience tradeoffs, or experience a bumpier road than they expected because of the physical footprint of smartcards.

Thanks for writing in!

soft tokens versus smart cards

Dear all,

As I stated in the beginning, there is no "correct" way to move ahead on logical access security enhancements, unless you are mandated by compliance requirements, as the US government did. Organizations have different security requirements, operate in different threat scenarios and are run by different company cultures, so their choices will vary all the time.

What you inherently say, however, is that user convenience and security is a trade-off when comparing soft tokens with their hardware counterpart, smart cards, and also that handling another device may be an issue for some applications/organizations. While the first really depends on the implementation of such schemes (so is really not a matter of the form factor), the latter is probably listed as the number one reason to use soft tokens as such.

But - this actually is a chicken-and-egg thing: if you take the narrow-minded experience of (for example) banks used to "single-issuer" concepts within their online transactions, they obviously prefer certificate-based soft tokens, specifically serving one-off customers on web sites using them as the payment engine. But those customers definitely have smart cards - maybe just not from that specific bank. It's a matter of processes to make use of them, hence increasing the security of the transaction by several grades. This could be a nice area of future schemes to work on.

Last, culture and existing infrastructure are a decision-making factor: while Europe, Brazil and all of AsiaPac have been adopting smart cards for 15 years, mainly as rentability investments (hello - that's 75% of the world...), the US looked at smart cards as a profitability investment, and with its country-wide and inexpensive online infrastructure, smart card features weren't too appealing in comparison. Add the market domination of existing players and competing (although much older and less advanced) technology, and you find a pretty good explanation for this situation looking from the helicopter perspective.

Long story short: soft tokens are much less secure and serve specific needs with certain advantages. Smart cards are of a much broader use and offer an inexpensive alternative to OTP and soft tokens. But those technical arguments are not the only decision-making factors.