Strong Authentication: Bring-Your-Own-Token Is Number Three With A Bullet

In approaching the research for my recently published TechRadar™ on strong authentication, at first I struggled a bit with overlapping concepts and terminology (as can be seen in the lively discussion that took place over in the Security & Risk community a few months back). The research ultimately revealed that form factor matters a lot -- smartcards in actual card form, for example, have some properties and use cases distinct from smart chips in other devices. So smartcards became one of the 14 categories we included.

The category that quickly became my favorite was "bring-your-own-token." BYOT is Forrester's term for the various methods (sometimes called "tokenless") that leverage the devices, applications, and communications channels users already have. The classic example is a one-time password that gets sent in an SMS message to a pre-registered phone, but we see emerging vendors doing a lot of innovation in this space. You can get a surprising amount of risk mitigation value from this lightweight approach, in which you can treat provisioning not as an expensive snail-mail package, but as a mere self-registration exercise. In a world where hard tokens and smartcards prove themselves to be, shall we say, imperfectly invulnerable, being lightweight can have a value all its own. In fact, BYOT showed up just behind these two venerable methods in the "significant success" trajectory on the TechRadar.

Here's my suspicion: BYOD has now led to BYOT. Soon enough we'll be able to combine BYOT with strong biometric bindings between users and their devices, which will help fix vulnerabilities of the type seen in the recent DoD smartcard breach while keeping biometrics "local" (and likely more privacy-protected). In that new era, true user-controllable BYOI -- bring-your-own-identity -- will become a more viable option in all kinds of settings, including the enterprise.

Got thoughts on strong authentication? (One thing I learned on this project: Everyone does!) I hope you'll share them in the comments below.

Comments

History

We tend to think of authentication as a one-time token, or maybe a two-factor or three-factor method. In real life, actions occur in a sequence (in context). These sequences are repeated. If we see a repeated pattern, then the chance that it is real is increased. So if I identify myself to my bank and I make a payment that I have made previously, it is highly likely that my identification was valid. When fraudulent actions occur, they introduce new patterns. This idea is used frequently in real systems to reduce the demands on a user. So if I am logging on from the same computer in the same spot AND doing an action that I have done before, then it is likely to be me and there is no need to ask me for another factor. The question is: can we bring context into weak authentication so that authentication becomes strong, or in some measurable way stronger?

Risk-based authentication

Hi Kevin-- It's an excellent point. This is what Forrester (among others) refers to as risk-based authentication (RBA). It's also known as adaptive or progressive (etc.) authentication. I tend to think of this mechanism as very nearly a "fourth factor," as in "something you're observed to do." It tends to have great usability and risk mitigation characteristics.

We explicitly excluded this type of authentication from the TechRadar, but recently published a Wave on this space. Often high-risk behaviors trigger a requirement for step-up strong auth that the user actively participates in, so they can be used in concert.
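As an added illustration (not code from the post, from Forrester, or from the commenters), here is a minimal server-side sketch that ties together the BYOT SMS one-time password from the post, the context check Kevin describes, and the step-up trigger in the reply: a familiar device/location/action combination passes without an extra factor, an unfamiliar one triggers an SMS OTP that is single-use and time-limited. The profile and session fields, the 5-minute lifetime, and the stubbed SMS sender are all constructed assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

OTP_TTL_SECONDS = 300  # assumed policy value (5 minutes), not from the post


@dataclass
class Session:
    device_id: str   # e.g. a device cookie; constructed field
    location: str    # e.g. coarse geo or network; constructed field
    action: str      # what the user is trying to do


@dataclass
class UserProfile:
    phone: str                                   # self-registered at enrollment
    seen: Set[Tuple[str, str, str]] = field(default_factory=set)
    pending_otp: Optional[Tuple[str, float]] = None   # (code, expiry)


def risk_requires_step_up(profile: UserProfile, session: Session) -> bool:
    """Context check: a repeated device+location+action pattern needs no extra factor."""
    return (session.device_id, session.location, session.action) not in profile.seen


def issue_sms_otp(profile: UserProfile, now: float, send=lambda phone, msg: None) -> str:
    """Generate a 6-digit OTP, store it with an expiry, and hand it to the SMS channel (stubbed here)."""
    code = f"{secrets.randbelow(10**6):06d}"
    profile.pending_otp = (code, now + OTP_TTL_SECONDS)
    send(profile.phone, f"Your one-time code is {code}")
    return code


def verify_otp(profile: UserProfile, submitted: str, now: float) -> bool:
    """Single-use: the pending code is consumed on any attempt; expired codes never match."""
    if profile.pending_otp is None:
        return False
    code, expiry = profile.pending_otp
    profile.pending_otp = None
    if now > expiry:
        return False
    return hmac.compare_digest(code, submitted)


def authenticate(profile: UserProfile, session: Session,
                 submitted_otp: Optional[str] = None, now: Optional[float] = None) -> str:
    """Returns 'ok', 'step_up' (OTP sent, come back with it) or 'denied'."""
    now = time.time() if now is None else now
    if not risk_requires_step_up(profile, session):
        return "ok"
    if submitted_otp is None:
        issue_sms_otp(profile, now)
        return "step_up"
    if verify_otp(profile, submitted_otp, now):
        profile.seen.add((session.device_id, session.location, session.action))  # learn the new pattern
        return "ok"
    return "denied"
```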