Comment: Two-factor Authentication – World of the Token Necklace

Kemshall muses about the possibility of token necklaces
Andy Kemshall, SecurEnvoy

Security breaches are on the up – we all know that – and they are set to get worse. In order to interact with suppliers online, organizations will be expected to have stronger authentication, which is where two-factor authentication will play an increasingly bigger role.

Before continuing, let’s first take a moment to capture the enormity of the problem.

  • We want to be able to work wherever we happen to find ourselves rather than be restricted to a physical building
  • We want to use whatever device we happen to have in our hands
  • We want to do it 24 hours a day: online banking, shopping, ordering repeat prescriptions and completing tax returns – the list goes on

To perform each of these tasks, you will need to create a user account. Yet all too often it’s been proven that just using a username, in combination with a password, is inadequate.

For organizations the repercussions can be far more damaging. The frequency of data breaches is just one indication that this is a growing problem that many have yet to come to grips with.

So, how can organizations strengthen these vulnerable virtual applications and access points?

Two Kinds of Evidence

From a security perspective, the simple concept is that we typically trust the person accessing an application. However, passwords can be cracked or even guessed, so a stronger model is needed.

This is where two-factor authentication has stepped up to the plate. In its very basic sense, it is the combination of two different elements from a choice of three:

  • Something you know – such as a PIN or password
  • Something you own – such as a key, mobile phone, token or the chip embedded in a credit card
  • Something specific to the person – such as a fingerprint or retina

I’d like to clarify: entering certain characters from a memorable phrase does not constitute two-factor authentication. It’s still something you know, so it merely duplicates the first factor.

Whereas something specific to the person – or biometrics, as it’s widely referred to – is largely foolproof, it requires hardware, which often makes this element a non-starter. The reason is that a physical reader would need to be installed at every entry point, making it either very expensive or impractical when you consider the flexibility our technical society demands. There’s also the further complication of designing a solution today that’s capable of accommodating the devices of tomorrow.

It’s not surprising, therefore, that when introducing a two-factor authentication solution, it is the first two elements that are the most common combination employed.

Token Necklaces

Although the amalgamation of something you know and something you own seems a no-brainer, the reality is less practical.

Many employees who access their corporate network will be familiar with a physical token or key. For consumers, banks are increasingly adopting two-factor authentication for their online banking services – HSBC in the UK has just introduced an HSBC Secure Key for every user.

If every organization that allows individuals to access its systems first issues them a physical token, then that’s a lot of plastic. In time these could become dozens of tokens weighing you down. Imagine, having one for the bank, your health records, tax returns, utility companies to access and pay bills, employer, and so on.

It wouldn’t be long before we became chained down to our multiple token necklace.

Additionally, there’s the expense of each of these little pieces of plastic – not just in monetary terms, because they’re not free, but also to the planet. The environmental cost for producing and distributing 4,000 tokens works out at around 4.3 million metric tons of CO2 or, for those who like a visual representation, that’s the equivalent of chopping down 240 million trees.

Physical Token Apathy

The biggest issue with physical tokens is that end-users simply don’t like them. Organizations already struggle with users either forgetting or losing their physical tokens. Each instance results in a call to a help desk to allow one-time access. In the case of a lost token, a replacement has to be issued, resulting in wasted time, postage and the expense of the device.

Imagine this replicated not just for employees, but for every person that accesses your service.

What about all of us, as consumers? Imagine the frustration when you want to pay a bill at work and you’ve left your token at home, or of trying to identify which token belongs to which supplier.

SMS Technology is the Logical Alternative

I’ve made what I hope you’ll agree is a compelling case for two-factor authentication. It’s just that I don’t believe that physical tokens are the way forward. Practically every pocket holds the perfect key – SMS technology on your mobile phone.

Organizations can easily utilize existing mobile technology – whether corporate or personally owned – to replicate a physical token. A passcode is sent to the user’s mobile phone as a text message, turning the mobile into a ‘soft’ token. When comparing soft against physical tokens, it is estimated that moving to soft token authentication will reduce ongoing costs by 40–60%. And there’s no reason why dozens of soft tokens can’t be carried on a single device.

Moreover, another advantage of SMS messaging is that the passcode can be preloaded, as it gets sent immediately to the user once the previous passcode is used and is stored, ready for use the next time. So if there are delays or signal problems, then the user will already have their next passcode ready to go, avoiding any login issues.
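The preloaded-passcode flow described above, as an added example that is not SecurEnvoy’s code: a small server-side model in which each successful login consumes the current passcode and immediately issues the next one, so the phone already holds a valid code before the next login. The SmsOutbox gateway, the hashing scheme and the phone number are constructed stand-ins.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class UserState:
    code_hash: str      # hash of the passcode currently preloaded on the phone
    failures: int = 0   # wrong-code attempts against this passcode


class SmsOutbox:
    """Stand-in for an SMS gateway: records messages instead of sending them."""
    def __init__(self):
        self.sent = []          # list of (phone, text)

    def send(self, phone, text):
        self.sent.append((phone, text))


class PreloadedSmsAuth:
    MAX_FAILURES = 5            # lock the current passcode after this many misses

    def __init__(self, outbox, digits=6):
        self.outbox = outbox
        self.digits = digits
        self.users = {}         # phone -> UserState

    def _new_code(self):
        return "".join(secrets.choice("0123456789") for _ in range(self.digits))

    def _hash(self, code):
        # Only a digest is stored server-side, never the passcode itself.
        return hashlib.sha256(code.encode()).hexdigest()

    def _issue(self, phone):
        # Generate the next passcode and send it straight away: this is the
        # "preload", so a delayed SMS later does not block the next login.
        code = self._new_code()
        self.users[phone] = UserState(code_hash=self._hash(code))
        self.outbox.send(phone, f"Your passcode is {code}")

    def enrol(self, phone):
        self._issue(phone)

    def verify(self, phone, password_ok, code):
        state = self.users.get(phone)
        if state is None or not password_ok or state.failures >= self.MAX_FAILURES:
            return False            # first factor failed, unknown user, or locked out
        if not hmac.compare_digest(state.code_hash, self._hash(code)):
            state.failures += 1     # wrong code; the preloaded one stays valid
            return False
        self._issue(phone)          # consume this code and preload the next
        return True
```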

Finally, if you were to lose a piece of plastic, then you probably wouldn’t notice until the next time you needed it. But, if you’re separated from your mobile phone, then you notice it almost immediately.

It makes sense, therefore, that using a mobile phone as ‘something you own’ is the perfect solution. Who in their right mind would opt instead to be strangled by a token necklace?


Andrew Kemshall is the co-founder and technical director of SecurEnvoy. Before setting up SecurEnvoy, which specializes in tokenless two-factor authentication, Kemshall worked for RSA as one of their original technical experts in Europe, clocking up over 15 years of experience in user authentication. His particular specialty is two-factor authentication in the fields of architecture, design and development of next-generation authentication software.
