Token Debate: Battle Tested, Industry Approved

"Time-based two-factor authentication continues to be a critical component of any security strategy", says RSA's Dan Schiappa

Time-based two-factor authentication strengthens password-based login by adding a second credential that changes with the clock: a one-time code that is valid only for a short time window. The result is an access credential that is impractical to guess under normal lockout controls and of little use if stolen, because a captured code expires with its window.

The most commonly deployed and effective method for two-factor authentication is the time-based ‘token’. This is generally thought of as a purpose-built hardware keyfob with a number display, but it can also be a software application running on a mobile device or PC. Regardless of the form factor the token takes, it performs an invaluable service in verifying the identity of users seeking to gain access to private resources and sensitive information.

Two-factor authentication is one of the most widely used security technologies in the history of IT. Millions of people use this technology every day to gain secure access to corporate networks, and it has been used to protect trillions of communications and transactions. Many of the most security-conscious organizations in the world consider tokens the ‘go-to’ technology to enable secure, trusted access to the most critical IT infrastructures in banking and finance, healthcare, law enforcement, military and government.

Time-based two-factor authentication stands apart from competing authentication products because of its simple yet robust design: a one-time passcode formed from a clock-driven, dynamically changing tokencode (something you have) combined with a secret user PIN (something you know). An attacker has to obtain both factors, and use them inside the same short time window, which makes compromising all of them at once extremely difficult.

Since its inception, the world’s most respected security researchers have worked, unsuccessfully, to ‘break’ this technology. The reason for their lack of success is that compromising time-based two-factor authentication actually requires far more than the two factors themselves: an attacker needs the token’s seed, the mapping of that seed to a particular user, the user’s PIN and the current time window, all at once. Contrary to what critics have asserted about the security of stored shared secrets, recent attacks have shown that compromising some pieces of the puzzle does not, by itself, enable a successful attack on users.
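As an added example (not RSA’s own algorithm or code, which the article does not describe), the following Python shows the mechanism the two preceding paragraphs rely on, using the open RFC 6238 TOTP standard in place of the proprietary SecurID tokencode: a clock-driven one-time code derived from a shared seed, combined with a PIN, checked on the server with a small clock-skew window and replay protection so that each passcode really is accepted only once. The seed value is the RFC 6238 reference seed and the PIN is constructed for illustration; the PIN-hashing parameters and the one-step skew window are assumptions, not anything the article specifies.

```python
import hashlib
import hmac
import secrets
import struct

TIME_STEP = 30   # seconds per tokencode (RFC 6238 default)
DIGITS = 6       # tokencode length


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the clock divided into fixed time steps."""
    return hotp(seed, unix_time // step)


class TokenVerifier:
    """Server-side check for one user: PIN (something you know) + tokencode (something you have).

    The seed is the shared secret provisioned into the user's token. The PIN is kept only
    as a salted PBKDF2 hash (assumed parameters). Consumed time steps are recorded so a
    passcode is truly one-time even inside the clock-skew window.
    """

    def __init__(self, seed: bytes, pin: str, skew_steps: int = 1):
        self._seed = seed
        self._pin_len = len(pin)
        self._salt = secrets.token_bytes(16)
        self._pin_hash = self._hash_pin(pin)
        self._skew = skew_steps          # assumption: tolerate +/- one 30 s step of drift
        self._last_step = -1             # highest time step already consumed

    def _hash_pin(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    def verify(self, passcode: str, unix_time: int) -> bool:
        """passcode is the PIN followed by the tokencode, e.g. "1234" + "287082"."""
        if len(passcode) != self._pin_len + DIGITS:
            return False
        pin, code = passcode[:self._pin_len], passcode[self._pin_len:]

        # Factor 1: the PIN, compared in constant time via its derived hash.
        pin_ok = hmac.compare_digest(self._hash_pin(pin), self._pin_hash)

        # Factor 2: the tokencode. Accept any step within the skew window, but never a
        # step at or below one already used, so a captured code cannot be replayed.
        now_step = unix_time // TIME_STEP
        matched = -1
        for step in range(now_step - self._skew, now_step + self._skew + 1):
            if step <= self._last_step:
                continue
            if hmac.compare_digest(hotp(self._seed, step).encode(), code.encode()):
                matched = step

        # Both factors are always evaluated; a wrong PIN does not short-circuit the code check.
        if pin_ok and matched >= 0:
            self._last_step = matched
            return True
        return False


if __name__ == "__main__":
    # Constructed demo: the RFC 6238 reference seed, not a real token's secret.
    seed = b"12345678901234567890"
    verifier = TokenVerifier(seed, pin="1234")
    t = 59
    print(verifier.verify("1234" + totp(seed, t), t))            # True: right PIN and code
    print(verifier.verify("1234" + totp(seed, t), t))            # False: replay of a used code
    print(verifier.verify("0000" + totp(seed, t + 30), t + 30))  # False: seed known, PIN not
```

The last demo line is the point of the article’s argument: a party holding the seed (or the physical token) can compute the correct tokencode, yet still fails without the PIN. The verifier deliberately does not consume a time step on a PIN failure, so the surrounding system must add lockout or rate limiting to stop PIN guessing against a stolen token; that is one of the additional risk-based controls the article goes on to recommend.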

Time-based two-factor authentication is the industry standard because it has proven to be easy to use, easy to deploy, and one of the most difficult security controls to defeat. That being said, there is no silver bullet that protects an organization against advanced threats; a multi-layered approach is always recommended.


When combined with additional security measures and risk-based controls, time-based two-factor authentication is a powerful component in a multi-layered security infrastructure and has proven highly effective against modern malware and advanced attacks, including hijacked machines, man-in-the-middle attacks and lost or stolen tokens. A passcode captured from a hijacked machine or a man-in-the-middle can only be used inside its short time window, and a lost or stolen token is useless without the PIN; the surrounding risk-based controls are what close the remaining gap in that window.

The advanced threats facing organizations today are increasingly capable of defeating all types of security controls, which is why time-based two-factor authentication continues to be a critical component of any security strategy. No security technology has been more widely used, more closely scrutinized, or more elegantly designed and implemented. It still enjoys extensive and healthy acceptance among global IT security professionals as the standard-bearer for making passwords stronger.

Part of the continued success of two-factor authentication is that the technology is continually being adapted to provide improved security, convenience and applicability. Innovations are being made to apply time-based two-factor authentication to new use cases, such as virtualization, cloud and mobile computing, and to new form factors that make use of mobile device technology and risk-based authentication. It is these innovations that ensure the future of ‘token’ technology remains bright.


Dan Schiappa is senior vice president & group general manager, identity and data protection, at RSA, The Security Division of EMC². Prior to this, Schiappa was at Microsoft for eight years where he held many senior roles, including general manager of Microsoft Passport/Windows Live ID, general manager of strategy with the entertainment and devices division, and general manager of Windows Security. At Microsoft, he was responsible for the core security direction and delivery of such key technology components as BitLocker, Rights Management Server, and Certificate LifeCycle Manager. Prior to Microsoft, he also held several senior business and technical roles. Schiappa studied computer science at the Rochester Institute of Technology and the University of Central Florida.
