Hard tokens and the difficult choice for retail banks
Hard tokens and the difficult choice for retail banks

In the world of technology it is inevitable that some solutions will succeed and some will fail, but it isn't always the best that wins through.

Over the years there have been many examples of this, and for those of a certain age you will recall how Betamax was considered by many to be the better format, but VHS won the battle. While replacing a video recorder was a relatively small expense, when a large institution or indeed an entire sector gambles on black and red comes up it isn't so easy to change. This is the situation for retail banks using hard tokens today.

The purest view held by many in the banking world and indeed beyond, is that hard tokens used to deliver two-factor authentication (2FA) are the most secure, as physical hardware can have protection mechanisms in place to prevent tampering.

However, that isn't representative of the real world threat. The reality is that these devices are the cause of high operational and procurement costs and can drive away customers who are frustrated with the barriers that are put in place. After all, internet banking for the customer is all about convenience (for the bank it is also about driving down costs). When HSBC introduced its secure key last year it created a backlash from customers on Facebook.

The problem with hard tokens from a customer point of view is that they don't want to carry them around - especially the clunky card reader types. So, when they are travelling or just out of the house/office, they end up reverting to telephone banking or head into a branch. Then there is the problem of when you are away on a two-week holiday and you leave your token at home or lose it, how do you access your bank account?

Over the years, so much has been invested by banks in the hard token deployment that it has almost gone past the point of no return - this is despite the fact that even though the further they go the more costly it continues to be in terms of purchasing and renewing tokens. To turn back now would perhaps be perceived as an admission that the hard token system was a failure, and it would take a brave IT director to stick their neck out and say that.

Also, if you are going to make such a statement you need to be able to offer a better solution. Fortunately, there is a strong alternative beginning to emerge, driven by the proliferation of smart devices.

I am in no way suggesting that 2FA is not the right approach for banks, it is without doubt the way to go. Technically, those with no 2FA in place are less secure than those with 2FA. However, attacks such as Operation High Roller hit everybody equally, so in the real world, the likes of Lloyds TSB (a bank that does not provide customers with hard tokens, preferring a basic one and a half factor authentication that goes beyond user name and password) are not necessarily worse off. Simply, it is a case of there being more efficient and cost effective ways of deploying 2FA.

It is interesting to look overseas at new and rapidly growing banks that do not have the same fixation and heritage with hard tokens and notice how they are balancing the need for high standards of security with customer convenience. While there is interest in technologies such as biometrics, the unsurprising frontrunner is the use of soft tokens loaded on to smart devices.

These banks have looked at those organisations using hard tokens, evaluated the very expensive set up and ongoing management and maintenance costs, and quickly realised that the growth in the smartphone and mobile device market, coupled with the widespread availability of 3G/4G and wireless networks and user adoption, provide the ideal environment from which to deliver the benefits of 2FA.

From the banks' perspective, soft tokens installed on a smart device via an app provide all of the benefits that hard tokens can offer, but crucially without the associated procurement and management costs.

As these are soft tokens, they are low cost and can be distributed out to customers rapidly. In addition, improvements can be made centrally and the customer simply accepts the upgrade when notified. This ability to distribute security enhancement is vitally important as cyber criminals continue their assault on cracking 2FA systems.

Customers do not need to carry a separate piece of hardware and today nobody leaves their mobile devices at home, so they always have their token available, to securely log on, regardless of where they are in the world. Another important benefit is that increasingly customers are banking using mobile devices, either via a dedicated app or browser, so the phone can become both the token and the interface.

In my opinion the days of using hard tokens in retail banking are numbered, although there will always be those who will insist on it in the same way that some cling on to books, vinyl, CDs and DVDs. There are also too many large players who make too much money selling card readers and keyrings for it to die out too soon. However, once the momentum for alternative solutions gathers and the return on investment is published, then hard token usage will diminish rapidly.

Steven Hope is technical director at Winfrasoft