Developments such as BYOD and the widespread use of cloud services have expanded the threat landscape and put a strain on IT security. For instance, Gartner predicts that by 2016, eight percent of companies expect to stop providing devices to workers, and more than 30 percent of BYOD strategies will leverage personal applications, data and social connections for enterprise purposes.
All of these devices, personal applications and data will need to be secured. While hardware tokens were a good security choice in the 1980s and 1990s, advances in technology are rending them obsolete. Token-free, multi-factor authentication using mobile phones provides the real-time convenience and flexibility that today's work environment requires.
Token-free authentication does not store pre-issued one-time passcodes, as token-based systems do. If codes are pre-issued based on a seed file, then they are vulnerable to theft by simple hacking and phishing. That means a network's security can be compromised, and the code can be exploited. Even the seed file that stores all the authentication codes represents a security risk because if the seed file is stolen, then all users are exposed.
Organisations seeking to implement a token-free authentication solution should be aware that many of these solutions also provide the users with pre-issued passcodes based on a seed file. The only difference here is that the passcode is delivered to the user's phone instead of on a hard token. Again, the pre-issued codes or the seed files themselves are vulnerable to theft. This does not provide the level of security needed to protect against today's sophisticated hackers.
In contrast to relying on a system that uses a seed file, IT security professionals would be better served with one that works in real time. The real-time approach enables the possibility of challenge - and session-based authentication. A challenge - and session-based authentication solution only generates a code after the user session has been established.
Here's why this approach is better: once the username and password are validated, the solution generates the code. Waiting to generate the code until the session is established, instead of relying on a set of pre-issued codes, enables the solution to link that code to the device that requested it. In this way, the code — received on the user's mobile phone — can only be used from the device that requested it. The security advantage here is clear. If for any reason the code is intercepted, it cannot be used on any other device. A challenge and session-based code helps protect against even sophisticated attacks. These are security benefits that token-based authentication simply cannot match.
On a final note, using a mobile phone to deliver the security code creates an additional benefit that a hardware token can never match. While a misplaced or stolen token can easily go unnoticed or unreported, a missing cell phone brings life to a grinding halt while its owner searches for it. People are usually quick to call their carrier to terminate their service, which minimises organisational risk. All told, real-time token-free authentication is the approach that will best serve organisations in 2015 and beyond as they juggle remote workers, an expanding threat landscape and advanced cyber-attacks.
Contributed by Torben Andersen, chief commercial officer, SMS PASSCODE