The great token debate

I read this week that one of the One Direction boys was bemoaning the fact that he had not been able to tweet for a week because he had no signal. I am not sure where he was, but it just goes to show that you can't always rely on using your mobile phone.

Not being able to tweet is one thing, but not being able to get a text message with your one time passcode (OTP) to log on to your corporate network or get your emails is another thing.

While that is a rather simplistic example, it is all part of the argument about what is the best ‘something you have’ factor when using two-factor authentication (2FA): hardware tokens, software tokens or OTPs sent to a mobile device via SMS?

A lively debate has been going on for many years, with many declaring tokens are dead and tokenless authentication is the only way forward, but is the declaration a little presumptuous?

At Signify, we have been providing a 2FA service for over 12 years with both token and tokenless options and were the first company to offer text-based 2FA services back in 2002, so we are well positioned to comment.

If you are in an area with no mobile signal the answer is simple - but like most things in life and the world of IT and security in particular, there is no single right answer.

The hardware token may have been around a while, but it is the most tried and tested method of 2FA. Typically the token is carried on a keyring and displays an OTP calculated from a ‘seed record’ using an algorithm driven by either a clock or a counter. The user enters this number together with their secret PIN to authenticate themselves. Simple.

This is why the hardware token remains popular today: it is very simple to use and works anywhere, every time. Hardware tokens are not reliant on software downloaded to a device, an internet connection or phone network coverage, and they are more robust than a smartphone or tablet.

Those declaring the death of the token will point to its inconvenience and cost. These are valid points, and there can be an expensive one-off cost, but these issues can be mitigated through hosted authentication services that deal with token logistics such as provisioning and handling lost and expiring tokens.

Hardware tokens can appear expensive, but is the cost of a token really that expensive for a device that reliably produces an OTP every 60 seconds for five years?

What is the cost to a lawyer working on a multi-million pound case when he can't log in to send a crucial document because he has no mobile signal?

Vendors are always looking for the next big thing, and the rapid growth in mobile communications offered alternatives that could perhaps reduce costs and increase convenience for end users. As most business users of 2FA today have a smartphone that they keep with them most of the time, it would seem to make sense to exploit this technology.

The first way to do this is a software version of the OTP key fob for smartphones. This uses exactly the same technology as the hardware version, but the OTP is calculated by software installed on the smartphone, usually in the form of an app.

This has some advantages over hardware tokens. For example, for geographically dispersed businesses, tokens can be sent electronically to avoid shipping costs and delays, and there is the convenience of not having to carry a separate device.

However, if you're using apps on your smartphone to get access to corporate data and relying on another app on the same smartphone to be the ‘something you have’, is that really 2FA? What if you've left your smartphone on the plane, having removed the password so you could watch a movie?

The other mobile form of 2FA is text-based tokenless delivery to a mobile. This also eliminates the need to carry a separate piece of hardware and reduces the cost and time associated with provisioning new and replacement tokens. It sounds ideal, but as our One Direction friend found out, you can't always get a signal when you want one. For frequent users who log on two or three times a day, something that should be inexpensive suddenly becomes very expensive! For these people, you simply can't beat having a token with your OTP there ready and waiting, whenever and wherever you are.

SMS vendors have come up with solutions to the mobile signal problem such as pre-sending codes, but this highlights another problem with SMS-based OTPs.

How long is each OTP valid for? What happens if someone takes note of the OTP text on your phone before you get the chance to use it? Not only is it impossible to anticipate every time you are likely to be without a mobile signal; delivering codes in advance that remain valid for a period of time, rather than just for the moment they are actually sent, also impacts on security.
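To make the mechanics concrete, here is an added example (not the page's or Signify's code) of the seed-plus-counter-or-clock calculation described above, implemented as HOTP/TOTP per RFC 4226/6238, with a verifier that accepts a configurable validity window. The seed is the RFC 4226 test secret, the 60-second step and the PIN are assumed for illustration, and `accepted_codes` shows how pre-sending codes with a longer validity widens the set of codes an observer could reuse at any given moment.

```python
import hmac
import hashlib
import struct

# RFC 4226 test-vector secret ("12345678901234567890"), used here only so the
# output is checkable; a real token's seed record is unique and never shared.
SEED = b"12345678901234567890"
DIGITS = 6
STEP = 60  # the page's tokens show a new OTP every 60 seconds (assumed step)


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, now: int, step: int = STEP) -> str:
    """Clock-driven variant: the counter is the number of whole steps since the epoch."""
    return hotp(seed, now // step)


def accepted_codes(seed: bytes, now: int, window: int, step: int = STEP) -> set:
    """Every OTP the server would accept at time `now` with +/- `window` steps of slack.
    A wider window (e.g. codes pre-sent to cover a signal black-spot) means more
    codes are live at once, so a code copied from a phone stays usable for longer."""
    current = now // step
    return {hotp(seed, current + d) for d in range(-window, window + 1) if current + d >= 0}


def verify(seed: bytes, expected_pin: str, pin: str, otp: str, now: int,
           window: int = 1, step: int = STEP) -> bool:
    """PIN plus OTP check, as a token user would perform it.  Constant-time compares
    avoid leaking how many characters matched."""
    if not hmac.compare_digest(pin.encode(), expected_pin.encode()):
        return False
    return any(hmac.compare_digest(code.encode(), otp.encode())
               for code in accepted_codes(seed, now, window, step))


if __name__ == "__main__":
    now = 600  # constructed clock value: 10 whole 60-second steps
    print("current OTP:", totp(SEED, now))
    print("codes live with window 0:", len(accepted_codes(SEED, now, 0)))
    print("codes live with window 5:", len(accepted_codes(SEED, now, 5)))
```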

Of course, any solution that centres around the mobile phone also runs into the age-old problem of battery life. What do you do when it runs out and you can't recharge? Hardware tokens have a fixed battery life, typically five years, and can be replaced before they risk running out.

So when it comes to the SMS vs token debate, our view is that it is horses for courses, and what is important is to be able to mix and match depending on what works best for you.

That's not all; there are other alternatives emerging. One is the use of biometrics to authenticate the user based on physical attributes or behaviours. This moves the second factor to ‘something you are’ or ‘something about your behaviour’.

One biometric that has the potential to work across all types of smartphones is voice – using the device's microphone to capture a voiceprint that allows the user to be uniquely identified.

Then there is risk-based authentication. This observes users' behaviour (how often they authenticate, where they are and from what device) to calculate a risk score. It turns out that this combination of multiple signals is very powerful in assessing a user's identity.

If a user who usually logs on from a home PC in Surrey suddenly appears on a mobile device in Beijing, they will be denied access or asked for additional levels of authentication. These technologies are still new but offer exciting options that could be delivered through 2FA hosted service providers relatively quickly.

So, the reality is that 2FA is not a one-size-fits-all solution. The right type of authentication for you depends on the organisation you work for, your working requirements and the type of data and applications you need access to.

The question is not ‘token or tokenless?’ but ‘what combination works best?’ As a rule of thumb, tokens work best for frequent users, while tokenless is better for those who need occasional or emergency access, when there is too much snow to get to the office, for example.

While some vendors will continue to sing from the ‘SMS is all you need’ song sheet, our message is that choice is everything and the death of the token has been greatly exaggerated. We've been carrying tokens around for 25 years and won't be surprised if they are still around for their golden anniversary.

Stuart Howden is marketing manager at Signify