Proving your identity in order to authenticate yourself and gain access to some kind of system is more of a challenge than most people realize. The process has to be designed so that on one hand it is as easy as possible for the legitimate user to gain access, while on the other it is as difficult as possible for anyone who isn’t authorized. We’ll look at how tokens fit into the authentication process, as well as the different types of tokens, including hard tokens, soft tokens, and everything in between.

MFA basics

A simple password doesn’t cut it for most systems, especially ones with higher risk or sensitivity attached to them. One of the most effective ways of strengthening authentication is “Multi-Factor Authentication”, or MFA. There are 3 independent factor classes for authentication:

1) Something you “know”: a password or PIN, or an answer to a question
2) Something you “have”: a token, credit card or mobile device
3) Something you “are”: biometric data, such as fingerprints, or behavioral data such as keystroke dynamics

With multi-factor authentication, a user must prove at least 2 of these independent factors. This introduces the concept of a token: something that is used to prove the “have” factor, one of the 2 independent factors required above. (A password plus a security question is still a single factor, since both are things you know.)

Hard tokens and soft tokens

Authentication tokens are generally divided into 2 groups: hard tokens and soft tokens. Hard tokens (hardware token = hard token) are physical devices used to gain access to an electronically restricted resource. Soft tokens (software token = soft token) are just that: authentication tokens that are not physically tangible, but exist as software on common devices (for example computers or phones).

When it comes to security tokens, most people think of hardware tokens, such as smart cards, Bluetooth tokens, one-time password (OTP) key fobs, or USB keys. The best known is RSA SecurID, which has been on the market since the 1980s; the newer contender in this field is Universal 2nd Factor (U2F), a standard from the FIDO (Fast IDentity Online) Alliance. Hard tokens have a number of challenges: they’re relatively expensive, easy to lose, and their administration and maintenance often take a heavy toll on IT departments. They’re also vulnerable to theft, to compromise of the codes or of the seed records that generate them, and to man-in-the-middle attacks in which an attacker relays a freshly entered OTP before it expires.

Software tokens have a number of advantages over hardware tokens. They can’t be lost separately from the device that carries them, they can be automatically updated, the incremental cost for each additional token is negligible, and they can be distributed to users instantly, anywhere in the world. Nowadays, instead of carrying around an extra piece of hardware, and given that nearly everyone has a smartphone, soft tokens have been incorporated into smartphones (usually in the form of an app). One caveat applies to both form factors: an OTP, whether it comes from a key fob or an app, is only a short string the user types, so it can be phished or relayed just like a password; U2F was designed specifically to close that gap by binding the response to the site’s origin.

Gartner’s “Phone-as-a-Token” category relates to all kinds of mobile-based authentication, including soft tokens, OTP and push notification. In multiple recent reviews Gartner addressed the increased use of phone-as-a-token methods, noting in its Technology Insight for Phone-as-a-Token Authentication report that “authentication methods that co-opt users’ mobile phones as tokens are widely adopted”, and “by the end of 2019, 50% of enterprises using phone-as-a-token authentication will use mobile push in preference to other modes, compared with less than 10% today.”

A counter-based soft token: Diversinet MobiSecure

In use, the MobiSecure tokens are employed the same way as hard tokens. When users log on they are asked for a password and the code generated by their token (the second factor). The algorithm on the user’s device creates the one-time code by combining a secret client credential (loaded during provisioning) with a sequential counter. The validation server knows the credential and sequence for that given client and, if it generates the same code, grants access. After the session ends, the sequence number is incremented so that code can never be used again, Kowal says. The sequencing is the primary difference between MobiSecure and hard tokens from companies such as RSA Security, which keep the validation server and tokens in sync at all times (SecurID tokens derive their codes from the current time rather than from a counter). Diversinet’s technology is compliant with the reference architecture for strong authentication from the Initiative for Open Authentication (OATH). Launched in 2004, OATH is backed by companies including IBM Tivoli, VeriSign and Citrix. Although they might not be as secure as hardware technologies, the market for soft tokens such as MobiSecure has to be much larger. This is interesting stuff that we can expect to hear more about when Fall Interop arrives back in New York on Sept. 18.
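The scheme described above, a secret credential combined with a counter that both the token and the validation server advance, is what OATH later standardized as HOTP (RFC 4226). The following is an added example written for this page, not Diversinet’s, OATH’s or RSA’s code: an RFC 4226 HOTP generator, a toy client token, and a validation server that checks password plus code, tolerates a token that has generated codes the server never saw by means of a look-ahead window, and refuses replayed codes because it never accepts a counter at or below the last one it burned. The user name, password, window size and the RFC 4226 test-vector secret are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class SoftToken:
    """Client side: the provisioned secret plus a counter that moves on every generated code."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.counter = 0

    def generate(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1          # the token never reuses a counter value
        return code


class ValidationServer:
    """Server side: a password hash plus the next counter it expects for each user."""

    def __init__(self, window: int = 5) -> None:
        self.window = window       # how far ahead of the stored counter a code may be
        self.users = {}

    @staticmethod
    def _pw_hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enroll(self, user: str, password: str, secret: bytes) -> None:
        salt = os.urandom(16)
        self.users[user] = {"salt": salt, "pw": self._pw_hash(password, salt),
                            "secret": secret, "counter": 0}

    def login(self, user: str, password: str, code: str) -> bool:
        rec = self.users.get(user)
        if rec is None:
            return False
        pw_ok = hmac.compare_digest(self._pw_hash(password, rec["salt"]), rec["pw"])
        # Try every counter from the expected one up to the window edge. Anything below
        # rec["counter"] has already been burned, so a replayed code can never match.
        matched = None
        for c in range(rec["counter"], rec["counter"] + self.window):
            if hmac.compare_digest(hotp(rec["secret"], c), code):
                matched = c
                break
        if not pw_ok or matched is None:
            return False
        rec["counter"] = matched + 1   # resync: skip codes the user generated but never sent
        return True


def demo() -> dict:
    secret = b"12345678901234567890"        # RFC 4226 test-vector secret (constructed input)
    token = SoftToken(secret)
    server = ValidationServer(window=5)
    server.enroll("alice", "correct horse", secret)   # user and password are assumptions
    results = {}
    first = token.generate()                           # counter 0 -> "755224"
    results["first_login"] = server.login("alice", "correct horse", first)
    results["replay"] = server.login("alice", "correct horse", first)
    token.generate()                                   # two codes generated on the phone
    token.generate()                                   # but never submitted: counter drift
    results["after_drift"] = server.login("alice", "correct horse", token.generate())
    results["wrong_password"] = server.login("alice", "wrong", token.generate())
    for _ in range(10):                                # drift well past the window
        token.generate()
    results["beyond_window"] = server.login("alice", "correct horse", token.generate())
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the trade-off the column points at: the look-ahead window is what lets a counter-based token survive a few unsent codes without the constant synchronization a time-based SecurID token gets from its clock, but once the token drifts past the window the user is locked out until an out-of-band resync. The counter check also illustrates the replay protection: the first code is rejected the second time it is presented because the server has already moved past counter 0. None of this stops a phisher who relays a freshly typed code within the window, which is the weakness shared by every OTP form factor.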