Is the death of the authentication token greatly exaggerated?

Microscope contributor
Dave Abraham, CEO of Signify, takes a look at the token versus tokenless 2FA question and concludes that both are needed

With the growth in anywhere, anytime working, two-factor authentication (2FA) has, at long last, become the de facto standard for secure remote access to the corporate network.  

But then the question is: do you go token or tokenless? Vendors or resellers offering only tokenless solutions would have us believe that hardware tokens will soon be replaced by mobile phone authentication. But is it really a case of one or the other?

Dedicated tokens - most commonly associated with RSA - that provide a one-time passcode, typically every 60 seconds, have been the traditional approach to 2FA for years. Tokenless solutions deliver one-time passcodes on demand to a standard mobile phone or smartphone. Because most people already carry their phones with them most of the time, this eliminates the need to carry a separate piece of hardware and reduces the cost and time associated with providing new and replacement tokens.

Remote access

Sounds good, but it's not the full picture: for frequent users who demand secure remote access wherever they are, tokens remain king.

Road warriors, home workers or systems engineers, for example, often log into many different portals every day and requesting or obtaining passcodes from a mobile phone or PDA is just too much hassle. What's more, tokens are not limited to a particular platform, such as Windows, and are not reliant on how secure a mobile phone network is, good network coverage or the battery life of the phone.  

RSA tokens will work even if dropped from a great height or if they fall into a glass of water. The same is not true of the mobile phone, however. And when it comes to cost, frequent users can quickly run up SMS charges for requesting passcodes from a mobile phone or PDA.

But there is a place for tokenless authentication. It is ideal for infrequent or temporary users, such as contractors, part-time staff and those checking e-mail from home.

It can also provide temporary extranet access to other departments, professionals and partners, or for sensitive online services such as HR, e-commerce or access to health information. Having short-term remote access to the corporate network is also valuable in emergency scenarios resulting from bad weather, strikes or terrorist threats, for example.

Savvy resellers will quickly realise it is a case of "horses for courses", depending on the end user organisation, the user's working requirements and the data and applications being accessed. The question should not be token or tokenless, but what is the best combination of the two.

The ability for resellers to mix both token-based and tokenless two-factor authentication within an organisation means authentication can be tailored to specific needs, budgets and working patterns.

But, having realised the benefits of deploying both token and tokenless 2FA, the problem organisations will face is that most two-factor authentication vendors will offer only one or the other.  

So yes, the death of the token is greatly exaggerated. Instead, resellers need to look for the best combination of both solutions.
