Opinion

Traditional tokens handed death sentence

Andrew Kemshall, co-founder of SecurEnvoy

Few technologies have stood the test of time as well as physical tokens, but they're not perfect. The fact is there are a number of issues with their utilisation, some of which have been around since their introduction 30 years ago.

Let's look at the evidence:

  • Token deployment is time consuming. Distributing 1000 tokens, with many sent by post to remote workers, will take six months to complete.
  • 10% will be broken, misplaced or stolen and need replacing each year
  • Each token's life span is typically three to five years before it needs replacing
  • End users will forget them
  • Physical tokens require ongoing administration, such as PIN management, re-synchronisation and replacing lost or broken tokens
  • Third party contractors find themselves carrying around tokens for various clients and having to work out which one is right for each system
  • The stark reality is organisations will take the decision that the security offered by two factor authentication isn't justified against this level of investment

SMS Presents Its Case

In 2000 mobile phone ownership increased sharply. In fact, according to gsmworld.com, there are over 4,947,400,000 GSM and 3GSM connections globally with the figure steadily increasing every second.

Utilising SMS technology, any mobile phone can be an authentication token. However, SMS technology alone isn't the answer, as it has proved occasionally unreliable. It is this argument that has saved physical tokens in the past - but it can no longer stave off the Grim Reaper's scythe.

With the advent of pre-loaded codes, mobile phones are able to hurdle this final barrier. As soon as a user enters their authentication code, the system automatically forwards a new SMS message, overwriting the code in an existing message ready for the next session.
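The pre-loaded code cycle described above, sketched as an added example (not SecurEnvoy's code): the server keeps one outstanding code per user and replaces it as soon as it has been used, so the next code is already on the phone before the next login. The six-digit format, the `send_sms` callback and the choice to leave the stored code in place after a wrong guess are assumptions.

```python
import hashlib
import hmac
import secrets


class PreloadedCodeAuth:
    """Server side of a pre-loaded SMS passcode scheme (illustrative sketch)."""

    def __init__(self, send_sms):
        self._send_sms = send_sms   # hypothetical gateway callback: (user, text)
        self._pending = {}          # user -> SHA-256 digest of the code now on the phone

    def _issue(self, user):
        while True:
            code = f"{secrets.randbelow(10**6):06d}"   # six digits from a CSPRNG
            digest = hashlib.sha256(code.encode()).digest()
            if digest != self._pending.get(user):      # never re-issue the code just used
                break
        self._pending[user] = digest
        self._send_sms(user, code)  # delivered ahead of the next session

    def enrol(self, user):
        self._issue(user)

    def verify(self, user, submitted):
        expected = self._pending.get(user)
        if expected is None:
            return False
        digest = hashlib.sha256(submitted.encode()).digest()
        if not hmac.compare_digest(digest, expected):
            return False            # assumption: a wrong guess keeps the stored code
        self._issue(user)           # used code is replaced at once: no replay
        return True


def demo():
    outbox = []                     # constructed stand-in for the SMS gateway
    auth = PreloadedCodeAuth(lambda user, text: outbox.append((user, text)))
    auth.enrol("alice")
    first = outbox[-1][1]
    wrong = "000000" if first != "000000" else "111111"
    results = {
        "wrong_rejected": not auth.verify("alice", wrong),
        "first_accepted": auth.verify("alice", first),
        "messages_sent": len(outbox),
    }
    results["replay_rejected"] = not auth.verify("alice", first)
    results["next_accepted"] = auth.verify("alice", outbox[-1][1])
    return results


if __name__ == "__main__":
    print(demo())
```

A late SMS only delays the code for the following session; the code needed for the current login was delivered after the previous one.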

I've invested far too much in tokens to change now?

It's always going to be hard to justify writing off an investment. Yet that's the sensible thing to do if you don't want to continue hemorrhaging money supporting an old technology:

  • Moving to SMS authentication will reduce ongoing running costs by 40 - 60%!
  • Using automation, an SMS system can be set up in a day
  • You won't need to replace dead tokens
  • Organisations will reduce their carbon footprint - it requires 1673 trees to offset emissions created deploying 3000 tokens
  • While some will hide behind the argument that people lose phones too, it's their attachment that's the differentiator, with research showing a third of the population would notice they'd lost their mobile phone within 15 minutes and 60% within the hour

Goode Intelligence recognises that pre-loaded codes are changing the playing field, predicting that "40% of organisations plan to deploy services that will enable employees to use their mobile phone as an authentication device by the end of 2011."

This is substantiated by our own recent poll, conducted between November last year and January, in which 146 people were asked: 'Should SecurEnvoy add support for hardware tokens?' An overwhelming 98% responded no, so it's not just me that believes the physical token is dead.

This was first published in March 2011
