I’ve been thinking about strong authentication (SA) lately as it relates to some client work I’m doing. The technology has matured over the past few years, and the acceptance by both users and clients is growing. A few years ago I would deliver presentations on multi-factor authentication and I would pass around an RSA SecurID fob. Fully half the audience had never seen one and had no idea what it was for. Today, you’d be hard pressed to find an enterprise or government user who was unfamiliar with SA devices.
So what are the current options for SA? My SA world right now is mostly concerned with public access to confidential information held by government, education and health organizations, so I’ll limit the scope to applications in these spaces.
This makes it easy to eliminate a few things: for real and perceived privacy reasons, biometrics are difficult for public users to accept, and the lack of readers on individual users’ desktops is a problem; smart cards are an excellent technology platform for SA, but again readers are not yet common enough for a public-scale roll-out to be successful; certain one-time password (OTP) token solutions — including the venerable RSA SecurID — are cost prohibitive for deployment to large numbers of public users; and software tokens, those virtual token generators running on the desktop PC, are prone to virus attack and too easy to share between users from the same household. (More to this last point, software-based tokens can be deployed to individual users on a shared desktop, but then access to the token is inevitably protected by a password… not really an SA solution by most definitions.)
Fortunately, that still leaves a fairly large number of options:
USB tokens — There are a number of tokens available in a USB format (Aladdin, RSA, etc.). Most are deployed with a certificate and work within PKI environments. The devices are becoming viable for large implementations because USB devices are easily supported on most computers, and the general public has become much more comfortable plugging devices into USB ports.
Value-priced OTP fobs — Entrust, ActivIdentity and others have driven the cost of fob-based SA systems to less than a third of RSA SecurID. While these products might not match RSA’s robust encryption, many large deployments are at least considering traditional tokens again due to these lower cost options.
Grid cards — Also known as ‘paper authenticators’ or ‘Bingo cards’, these wallet-friendly cards contain rows of numbers organized in a grid. The authentication system prompts the user for the values in particular cells, identified by column and row. Because the user possesses a unique card, this provides SA. Drawback: grid cards are easy to duplicate… A variation, one-time ‘scratch’ cards, overcomes this limitation. OTPs are hidden under a scratchable surface (think scratch lottery tickets) and a new one is used each time for access.
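To make the grid-card flow concrete, here is an added example of the server side of both variants (this is illustrative code written for this post, not a vendor’s implementation). The card layout, cell length and number of challenged cells are constructed assumptions; the interesting parts are that the static grid can answer any challenge as often as asked (which is why a photocopy is a problem), while the scratch variant consumes each code exactly once.

```python
import hmac
import secrets
import string

# Constructed layout for the example: 8 lettered rows by 5 numbered
# columns, each cell holding a 3-character code. Real cards vary.
ROW_LABELS = "ABCDEFGH"
COL_LABELS = "12345"
CELL_ALPHABET = string.ascii_uppercase + string.digits
CELL_LEN = 3
CELLS_PER_CHALLENGE = 3


def generate_grid():
    """Issue a fresh grid card as a {(row, col): code} map.

    The server keeps this copy; the user receives it printed on a card.
    """
    return {
        (row, col): "".join(secrets.choice(CELL_ALPHABET) for _ in range(CELL_LEN))
        for row in ROW_LABELS
        for col in COL_LABELS
    }


def new_challenge(grid, n_cells=CELLS_PER_CHALLENGE):
    """Pick distinct cells at random; the user is asked to read these off the card."""
    return secrets.SystemRandom().sample(sorted(grid), n_cells)


def check_response(grid, challenge, response):
    """True if the supplied codes match the challenged cells.

    Responses are joined and compared in constant time so a mismatch in the
    first cell is not distinguishable from a mismatch in the last.
    """
    expected = "".join(grid[cell] for cell in challenge)
    supplied = "".join(response)
    return hmac.compare_digest(expected.encode(), supplied.encode())


class ScratchCard:
    """One-time 'scratch' variant: codes are consumed in order and never reused.

    A copy of the card is useless for codes the legitimate holder has already
    spent, which is the property a static grid card lacks.
    """

    def __init__(self, n_codes=20, code_len=6):
        self.codes = [
            "".join(secrets.choice(string.digits) for _ in range(code_len))
            for _ in range(n_codes)
        ]
        self.next_index = 0  # position of the next unscratched code

    def remaining(self):
        return len(self.codes) - self.next_index

    def redeem(self, code):
        """Accept only the next unused code; a correct answer consumes it."""
        if self.next_index >= len(self.codes):
            return False  # card exhausted, the user needs a new one
        expected = self.codes[self.next_index]
        if hmac.compare_digest(expected.encode(), code.encode()):
            self.next_index += 1
            return True
        return False
```

A real deployment would persist `grid` and `next_index` per user and throttle failed `check_response` / `redeem` calls, since a three-cell challenge over a 36-character alphabet is only as strong as the attempt limit in front of it.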
Mobile SMS — One of the more difficult problems (and cost concerns) with large-scale SA is the issuing and managing of SA devices. Mobile SMS addresses this problem by using an authenticator that the user already has: their mobile phone. An SMS message containing an OTP is sent to the registered user, and this OTP is used as the second factor in the authentication. More robust implementations replace SMS with a phone-generated token. Mobile SMS solutions benefit from the widespread use of cell phones (especially among younger users) and the high percentage of time people have them in their physical possession.
Voice delivered token — A variation on the mobile phone authenticator is to deliver the OTP via an automated voice call. This can provide some additional security when combined with a PIN, and a voice-delivered OTP might be easier for certain public users, particularly those with vision problems or certain cognitive challenges (e.g. dyslexia).
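The SMS and voice options above share the same server-side logic, so here is one added example covering both (written for this post; it is not any vendor’s product code). The `send` hook stands in for whatever gateway delivers the text, SMS or text-to-speech; the six-digit length, five-minute lifetime, three-attempt limit and the PIN-plus-code check from the voice variant are all constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300   # a delivered code is good for five minutes
MAX_ATTEMPTS = 3        # then the code is discarded and must be re-issued
PBKDF2_ROUNDS = 100_000


class PhoneOtpService:
    """Server side of a phone-delivered one-time password.

    `send(phone_number, text)` is the delivery hook: an SMS gateway or a
    text-to-speech voice call. `clock` is injectable so expiry can be tested.
    """

    def __init__(self, send, clock=time.time):
        self.send = send
        self.clock = clock
        self.pins = {}      # user_id -> (salt, pbkdf2 hash) of the enrolled PIN
        self.pending = {}   # user_id -> {"code", "expires", "attempts"}

    def enroll_pin(self, user_id, pin):
        """Store the PIN (the 'something you know' half) salted and stretched."""
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)
        self.pins[user_id] = (salt, digest)

    def _pin_matches(self, user_id, pin):
        stored = self.pins.get(user_id)
        if stored is None:
            return False
        salt, digest = stored
        candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(digest, candidate)

    def issue(self, user_id, phone_number):
        """Generate a code, remember it with an expiry, and deliver it to the phone."""
        # secrets.randbelow gives an unbiased value; zero-pad to the full width
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self.pending[user_id] = {
            "code": code,
            "expires": self.clock() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        minutes = OTP_TTL_SECONDS // 60
        self.send(phone_number, f"Your one-time code is {code}. It expires in {minutes} minutes.")
        return True

    def verify(self, user_id, pin, supplied_code):
        """Second-factor check: the PIN and the delivered code must both be right.

        A code is single use, dies at its expiry, and is thrown away after
        MAX_ATTEMPTS wrong guesses so it cannot be brute-forced at leisure.
        """
        entry = self.pending.get(user_id)
        if entry is None:
            return False
        if self.clock() > entry["expires"]:
            del self.pending[user_id]
            return False
        entry["attempts"] += 1
        # Evaluate both checks unconditionally so a wrong PIN and a wrong code
        # take the same path and leak nothing about which half failed.
        pin_ok = self._pin_matches(user_id, pin)
        code_ok = hmac.compare_digest(entry["code"].encode(), supplied_code.encode())
        ok = pin_ok and code_ok
        if ok or entry["attempts"] >= MAX_ATTEMPTS:
            del self.pending[user_id]
        return ok
```

The in-memory dictionaries would be a database or cache in production, and the phone number used by `issue` should be the one captured at enrollment rather than anything supplied at login time, since the whole scheme rests on the code reaching a device the user already holds.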
This narrowing of the options makes analysis of SA solutions for large public user projects a bit easier:
- Is low cost a primary driver? Grid cards and Mobile SMS are likely your best options.
- Worried about device or card management? Mobile phone solutions gently push this task onto your users.
- Do you want the flexibility to store certificates and data? USB tokens are proven solutions to meet this need.
- Are you (or your users) most comfortable with a ‘traditional’ fob solution? Look to cost-savvy providers of OTP tokens.
Finally, blending these technologies into a solution is recommended. For example, not all users possess cell phones, so you’ll want an alternate technology (fob or grid card perhaps) as an option. In the public user space, you need to be careful about forcing a specific technology onto your user base — a degree of user choice is always recommended.
Ultimately it is a matter of picking the best solution to meet your needs — and no matter what your criteria may be, today’s SA vendors truly have viable options to offer.