Internet.com ISP-Planet
Beyond Passwords: Implementing The Vision — continued

by Lisa Phifer
VP Core Competence, Inc.
[April 5, 2005]

3. Hardware Tokens
Hardware tokens are the most popular two-factor authentication method in use today. Traditional tokens take the concept behind one-time password generation to a whole new level, combining that with a second authentication factor. Newer hardware tokens tend to pair different kinds of credentials, skipping passwords altogether.

Although token authenticators are also available as software clients, most are sold as a small piece of hardware—a keychain fob, a credit-card sized PINpad, or a USB device. For example, this figure (right) illustrates a traditional RSA Security SecurID Fob and SecurID PINpad. As we can see, both tokens display a number—this is effectively a one-time password. However, instead of being statically generated with an algorithm like S/KEY, a new pseudo-random number is dynamically generated every 60 seconds. The next number cannot be predicted or guessed, except by the Authentication Server that initialized the token.

After initialization, whenever the user attempts to authenticate, she is prompted for a "passcode." In response, she types the number currently displayed on the token, followed by her Personal Identification Number (PIN). This interaction is similar to "normal" password authentication, so it fits well with many protocols and applications. If the user reaches the end of a 60-second interval, she may be prompted for another passcode, and of course she cannot authenticate if she's accidentally left her token at home. Replacing a lost token isn't as instantaneous as resetting a forgotten password. However, many organizations consider these to be minor inconveniences in light of the significantly stronger authentication that two-factor hardware tokens offer.
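The server side of that exchange can be sketched as follows. This is an added example, not code from the article or from any vendor: it uses the open RFC 6238 TOTP construction as a stand-in for the token's proprietary generator, and the `AuthServer` class, six-digit display, and one-interval clock-drift allowance are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import struct

STEP = 60    # seconds each tokencode is displayed, per the article
DIGITS = 6   # assumption: six-digit display

def tokencode(seed: bytes, t: float) -> str:
    """Stand-in generator (RFC 6238 TOTP, HMAC-SHA1); SecurID's own algorithm differs."""
    counter = struct.pack(">Q", int(t) // STEP)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def _pin_hash(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class AuthServer:
    """Hypothetical server: holds each token's seed and a salted hash of the PIN."""
    def __init__(self, drift: int = 1):
        self.drift = drift   # intervals of clock skew tolerated (assumption)
        self.users = {}

    def enroll(self, name: str, seed: bytes, pin: str) -> None:
        salt = os.urandom(16)
        self.users[name] = {"seed": seed, "salt": salt,
                            "pin": _pin_hash(pin, salt), "last": -1}

    def verify(self, name: str, passcode: str, now: float) -> bool:
        user = self.users.get(name)
        if user is None or len(passcode) <= DIGITS:
            return False
        # Passcode = displayed number followed by the PIN, as the article describes.
        code, pin = passcode[:DIGITS], passcode[DIGITS:]
        pin_ok = hmac.compare_digest(_pin_hash(pin, user["salt"]), user["pin"])
        current = int(now) // STEP
        for step in range(current - self.drift, current + self.drift + 1):
            expected = tokencode(user["seed"], step * STEP)
            match = hmac.compare_digest(code.encode(), expected.encode())
            # step > last: a tokencode is accepted once, then never again (no replay).
            if match and pin_ok and step > user["last"]:
                user["last"] = step
                return True
        return False
```

Setting `drift=0` makes the server reject a number typed just after the interval rolls over, which is the re-prompt case mentioned above.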

Recently, there has been considerable growth in USB hardware tokens. Some USB tokens can operate in a fashion similar to that just described and support other (non-interactive) forms of strong authentication. For example, the VeriSign Unified USB Authenticators illustrated at right are available in two form factors—one that supports token code display and another that does not.

USB hardware token functions vary quite a bit, but generally support more automation and multiple authentication methods, including digital certificates. For example, ActivCard's USB Key stores a user's private keys, passwords, and profiles for network access. The user plugs the key into a USB port on his computer and enters his PIN. Thereafter, he can be authenticated using any of the credentials stored on the key—legacy password, dynamic one-time password, or certificate—as required by each of the systems and applications he communicates with. USB keys work with client software installed on the user's computer—in this example, ActivCard Gold.

There are many vendors that sell authentication tokens. Most sell an assortment of hardware, including fobs and USB keys and combinations thereof. Some also sell passcode-generator software to turn a small-footprint device like a PDA or Smartphone into a token. A few examples of vendors in the hardware token market include:

Allocating tokens, replacing damaged or lost tokens, and purchasing the associated authentication server software does involve cost. For example, a 2004 Infrastructure Software and Systems Management survey published by the Susquehanna Financial Group stated that RSA Security's average selling price is about $40 per token with a typical three to four year life.

Vendors do compete vigorously on token pricing and offer volume discounts, so consider this merely as one example, and do your own shopping.
