Wednesday, March 16, 2011

Death of Tokens

Death of Physical Tokens

In 2011, technology has come together to hammer the final nail into the physical token’s coffin. Nothing lasts forever and two-factor authentication isn’t any different. It too has experienced advancements, from the original complex and time-consuming challenge tokens of the 70s to the time-synchronised tokens of the 80s. 30 years later, it’s as if time has stood still: the majority of physical tokens still rely on this outdated technology, but the tide is turning.

In 2000 the number of mobile phones started to sharply increase. In fact, according to gsmworld.com, there are over 4,947,400,000 GSM and 3GSM connections globally with the figure steadily increasing every second. By the time you’re reading this it wouldn’t surprise me if that figure had topped 5,000,000,000.

Utilising SMS technology, any mobile phone can be used as an authentication token. A passcode is sent to a user’s device, eliminating the need for a physical token. Other enhancements include the option of reusing a user’s existing password instead of remembering a separate PIN.

However, SMS technology alone isn’t the answer as there have been instances when it has proved to be unreliable. In a small number of cases, estimated at 4%, SMS messages can take longer than 1 minute to get through. Other issues could be the network is temporarily suspended or the user may be in a signal dead spot, such as the basement of a building or computer room. It is this argument that has saved physical tokens in the past - but it can no longer stave off the Grim Reaper’s scythe.

With the advent of pre-loaded codes, mobile phones are able to hurdle this final barrier. As soon as a user enters their authentication code, the system automatically forwards a new SMS message, overwriting the code in an existing message ready for the next session.
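As an added illustration (not SecurEnvoy’s code and not part of the original post), a minimal server-side model of the pre-loaded code flow described above: the stored code is single-use, the next code is sent the moment one is accepted, and repeated wrong guesses discard the current code and send a fresh one. The class and function names, the six-digit format, the attempt limit and the simulated SMS outbox are all assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

MAX_ATTEMPTS = 5  # wrong guesses tolerated before the pre-loaded code is discarded (assumed)


def random_code() -> str:
    return f"{secrets.randbelow(10**6):06d}"  # six-digit code from the CSPRNG


@dataclass
class User:
    phone: str
    code_hash: Optional[bytes] = None  # only a hash of the pre-loaded code is stored
    attempts: int = 0


@dataclass
class PreloadedSmsOtp:
    users: Dict[str, User]
    gen: Callable[[], str] = random_code  # injectable so tests can be deterministic
    outbox: List[Tuple[str, str]] = field(default_factory=list)  # simulated SMS gateway

    def _send_next(self, user: User) -> None:
        code = self.gen()
        user.code_hash = hashlib.sha256(code.encode()).digest()
        user.attempts = 0
        self.outbox.append((user.phone, f"Your passcode is {code}"))

    def enrol(self, username: str) -> None:
        self._send_next(self.users[username])  # first code is pre-loaded at enrolment

    def verify(self, username: str, password_ok: bool, code: str) -> bool:
        user = self.users.get(username)
        if user is None or user.code_hash is None or not password_ok:
            return False  # password is the first factor; nothing is consumed on failure
        given = hashlib.sha256(code.encode()).digest()
        if not hmac.compare_digest(given, user.code_hash):
            user.attempts += 1
            if user.attempts >= MAX_ATTEMPTS:
                self._send_next(user)  # too many guesses: rotate the code and notify the user
            return False
        user.code_hash = None  # consume the code: it is single-use, so a replay fails
        self._send_next(user)  # pre-load the next code while the user is still online
        return True
```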

I’ve invested far too much in tokens to change now?
It’s always going to be hard to justify writing off an investment. Yet that’s the sensible thing to do if you don’t want to continue haemorrhaging money supporting an old technology:

• For starters, it is estimated that moving to SMS authentication will reduce ongoing running costs by 40 – 60%! This is substantiated by Gartner with its belief that “SMS OTP approaches the security of a dedicated hardware token, but at a lower cost and with higher convenience.”

• Due to their lifespan, you’ll have to replace all your tokens within the next three to five years. With an SMS system, the majority of your users will already have a mobile phone. If for any reason a user does not have a mobile phone, a voice text can be sent instead to a number stored on the system.

• There is the argument that people do misplace their mobile phones, but this is also true for physical tokens. People’s attachment to their mobile is the differentiator: research by YouGov recently revealed that a third of the population would notice they’d lost their mobile phone within 15 minutes and 60% would within the hour. A physical token carries no such attachment, so its loss may not be discovered until the user actually needs to use it, which could be hours, or even days, later!

• Using automation, an SMS system can be set up in a day (an average of 300 users per minute) instead of six months. The existing employee database is used, with mobile numbers automatically identified. For records where a number is not listed, an email is automatically sent requesting the user to self-enrol.

• It can offer substantial benefits for organisations looking to reduce their carbon footprint. It would require 1673 trees to offset the emissions created in deploying 3000 tokens.

Goode Intelligence recognises that pre-loaded codes are changing the playing field, predicting that “40% of organisations plan to deploy services that will enable employees to use their mobile phone as an authentication device by the end of 2011.”

This is substantiated by our own recent poll, conducted between November last year and January, in which 146 people were asked: ‘Should SecurEnvoy add support for hardware tokens?’ An overwhelming 98% responded no, so it’s not just me who believes the physical token is dead.