InfoSecurity India's First Magazine on Comprehensive IT Security
InfoSecurity Feb 2010

Product Trend

Authentication Tokens: A Paradigm Shift

Stronger protection for company resources demands strong authentication protocols. Authentication tokens are one solution to the ever-growing challenge of unauthorized access. But as new technologies emerge, authentication token technology and designs are also shifting. This article takes a look at the shifting trend in the approach and technology of these token devices.

As individuals and organizations become more and more internet-oriented and more dependent on the digital computing environment, the risks involved also grow at a phenomenal speed. New, advanced and intelligent tools and techniques have sharpened the skills of cyber criminals far beyond what they ever were before. New sophisticated and complicated hacking methods have made administrators' lives miserable. Every day, CIOs are under tremendous pressure from ever-growing internet attacks and find it tough to prevent the theft of sensitive data and information.

Authentication devices or tokens are among the most promising solutions: they help to prevent intrusion and data theft and, most importantly, protect an organization's reputation. Several authentication tokens are available in the global market from different authentication device vendors. In this article, we discuss the nature of these devices, their benefits and future trends.

Market Size

Every internet user who uses a user name and password to log on to email, a social networking site, a corporate intranet or an online banking account is a potential user of authentication tokens. So the market for authentication tokens is as large as the population of India and the number of business entities put together. Each person can have his own digital identity stored in a secure PKI authentication token, which he can use to authenticate to all kinds of online services (online banking, email services etc.) and to sign documents (filing of income tax returns, commercial tax returns etc.). There are 1.7 billion internet users worldwide; that is how big the market is.

Experts believe that in 2010 the authentication market can serve over 2 billion users. Each user can access multiple applications, so the number of applications to be secured is higher than 2 billion. In India, experts see banks increasingly following banks worldwide in adopting strong authentication. In enterprise security, remote access and VPN connections are becoming more common and have gained in popularity, which creates additional opportunity for the adoption of strong authentication. Furthermore, Indian companies are also embracing SaaS applications, which can also be secured with two-factor authentication. According to a survey, the authentication token market was around $1.8 billion in 2003. Today it stands at $5 billion.

Considering the scalability limitations of hardware tokens, experts do not expect them to get more than 10% of new unit sales of authentication tokens. Gartner expects software-based authentication products to generate $381 million in revenue in 2010. Experts from PortWise expect a large percentage of software authentication tokens to be mobile phone-based. A report by Goode Intelligence forecasts that mobile phone-based authentication products and services will generate US$153 million in 2010 and that the market will grow to almost US$760 million in revenue by 2014.

Experts from Vasco believe that of the 2 billion users, over 1.5 billion are open to software authentication. In India, Vasco experts see that one-button authenticators remain very popular because of their ease of use and easy deployment. They do, however, see a growing interest in software-based authentication, because end users do not need to carry an extra device and because of the cost associated with deploying software-based solutions. Furthermore, India is a large country, which makes software authentication all the more appealing.

Hardware Token vs. Software Token—Who is Ahead?

Physical tokens are designed to be tamper resistant, which is an important property. By design, if a physical token is tampered with, the token's internally stored "seed record" (symmetric key) is lost, to prevent a physical attacker from duplicating the token. Soft tokens, however, do not share this property. A soft token consists of two components: 1) the software application code that implements the one-time password function and 2) the seed record the application uses to generate the one-time password function's output.

"Perfect duplication" is a property of the Internet/Information Age that is shaking the world. The recording and movie production industries are having a hard time fighting perfect duplication as a means of circumventing licensed use of digital media. Perfect duplication can be a business enabler as well, as it is for news syndication services that distribute perfect copies of their stories to the far reaches of the world in a matter of seconds. In the case of soft tokens, though, perfect duplication is a deal breaker.

Soft tokens are designed to be flexible. It is difficult to provision a hardware token to an employee halfway around the world on the same day as the request, but with soft tokens provisioning is a piece of cake. Likewise, it is easier to recover soft tokens when that same employee is terminated. Soft tokens run on virtually any platform. RSA supports everything from Windows desktops to browser toolbars to mobile devices; all you need to do is import the seed record.

Distributing seed records to many of the platforms supported by soft token vendors involves plaintext transmission, such as sending the seed record as an email attachment to a BlackBerry client. An administrator may provision the seed record encrypted with an initial passphrase that is distributed out of band, but it is common practice for seed records and initial passphrases to be distributed side by side. Whereas a physical token can only be in one place at a time, a soft token can be perfectly duplicated by an eavesdropper, even complete with its initial passphrase (especially when it is not distributed out of band). If Alice receives her soft token and changes its passphrase, Eve can keep her perfect copy with the initial passphrase or choose to change the passphrase; either way, the back end of the one-time-password authentication system will receive a valid token code (a one-time code derived from the current time and the seed record).

Likewise, a soft token employed on a malware-ridden remote PC could have its stored contents uploaded to an adversary's server, capturing the seed record. If the malware also captures keystrokes (as software keystroke logging is so common these days), then another opportunity for a perfect duplicate exists. Soft tokens are vulnerable to severe distributed key management problems. Bob (the administrator in this case) cannot know if the one time password was generated by Alice's soft token application or Eve's perfect duplicate.
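
The duplication problem described above, as an added example that is not the article's or any vendor's code: an OATH-style HOTP/TOTP generator in the form the back end expects, with the RFC 4226 test secret standing in for the seed record, and a minimal server that records the last accepted time step. The replay guard stops one code being used twice, but it cannot tell Alice's token from Eve's copy: both produce the same code, and whichever copy submits first is accepted.

```python
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current 30-second time step."""
    return hotp(seed, unix_time // step, digits)


class OtpServer:
    """Back end (Bob's side): one seed record per user plus the last accepted time step."""

    def __init__(self, seeds: dict):
        self.seeds = dict(seeds)
        self.last_step = {}  # replay guard: a time step is consumed once a code for it is accepted

    def verify(self, user: str, code: str, unix_time: int, window: int = 1) -> bool:
        seed = self.seeds[user]
        now = unix_time // 30
        for step in range(now - window, now + window + 1):
            if step <= self.last_step.get(user, -1):
                continue  # this step (or an older one) was already used: reject the replay
            if hmac.compare_digest(hotp(seed, step), code):
                self.last_step[user] = step
                return True
        return False


def duplication_demo(unix_time: int = 59) -> tuple:
    """Alice's token and Eve's perfect copy share the seed, so they emit the same code."""
    seed = b"12345678901234567890"  # constructed seed record (the RFC 4226 test secret)
    server = OtpServer({"alice": seed})
    alice_code = totp(seed, unix_time)
    eve_code = totp(seed, unix_time)  # Eve's duplicate runs the same function on the same seed
    eve_accepted = server.verify("alice", eve_code, unix_time)      # first submission wins
    alice_accepted = server.verify("alice", alice_code, unix_time)  # same step: replay rejected
    return alice_code == eve_code, eve_accepted, alice_accepted
```

The server's only lever is ordering: it can refuse the second copy of a code, but it has no way to know whether the first one came from Alice or from Eve.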

Like any other product, the authentication token market is going through its own life cycle and learning curve. Software authenticators have certain appealing elements (primarily the perception of zero cost of goods and hence the ability to drive down pricing, not having to deal with an inventory of hardware tokens, and the time it takes to replace a faulty or lost token) that are making the market explore this option. Rana Gupta, Business Head, India & SAARC, SafeNet, says, "It is too early to say that Software Authenticators have or will take over the Hardware Tokens. They have their own set of challenges and I believe the market will learn from its experience and decide how to judiciously make use of the two form factors available at its disposal."

Hardware tokens have well-documented limitations. They have a prohibitive cost of procurement, distribution, upgrade and replacement. They do not protect against emerging threats such as man-in-the-middle attacks. They are not able to provide out-of-band authentication. Users are forced to carry an extra device, and a user would end up with multiple tokens in order to use different services. That is why Tejas Lagad, Director, Product Management, BFSI, PortWise, believes that mobile phone-based authentication tokens overcome all these challenges without compromising on security. Goode Intelligence predicts that within the next 18 months, hardware authentication vendors will lose market share to mobile phone authentication specialist vendors.

Rajiv Chadha, Vice President, VeriSign, says that software tokens are fast catching up with hardware tokens and becoming popular. Mobile computing is driving this big shift, and software tokens should overtake hardware tokens in the long run. The mobile phone is a ubiquitous device in the Indian market, with more than 300 million mobile users; it is convenient to carry only one device, and a mobile is an easy device onto which to download an application. Hardware tokens, on the other hand, involve dispatch, maintenance, loss or damage etc., whereas a mobile token is just another application on one's mobile. Gurudutt Shenoy, Founder & CEO, EasySecured Software, also believes that market penetration depends more on marketing than on technical qualification. Software tokens are easier to manage than hardware tokens.

But Vikram Gidwani, Sales Manager, India, Vasco, has a different perspective altogether. He says it depends how you look at it. A few vendors offer software and hardware authentication security on one unified server platform. He does not think it is an "either/or" discussion; he believes that hardware and software authentication will co-exist next to each other. It all depends on the type of application that needs to be protected. Security is always a trade-off between pure security, ease of use and TCO (Total Cost of Ownership). So it is obvious that for "low-value" or "low-risk" applications (checking frequent flyer miles, access to online newspapers...) software authentication could be used, while for "high-risk" or "high-value" applications (online banking, brokerage, corporate applications such as cash management...) hardware authentication could be used. Vikram Gidwani expects both the software and the hardware authentication markets to keep growing over the next few years.

Future Trend in Technology and Design

Experts and analysts believe that the world will soon see a convergence of physical and logical authentication tokens. Mobile phones with Near Field Communication (NFC) will allow the phone to be used like a contactless card, so users can gain physical access to secured premises. The same mobile phones will also carry software-based tokens that can authenticate users to applications and also generate transaction signatures to counter man-in-the-middle and man-in-the-browser attacks.

Where hardware tokens are employed, the form factor will be a card that fits easily in a wallet. The cards will have an embedded RFID chip to allow holders to gain physical access to secured premises. These hardware token cards will also have a digital display and PIN pad so users can generate transaction signatures. Hardware tokens will be based on the OATH standard to ensure interoperability.

End users will be able to access multiple applications with one single authentication credential. That will be the biggest change. With regard to design, several changes can happen, but ease of use, environmental aspects and platform-related security will be developed further. As hacking attempts become more sophisticated, we also see a trend towards "what you see is what you sign": authentication solutions with a large screen that let the end user read and validate the transaction data on the screen of the authenticator before signing it.

The future is in biometric solutions on a mass scale coupled with more intelligent design of software to manage the authentication process.

Two factor or Multifactor?

Security will always be built on a layered approach. Depending on the nature of an enterprise's exposure in the online world, it can upgrade to 2FA. Two-factor authentication (2FA) is a stronger form of verification and is fast gaining in popularity. 2FA reduces the risk of fraud because it combines what the end user knows (user name and password) with what he has (such as a one-time password (OTP) generated by a physical device or the mobile phone). A user cannot successfully sign on without both.

The next step is fraud detection services (FDS), which are based on analysis of consumer behaviour. An advanced fraud detection service has the capacity to process more than a thousand transactions per second to detect anomalies in real time. A rules engine and a self-learning behaviour engine process each event to determine risk based on pre-determined parameters including location, device, time, network address, transaction type and user information. If the risk threshold is exceeded, the intervention engine can be invoked to require a higher level of authentication. Fraud investigation and case management tools help internal teams investigate and resolve potential fraud quickly and efficiently.
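
The rules-plus-behaviour flow described above, as an added illustration that is not the article's or any vendor's code: a small rules engine that scores each event on the parameters the paragraph lists (device, location, network address, time, transaction type), a self-learning baseline that is extended only by low-risk events, and an intervention decision that demands step-up authentication once the threshold is crossed. The field names, weights, threshold and sample events are all constructed assumptions.

```python
STEP_UP_THRESHOLD = 50  # assumed: risk points at which the intervention engine asks for stronger auth

# Rules engine, assumed weights: points added when the user has never been seen with this value.
NOVELTY_RULES = {"device": 30, "country": 40, "network": 20, "hour": 10}


def score(event: dict, profile: dict) -> tuple:
    """Return (risk points, reasons); the reasons feed the case-management trail."""
    points, reasons = 0, []
    for attr, weight in NOVELTY_RULES.items():
        seen = profile.get(attr, set())
        if seen and event[attr] not in seen:  # cold start: an empty baseline raises nothing
            points += weight
            reasons.append(f"new {attr}: {event[attr]}")
    if event["tx_type"] == "transfer" and event["amount"] >= 10000:
        points += 25
        reasons.append("high-value transfer")
    return points, reasons


def decide(event: dict, profile: dict) -> tuple:
    """Intervention engine: ('allow' | 'step_up', points, reasons).

    Only allowed (low-risk) events teach the behaviour baseline, so an anomalous
    event that triggered step-up does not silently become 'normal'.
    """
    points, reasons = score(event, profile)
    if points >= STEP_UP_THRESHOLD:
        return "step_up", points, reasons
    for attr in NOVELTY_RULES:
        profile.setdefault(attr, set()).add(event[attr])
    return "allow", points, reasons


def run_demo() -> list:
    """Three constructed events for one user: two routine ones, then an anomalous transfer."""
    profile = {}  # fresh self-learning profile for the user
    events = [
        {"user": "alice", "device": "laptop-1", "country": "IN", "network": "203.0.113",
         "hour": 10, "tx_type": "balance", "amount": 0},
        {"user": "alice", "device": "laptop-1", "country": "IN", "network": "203.0.113",
         "hour": 11, "tx_type": "transfer", "amount": 2500},
        {"user": "alice", "device": "phone-9", "country": "RO", "network": "198.51.100",
         "hour": 3, "tx_type": "transfer", "amount": 15000},
    ]
    return [decide(e, profile) for e in events]
```

In the demo the second event scores 10 points for an unfamiliar hour but stays below the threshold, while the third event collects points from every rule and is routed to step-up authentication.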

The cost of biometric authentication readers is still prohibitive. There have also been concerns about the accuracy of biometric authentication. As per a report by the National Institute of Standards and Technology (NIST), the best system was accurate 98.6 percent of the time on single-finger tests, 99.6 percent of the time on two-finger tests, and 99.9 percent of the time for tests involving four or more fingers. As per the Biometric Committee Report of the Unique Identification Authority of India (UIDAI), for a single person the amount of biometric data stored will be equivalent to 10,215 TB!
With more and more people using wireless technology, the future is not only about whether authentication is two- or multi-factor but also about how securely the information is transmitted and stored. A few experts feel there will be an urge to have 3-factor authentication based on what you know, what you have and who you are. But for almost all purposes, an authenticator can be two-factor while still serving multi-factor authentication.

Where Is It Heading?

As the sophistication of criminals grows exponentially, there is a growing realization that strong authentication based on two or more factors is not enough to counter future crimes. The future lies in adaptive, context-aware, versatile authentication services that are layered and pervasive. In future, secure access for mobile and fixed computing will also cover assessment of end-user devices and the removal of traces left behind by the user.

Experts from VeriSign believe that the future trend is towards mobile-based tokens, which cover a larger user base; network-based tokens, i.e., one token for multiple sites or enterprises; and tokens delivered as a cloud service. EasySecured experts feel the trend will be towards wireless or zero-point authentication technology, which works just like a cellphone, or something embedded in the cellphone like the SIM card, and which will authenticate other hardware devices or software applications.

—By: 'InfoSecurity' Bureau.



© 2006-07 'InfoSecurity' magazine. All rights reserved.