How they work
Used in combination with a user name and password, tokens
are a popular means of strong, two-factor authentication (something you know and something you have). There is a wide variety of tokens available,
including USB tokens, random-number-generator key fobs that produce one-time passwords and software
tokens that emulate the function of a hardware token on a computing device.
Pros and cons
Among the token choices, the USB token tends to be the most cost-effective and versatile. The USB port
is standard equipment on today's PCs, so a separate reader is not required as it is for other
two-factor authentication methods such as smart cards. Unlike random number generators like RSA
Security's SecurID, USB tokens provide storage for various certificates and logon credentials, making
them more flexible. RSA Security, Aladdin Knowledge Systems, ActivIdentity (formerly ActivCard),
Authenex and SafeNet are a few of the vendors offering USB tokens.
However, implementing tokens isn't easy. Token vendors tend to split up their required client
software into several discrete components: one for storing network credentials, another for storing
Web site information, and a third for VPN credentials. This leads to a need for separate analysis and
version control of the different software components to ensure compatibility with enterprise
desktops. Plus, users are reluctant to carry yet another hardware device in their pocket to access
enterprise services, and can easily lose it. Software tokens avoid that drawback, but can only be used
on the host where the software resides.
Another problem with most tokens is that the software may leak user names/passwords onto the hard
drive. In addition, it's possible to crash the client software (particularly Java-based software) by
overloading the processor with multiple tasks operating simultaneously, or tasks like CAD that require
large amounts of CPU and/or memory.
What to do
Depending on their security needs and regulatory requirements, companies may want to deploy USB tokens
throughout the enterprise for network logon or just for remote access via a VPN or Citrix system.

About the author
Tom Bowers is the Security Director of Net4NZIX, an independent think tank and industry analyst group,
as well as a technical editor for Information Security magazine. Bowers, who holds the CISSP,
PMP and Certified Ethical Hacker certifications, is a well-known expert on the topics of data leakage
prevention, global enterprise information security architecture and ethical hacking. He is also the
president of the Philadelphia chapter of Infragard, the second-largest chapter in the country with
more than 600 members.
This article originally appeared in Information Security magazine.