Passwords are supposed to protect our digital identities as well as our data. But unfortunately, they are often the biggest security vulnerability. For real protection, at least one more factor is needed. Modern tokens in the context of multi-factor authentication (MFA) provide a solid solution – and users have many different solutions to choose from in this area today.
Tokens for Multi-Factor Authentication (MFA)
A majority of data breaches occur when only a password is used for login in addition to a username. According to a Verizon study, weak or stolen passwords are responsible for a hack 81 percent of the time – up from just 63 percent the previous year. So there’s a noticeable increase in the risks posed by passwords. Most users use surprisingly unimaginative passwords: “123456”, “password” or “qwer” look like an invitation to any intruder.
But even longer and more complex passwords don’t help much: because users can’t remember them, they write them down next to the computer or fall back on easy-to-guess patterns for the sequence of numbers and characters. Many users also reuse the same password across several portals, which makes it even easier for criminals to misuse a stolen one.
The second factor in protecting digital identities
But how can we secure our digital identities and data more effectively? The answer is two-factor authentication (2FA) or multi-factor authentication (MFA). MFA is based on the idea that in addition to a password, a user must prove or enter a second factor for authentication that an attacker cannot know or possess.
Typically, this is a “one-time” token – for example, a code a user receives via text message, or a push message prompting “confirm” or “deny” sent to their smartphone. A kind of one-time password is thus generated for each authentication process, which in this case I can only access via an object in my possession (e.g., smartphone). The loss of the password therefore no longer necessarily represents the loss of my own digital identity.
The following overview provides an initial orientation to currently available token types and their usage scenarios. Modern MFA systems allow a combination of different tokens so that a single solution can be used for every application and protection requirement:
SMS tokens are among the most widely used token types today. Users simply receive a code via SMS on their cell phones for authentication. They do not need to install any software or have a smartphone. This method is used in particular as “redundancy” in the event of an error, or for mass rollouts with “heterogeneous” end users.
However, the number of attack points via the mobile network or the smartphone platform is comparatively high. SMS tokens should therefore be reserved for non-critical logins or scenarios with low protection requirements.
Hardware tokens are small chip-based devices in the form of a key fob or smart card that generate a new password at the touch of a button and display it on a small screen: the so-called one-time passwords (OTP).
A special hardware token type is FIDO U2F. It is based on the Universal Second Factor standard (U2F), which allows users to reuse an existing token across services. Hardware tokens offer a high level of security, as attacks against them are difficult to carry out. Because they are less convenient to use, they are particularly suitable for cases in which a high level of protection is required.
Biometric authentication methods verify personal, biological characteristics of a person, such as identification via fingerprint or facial recognition. However, these characteristics can change over time, due to age or illness among other things.
A major problem is the susceptibility to errors in terms of false acceptance and false rejection, as well as the ease with which some biometric characteristics can be forged. The use of biometrics also raises various data protection challenges.
Software tokens replicate the functionality of hardware tokens in software, using the same algorithms and processes as the hardware. By running the software token on a smartphone, the user does not have to carry an “extra” device. Since the software token usually runs on a platform the organisation cannot control (the smartphone), the security of the token depends on the security of the smartphone.
If the smartphone has vulnerabilities or contains malware, an attacker may gain unnoticed access to the token. Software tokens should therefore only be used in scenarios with a normal need for protection.
Push tokens trigger an automatic notification when a user wants to log in or perform a transaction. The push message is sent to the authorized user’s smartphone, for example, where it only needs to be confirmed by tapping “OK.” The cryptographic confirmation is then sent directly to the defined endpoint, so it is no longer necessary to enter a code.
This process can also implement a multi-eye principle in highly secure environments such as banks or energy suppliers, where an authorized second person must approve certain processes. Another advantage of modern push tokens is transaction security: the contents of a transaction can be protected against manipulation, and non-repudiation can be achieved.
QR tokens realize two main purposes: first, they can be used to enable secure offline authentication – provided the provider does everything right. This is particularly relevant if, for example, company laptops are to be secured by means of a second factor. Without offline authentication, access is not possible during a flight.
Another purpose of QR tokens is to enforce device separation, as required by some regulations. This involves using a public key to generate a challenge, which is scanned and decrypted using the private key on the cell phone. Afterwards, only the displayed value has to be entered or, depending on the situation, it can be transmitted directly and automatically by scanning (in the non-offline case).
Token allocation according to security level and user requirement
Due to the higher level of security, even large tech corporations such as Google or Facebook now rely on multi-factor authentication as part of their identity and access management. In addition, the need is increasing even more with the growing use of cloud environments, remote access, and web applications.
That’s why the German IT Security Association (Bundesverband IT-Sicherheit e.V., TeleTrusT) also recommends MFA technology in its handout on the IT Security Act for implementing the state of the art. In the future, companies will therefore no longer be able to avoid dealing with the topic and deciding which solution best suits their deployment scenario.
Above all, they should keep the requirements and security levels of their users in mind:
- Will the token be used frequently?
- Does my employee have access to highly sensitive areas?
- Or is the user an external service provider or an intern who is only allowed to access company systems for a limited period of time?
Modern solutions make it possible to assign tokens on a limited basis according to frequency of use or time periods, so that a user can no longer access a database or perform a login after five uses or after one month, for example.
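The use-limited and time-limited token allocation described above, as an added example that is not part of the original article and not the API of any particular MFA product: a hypothetical policy model that enforces a use budget and an expiry date around whatever OTP verifier the backend supplies, and also refuses a code that was already accepted.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Set


@dataclass
class TokenAssignment:
    """Hypothetical allocation record: a token bound to a user with limits (constructed model)."""
    user: str
    token_id: str
    max_uses: int            # e.g. 5 logins for a one-off contractor task
    valid_until: datetime    # e.g. one month for an intern
    uses: int = 0
    seen_codes: Set[str] = field(default_factory=set)  # replay guard for accepted codes


def verify_login(assign: TokenAssignment, code: str, now: datetime,
                 check_code: Callable[[str, str], bool]) -> str:
    """Enforce the allocation limits around the OTP check; returns "ok" or a rejection reason.

    check_code(token_id, code) is the backend's OTP verifier (assumed interface).
    Limits are checked first so an expired or exhausted token never reaches the
    verifier, and the use counter only advances on a successful login.
    """
    if now >= assign.valid_until:
        return "expired"
    if assign.uses >= assign.max_uses:
        return "use-limit"
    if code in assign.seen_codes:
        return "replay"
    if not check_code(assign.token_id, code):
        return "bad-code"
    assign.seen_codes.add(code)
    assign.uses += 1
    return "ok"


def demo_intern() -> list:
    """Constructed scenario: an intern's token allowed 5 uses within 30 days."""
    start = datetime(2024, 1, 1, tzinfo=timezone.utc)
    intern = TokenAssignment("intern01", "tok-demo", 5, start + timedelta(days=30))
    verifier = lambda token_id, code: len(code) == 6 and code.isdigit()  # stand-in OTP check
    outcomes = [verify_login(intern, f"{i:06d}", start + timedelta(days=i), verifier) for i in range(3)]
    outcomes.append(verify_login(intern, "000001", start + timedelta(days=3), verifier))  # reused code
    outcomes += [verify_login(intern, f"{i:06d}", start + timedelta(days=i), verifier) for i in range(3, 6)]
    outcomes.append(verify_login(intern, "999999", start + timedelta(days=31), verifier))  # past one month
    return outcomes


def demo_bad_code() -> tuple:
    """A rejected code must not consume one of the limited uses."""
    start = datetime(2024, 1, 1, tzinfo=timezone.utc)
    one_shot = TokenAssignment("contractor", "tok-demo2", 1, start + timedelta(days=1))
    outcome = verify_login(one_shot, "123456", start, lambda t, c: False)
    return outcome, one_shot.uses
```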
All these criteria help to rule out any misuse of the tokens as early as the token allocation stage.
In addition to the question of cost, these are also the criteria that should be decisive for each individual company when choosing a token. Each company must ask itself what level of security and usability is required in its own business environment. After all, multi-factor authentication in the context of protecting IT infrastructure and data is no longer an option.