How they work
Used in combination with a user name and password, tokens are a popular means of strong, two-factor authentication (something you know and something you have). There is a wide variety of tokens available, including USB tokens, random-number-generator key fobs that produce one-time passwords and software tokens that emulate the function of a hardware token on a computing device.
Pros and cons
Among the token choices, the USB tends to be the most cost effective and versatile. The USB reader is standard equipment on today's PCs, so a separate reader is not required as it is for other two-factor authentication methods such as smart cards. Unlike random number generators like RSA Security's SecurID, USB tokens provide storage for various certificates and logon credentials, making them more flexible. RSA Security, Aladdin Knowledge Systems, ActivIdentity (formerly ActivCard), Authenex and SafeNet are a few of the vendors offering USB tokens.
However, implementing tokens isn't easy. Token vendors tend to split up their required client software into several discrete components: one for storing network credentials, another for storing Web site information, and a third for VPN credentials. This leads to a need for separate analysis and versioning control of the different software components to ensure compatibility with enterprise desktops. Plus, users are reluctant to carry yet another hardware device in their pocket to access enterprise services, and can easily lose it. Software tokens avoid that drawback, but can only be used on the host where the software resides.
Another problem with most tokens is that the software may leak user names/passwords onto the hard drive. In addition, it's possible to crash the client software (particularly Java-based software) by overloading the processor with multiple tasks operating simultaneously, or tasks like CAD that require large amounts of CPU and/or memory.
What to doDepending on their security needs and regulatory requirements, companies may want to deploy USB tokens throughout the enterprise for network logon or just for remote access via a VPN or Citrix system.
Two-factor authentication options
Safe mode: Danger zone
About the author
Tom Bowers is the Security Director of Net4NZIX, an independent think tank and industry analyst group, as well as a technical editor for Information Security magazine. Bowers, who holds the CISSP, PMP and Certified Ethical Hacker certifications, is a well known expert on the topics of data leakage prevention, global enterprise information security architecture and ethical hacking. He is also the president of the Philadelphia chapter of Infragard, the second largest chapter in the country with more than 600 members.
This article originally appeared in Information Security magazine.
Dig deeper on Identity management and access controls