Problem solve Get help with specific problems with your technologies, process and projects.

Two-factor authentication and tokens

An introduction to tokens including how they work, their pros and cons, and the best circumstances in which to use them.

How they work

Used in combination with a user name and password, tokens are a popular means of strong, two-factor authentication (something you know and something you have). There is a wide variety of tokens available, including USB tokens, random-number-generator key fobs that produce one-time passwords and software tokens that emulate the function of a hardware token on a computing device.

Pros and cons

Among the token choices, the USB tends to be the most cost effective and versatile. The USB reader is standard equipment on today's PCs, so a separate reader is not required as it is for other two-factor authentication methods such as smart cards. Unlike random number generators like RSA Security's SecurID, USB tokens provide storage for various certificates and logon credentials, making them more flexible. RSA Security, Aladdin Knowledge Systems, ActivIdentity (formerly ActivCard), Authenex and SafeNet are a few of the vendors offering USB tokens.

However, implementing tokens isn't easy. Token vendors tend to split up their required client software into several discrete components: one for storing network credentials, another for storing Web site information, and a third for VPN credentials. This leads to a need for separate analysis and versioning control of the different software components to ensure compatibility with enterprise desktops. Plus, users are reluctant to carry yet another hardware device in their pocket to access enterprise services, and can easily lose it. Software tokens avoid that drawback, but can only be used on the host where the software resides.

Another problem with most tokens is that the software may leak user names/passwords onto the hard drive. In addition, it's possible to crash the client software (particularly Java-based software) by overloading the processor with multiple tasks operating simultaneously, or tasks like CAD that require large amounts of CPU and/or memory.

What to do

Depending on their security needs and regulatory requirements, companies may want to deploy USB tokens throughout the enterprise for network logon or just for remote access via a VPN or Citrix system.

Two-factor authentication options

  Smart cards
  Safe mode: Danger zone

Tom Bowers

About the author
Tom Bowers is the Security Director of Net4NZIX, an independent think tank and industry analyst group, as well as a technical editor for
Information Security magazine. Bowers, who holds the CISSP, PMP and Certified Ethical Hacker certifications, is a well known expert on the topics of data leakage prevention, global enterprise information security architecture and ethical hacking. He is also the president of the Philadelphia chapter of Infragard, the second largest chapter in the country with more than 600 members.

This article originally appeared in Information Security magazine.

Dig Deeper on Identity and access management (IAM) security services

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.