Multi-Factor Authentication Technologies: Hardware Tokens and SMS
October 15, 2011
In response to increasing demand for multi-factor authentication (MFA), a number of technologies have emerged that offer it without involving voice authentication. The two leading multi-factor authentication technologies are hardware tokens and SMS.
Tokens offer an effective, if somewhat expensive, solution to the problem of providing multi-factor authentication.
Token solutions require the bank or agency to issue a hardware device that displays a constantly updated random number. To confirm identity, a user accesses a secure on-line service (such as internet banking) using a PIN or password, as in current single-factor authentication solutions. However, to gain access to highly secure services, such as transferring funds, the user is required to provide a second authentication factor: the number displayed on the token. This confirms that the user is in possession of their issued hardware token, i.e. it confirms that the user knows the PIN/password (“something they know”) and has an issued device (“something they have”).
This solution, whilst well established and accepted for providing multi-factor authentication for many on-line services in banking, financial and , is expensive to implement and manage as well as inconvenient for end-users. Typically, tokens cost around $10 each. Managing the token, that is, issuing it, supporting it in the field (7/24), replacing tokens that malfunction or are lost, stolen, damaged or destroyed, and managing the communications infrastructure to keep them synchronized, is estimated to cost about $40 per annum per token.
So whilst effective at providing a multi-factor authentication process, tokens have tended to be limited to high-value niche applications, such as professional or high-value clients, where the high cost can be justified.
Further, tokens don’t solve one of the biggest issues for end-users, which is remembering passwords. They also impose the further burden of having to carry around a hardware token every day. If users forget the token, then services are not available to them. So end-users will often leave the token in their laptop bags or stick it to their monitors or PCs, thus diminishing the added security from the second factor.
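The token check described above (PIN plus the number currently shown on the device), sketched server-side as an added example that is not from the original article. It assumes the token implements the open time-based one-time-password algorithm of RFC 6238 (the article names no algorithm); the 30-second step, six digits, drift window, account layout and function names are all assumptions, and the seed and PIN are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

STEP = 30    # assumed: seconds each displayed number stays valid
DIGITS = 6   # assumed: digits shown on the token

def token_code(seed: bytes, counter: int) -> str:
    """Number the token displays during time step `counter` (RFC 4226 truncation)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

def make_account(pin: str, seed: bytes) -> dict:
    """Hypothetical server-side record: salted PIN hash plus the token's seed."""
    salt = os.urandom(16)
    return {"pin_salt": salt, "pin_hash": hash_pin(pin, salt),
            "seed": seed, "last_step": -1}

def verify_login(account: dict, pin: str, code: str, now: float, drift: int = 1) -> bool:
    """Both factors must pass: the PIN (knows) and a fresh token number (has)."""
    pin_ok = hmac.compare_digest(hash_pin(pin, account["pin_salt"]), account["pin_hash"])
    current = int(now) // STEP
    # Accept neighbouring steps so a token whose clock has drifted still works.
    for step in range(current - drift, current + drift + 1):
        if step <= account["last_step"]:
            continue  # number already used: refuse replay
        expected = token_code(account["seed"], step).encode()
        if hmac.compare_digest(expected, code.encode()):
            if pin_ok:
                account["last_step"] = step
            return pin_ok
    return False

if __name__ == "__main__":
    seed = b"12345678901234567890"      # constructed sample seed (RFC test value)
    acct = make_account("4821", seed)   # constructed sample PIN
    shown = token_code(seed, 59 // STEP)
    print(shown, verify_login(acct, "4821", shown, now=59))
    print("replay accepted:", verify_login(acct, "4821", shown, now=59))
```

The `drift` window is the software counterpart of keeping tokens synchronized: widening it tolerates more clock skew but lengthens the time an observed number stays usable.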
SMS offers an alternative to the token, utilizing the mobile telephone. In this solution, the secure on-line service sends an SMS containing a number to a nominated mobile telephone. The user is required to enter this number when performing a transaction to confirm they are the legitimate account user.
The solution, whilst effective, does suffer from some limitations. Not everyone has a mobile telephone, and mobile telephone coverage is not universal. So there could be instances where an end-user is accessing an on-line service but does not have mobile phone coverage to receive the confirming SMS. There is no confirmation that the SMS was actually received, and sometimes it may take many hours to transmit and receive the SMS, depending on network congestion.
Whilst the solution is cheaper than the token, in so far as it uses a technology that the end-user already has, a mobile telephone, there is still considerable expense associated with the approach. There is still a high management overhead associated with the theft or loss of mobile telephones.
However, the main expense item here is the cost of sending SMS messages. Unlike the hardware token, which has a relatively fixed cost, the costs associated with SMS vary depending on use. Costs increase as usage increases, which means that the costs associated with SMS multi-factor authentication are difficult to predict, especially when the number of transactions is high.