
Hardware Tokens: A Hands-On Look
Token-Based Authentication
We focused on challenge-response tokens rather than smartcard-based devices. Most tokens are credit-card-sized or smaller, with an internal chipset that runs the code-generation algorithm. Some algorithms are proprietary (SecurID's, for example), while others use standard DES-based codes. A token may have a user-input interface, usually a keypad, or none at all. Where a keypad exists, its main purpose is PIN entry to "unlock" the token so that the user can read the current pass code; some tokens also let the user select additional authentication schemes or programming options through it. Some vendors add other gimmicks, such as a calculator or light-sensitive inputs. None of these extras changes the basic idea behind a token: it is something the user holds, and possession of it is the evidence that he or she is authorized to have access.
In choosing a token solution, it is important to review the actual hardware your users will carry. Key areas to consider are battery life, displays, interfaces, programming, size and durability. All tokens run on batteries; most will run two to five years before the battery must be changed or the token replaced (whether the battery is user-replaceable matters, since a dead token otherwise means a reissue). Output displays are typically LCD-based, though their quality and clarity vary greatly; a token should be readable at a glance when it sits next to your keyboard or monitor. Consider whether the token's interfaces are easy to work with, whether programming can be done quickly and accurately, and whether the device is small enough to handle easily without being easy to misplace. Finally, consider durability. In an interesting and unplanned test, one of our SecurID key fobs was inadvertently sent through a washing machine (warm wash/cold rinse). In this new level of testing for Network Computing, the key fob survived and continues to function flawlessly.
It is also worth thinking through some other "bad token" scenarios and their ramifications. Although we couldn't stress-test the durability of the vendors' tokens, some (such as Vasco's Digipass 300) seem more fragile than others. Then there is always the potential for loss or theft. Either means downtime for the user and administrative work: the missing token must be disabled or invalidated on the authentication server as soon as it is reported, and a replacement token issued and enrolled. Finally, you might simply forget to take your token with you, which means you need a plan for temporary access that does not amount to bypassing the token altogether.
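To make the mechanics concrete, here is an added example, written for this page rather than taken from Network Computing, RSA or Vasco, of a challenge-response exchange between a simulated token and an authentication server. It shows the PIN "unlock" on the token and the server-side disabling of a lost or stolen token described above. The class names Token and AuthServer, the 60-second challenge lifetime and the sample secret are assumptions for illustration, and HMAC-SHA1 truncated to six digits stands in for the DES-based or proprietary code a real token would compute; it is not any vendor's algorithm.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

CODE_DIGITS = 6          # length of the one-time response the user types in
CHALLENGE_TTL = 60.0     # seconds a challenge stays valid (assumed policy value)


def truncate_to_digits(mac: bytes, digits: int = CODE_DIGITS) -> str:
    """Reduce a MAC to a short decimal code (HOTP-style dynamic truncation)."""
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


class Token:
    """Simulated hardware token: a shared secret, unlocked by a PIN, that answers challenges."""

    def __init__(self, serial: str, secret: bytes, pin: str):
        self.serial = serial
        self._secret = secret
        self._pin = pin
        self._unlocked = False

    def unlock(self, pin: str) -> bool:
        # The PIN only gates the keypad; it never leaves the token.
        self._unlocked = hmac.compare_digest(pin.encode(), self._pin.encode())
        return self._unlocked

    def respond(self, challenge: str) -> str:
        if not self._unlocked:
            raise PermissionError("token is locked; enter the PIN first")
        # HMAC-SHA1 stands in for the DES-based or proprietary code a real token computes.
        mac = hmac.new(self._secret, challenge.encode(), hashlib.sha1).digest()
        return truncate_to_digits(mac)


class AuthServer:
    """Holds each enrolled token's secret, issues single-use challenges and verifies responses."""

    def __init__(self):
        self._secrets = {}      # serial -> shared secret (as sensitive as the tokens themselves)
        self._disabled = set()  # serials reported lost or stolen
        self._pending = {}      # serial -> (challenge, expiry time)

    def enroll(self, serial: str, secret: bytes) -> None:
        self._secrets[serial] = secret

    def disable(self, serial: str) -> None:
        # Lost or stolen token: invalidate it and drop any outstanding challenge.
        self._disabled.add(serial)
        self._pending.pop(serial, None)

    def challenge(self, serial: str, now: Optional[float] = None) -> Optional[str]:
        if serial not in self._secrets or serial in self._disabled:
            return None
        now = time.monotonic() if now is None else now
        chal = f"{secrets.randbelow(10 ** 8):08d}"   # 8-digit random challenge shown to the user
        self._pending[serial] = (chal, now + CHALLENGE_TTL)
        return chal

    def verify(self, serial: str, response: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        pending = self._pending.pop(serial, None)   # single use: a replayed response finds nothing
        if pending is None or serial in self._disabled:
            return False
        chal, expiry = pending
        if now > expiry:
            return False
        expected = truncate_to_digits(
            hmac.new(self._secrets[serial], chal.encode(), hashlib.sha1).digest())
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Enrollment, a good login, a replay, a stale response, a locked token and a lost token (constructed data)."""
    server = AuthServer()
    secret = bytes(range(16))                      # constructed shared secret, not a real key
    token = Token("TOK-0001", secret, pin="4321")
    server.enroll("TOK-0001", secret)
    results = {}

    chal = server.challenge("TOK-0001")
    try:
        token.respond(chal)
        results["locked_token_answers"] = True
    except PermissionError:
        results["locked_token_answers"] = False

    token.unlock("4321")
    response = token.respond(chal)
    results["good_login"] = server.verify("TOK-0001", response)
    results["replayed_response"] = server.verify("TOK-0001", response)

    chal = server.challenge("TOK-0001", now=1000.0)
    results["stale_response"] = server.verify(
        "TOK-0001", token.respond(chal), now=1000.0 + CHALLENGE_TTL + 1)

    server.disable("TOK-0001")
    results["disabled_token_challenge"] = server.challenge("TOK-0001")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Three properties of the exchange are worth noticing. The challenge is random, single-use and time-limited, so a response captured over the wire (or read off a screen) cannot be replayed. The server keeps a copy of every token's secret, so the token database must be protected at least as carefully as the tokens. And disabling a serial takes effect on the next verification, which is why reporting a lost token promptly matters more than the cost of reissuing one.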