The most common two-factor authentication tokens are small devices from companies such as ActivCard, Aladdin Knowledge Systems, RSA Security, SafeNet, Secure Computing and Vasco. These devices generate numeric codes that are valid for a limited time or a single use. Some systems require the user to type a challenge string into the token before the passcode is generated, but the level of security for both types is considered similar.
Neither type represents the future of two-factor authentication, according to Steve Hunt, vice president and director of research for security at Forrester Research. "Every token available is a stopgap or migration step towards smart cards," Hunt says.
We agree: Smart cards have the advantage of being multipurpose and can provide physical-premises access along with network and application authentication. They're also familiar to users, resembling credit cards in form and function. So why haven't they become the norm? Because, unlike simple hardware tokens, they require a card reader--a peripheral not yet standard on most enterprise workstations. Until companies like Dell and IBM include readers in every laptop computer and corporate desktop keyboard, hardware tokens, whether handheld or USB, are going to be a primary two-factor authentication method.
Beyond Two
When two-factor authentication isn't enough, a third factor--something you are--is added using biometrics, or identification by way of biological characteristics, such as voice response or retinal scan. Vendors are evaluating ways to make this technology more economical and widely available through devices like USB fingerprint scanners. Right now, though, biometrics is sufficiently expensive to make it of interest only to those securing very high-value information, as in the government and financial sectors.
