Another Take on Token-Based Security
- By John K. Waters
Hardware-based two-factor authentication has been around for about two decades, but interest in sign-on solutions that require something you know (your password) and something you have (a hardware token) has recently gotten some serious mass-market attention. High-profile security breaches and spreading consumer fears about ID theft are making the hardware-based two-factor scheme appealing to financial institutions, a growing number of online and brick-and-mortar retailers (including AOL) and a range of enterprises looking to beef up their own network security.
In a recent survey of 8,200 consumers sponsored by RSA Security, one of the leading providers of token-based security solutions, and conducted by Lightspeed Research, 80 percent of respondents said they would have greater confidence in online transactions if their provider offered hardware-based two-factor authenticators.
The problem with this approach, says Stu Vaeth, chief security officer at Diversinet, is that hardware tokens are, well, hardware.
"When you start thinking about having one token for your enterprise access, one for your bank and another one for your online account, you could quickly end up with a janitor’s keychain of hardware tokens," Vaeth says.
So-called strong authentication solutions have traditionally relied on proprietary hardware devices (USB tokens or smart cards) to provide one-time-password credentials for online login access. Diversinet's approach relies on soft tokens, which reside on mobile phones, PDAs and laptops.
Diversinet is billing its MobiSecure PC Tokens as the industry's first Open Authentication Initiative-compliant Microsoft Windows-based soft tokens specifically designed for large-scale One Time Password (OTP) strong authentication deployments by banks, online commerce vendors and service providers.
The company has been in the mobile security business since 1997, originally focusing on Public Key Infrastructure solutions and WAP technologies. The market for those technologies eventually stalled, Vaeth explains, and the company refocused on soft-token offerings that comply with the Open Authentication Initiative's standards for one-time passwords, established last year.
The MobiSecure PC Tokens come in a variety of flavors, including: a browser plug-in that can work directly with the Web browser to provide OTP authentication as part of the user login process; a standalone token, which can run as an application that displays an OTP value upon request from the user; an API token, which allows any PC application to be modified to directly obtain an OTP from the MobiSecure soft token.
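The article does not name the OATH one-time-password algorithm, so the assumption here is the event-based HOTP scheme (RFC 4226) that OATH soft tokens implement. The following is an added example, not Diversinet's or VeriSign's code: the token-side code generation, plus a server-side verifier with a look-ahead window that resynchronizes a token whose counter has drifted ahead (codes generated but never submitted) while still rejecting replays, checked against the RFC's published test secret.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to a 31-bit integer, reduced mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                     # low nibble of last byte selects the window
    code = ((mac[offset] & 0x7F) << 24          # mask the sign bit per the RFC
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % (10 ** digits)).zfill(digits)


def verify_hotp(secret: bytes, submitted: str, server_counter: int,
                look_ahead: int = 5, digits: int = 6):
    """Server-side check. The server stores the next expected counter;
    a small look-ahead window tolerates a token that is ahead of the server.
    Returns the new server counter on success, or None on failure.
    Counters at or below the accepted one are never valid again (no replay)."""
    for c in range(server_counter, server_counter + look_ahead + 1):
        # constant-time comparison so a guess cannot be timed
        if hmac.compare_digest(hotp(secret, c, digits), submitted):
            return c + 1
    return None


# Test secret from RFC 4226 Appendix D (ASCII "12345678901234567890").
RFC4226_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    # Token side: the user's soft token displays the code for its current counter.
    print(hotp(RFC4226_SECRET, 0))                    # 755224
    # Server side: token is two steps ahead; window absorbs the drift and moves on.
    print(verify_hotp(RFC4226_SECRET, "359152", 0))   # 3
    # A replayed code from an already-consumed counter is refused.
    print(verify_hotp(RFC4226_SECRET, "755224", 1))   # None
```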
Last month (June 2005) Diversinet’s soft-token solution gained major market validation in the form of an OEM deal with VeriSign Corp. The secure-infrastructure company plans to integrate the MobiSecure technology into the VeriSign Unified Authentication solution, which the company provides to enterprises, banks, online service providers, and retailers.
John K. Waters is a freelance writer based in Silicon Valley. He can be reached at [email protected].