The Strong Authentication Battle

Tokens and biometrics are often used to replace insecure passwords. But these strong authentication systems are far from perfect.

By Simson Garfinkel

Although SecurID has been on the market for more than a decade, it has recently come into public view as phishing, pharming and Trojan horses have become a widespread problem. Last year, for instance, both AOL and E-Trade Securities announced they would make the SecurID token available to any users who requested it. More and more, I'm seeing the ubiquitous SecurID token at conferences when attendees want to access their corporate e-mail. Of course, there's a downside: Leave your token at home and you can't log in. Also, if you have five websites that all use token-based authentication, you'll need to carry around five tokens. This isn't a major inconvenience for people who do Web banking at home once a week, but it is a hassle for people who need to routinely use a variety of token-protected services.

Note that the SecurID doesn't eliminate passwords: it just gives every user a second password, one that changes every minute. This means that users can still forget their passwords, which creates headaches for help desks.

Cryptographic Tokens

Cryptographic tokens are based on public-key cryptography. The token generates a key pair consisting of a public and a private key. The public key is then certified, that is, signed by the organization's certificate authority, and the resulting certificate is also stored on the token. To prove your identity to a remote service, you plug the token into a USB port. Your token then engages in a challenge-response protocol with the remote service: the service sends a fresh random challenge, and the token signs it with its private key, which proves that the token holds that key. The certificate proves that the key is one the organization authorized.
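The exchange described above, as an added example that is not part of the original article and not any vendor's token firmware: a Go program using only the standard library, in which an organization's CA certifies a token's public key at enrollment, and a remote service authenticates the token by checking the certificate chain and then verifying a signature over a fresh random challenge. The Token type, the CA name "Example Corp Token CA", the user name "alice", and the choice of ECDSA P-256 with SHA-256 are my assumptions for illustration; a real token performs the signing in hardware behind a PIN.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Token stands in for a USB cryptographic token (hypothetical model): the
// private key is generated on the token and never leaves it; Sign is the
// only operation the host can invoke.
type Token struct {
	priv *ecdsa.PrivateKey
	Cert *x509.Certificate // public key certified by the organization's CA
}

// Sign answers a challenge with an ECDSA signature over its SHA-256 digest.
func (t *Token) Sign(challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, t.priv, digest[:])
}

// issue has signer sign tmpl (parent is the issuer's certificate) and parses the result.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA creates the organization's self-signed certificate authority.
func NewCA(name string) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	cert, err := issue(tmpl, tmpl, &key.PublicKey, key)
	return key, cert, err
}

// Enroll generates the key pair on the token, then has the CA certify the
// public key; the certificate binding key to user is stored on the token.
func Enroll(caKey *ecdsa.PrivateKey, caCert *x509.Certificate, user string) (*Token, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	cert, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: user},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, caCert, &priv.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return &Token{priv: priv, Cert: cert}, nil
}

// Authenticate is the remote service's side: it checks that the presented
// certificate chains to the organization's CA (the key is authorized), then
// verifies a signature over a fresh challenge (the holder has the private key).
func Authenticate(caCert, presented *x509.Certificate, sign func([]byte) ([]byte, error)) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := presented.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate not authorized: %w", err)
	}
	challenge := make([]byte, 32) // fresh per attempt: a captured signature cannot be replayed
	if _, err := rand.Read(challenge); err != nil {
		return "", err
	}
	sig, err := sign(challenge)
	if err != nil {
		return "", err
	}
	pub, ok := presented.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(challenge)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return "", errors.New("challenge signature invalid")
	}
	return presented.Subject.CommonName, nil
}

func main() {
	caKey, caCert, _ := NewCA("Example Corp Token CA")
	tok, _ := Enroll(caKey, caCert, "alice")
	fmt.Println(Authenticate(caCert, tok.Cert, tok.Sign)) // alice <nil>
	rogueKey, rogueCert, _ := NewCA("Rogue CA")
	rogue, _ := Enroll(rogueKey, rogueCert, "alice")
	fmt.Println(Authenticate(caCert, rogue.Cert, rogue.Sign)) // untrusted CA: rejected
	fmt.Println(Authenticate(caCert, tok.Cert, rogue.Sign))   // genuine cert, wrong key: rejected
}
```

The last two calls in main show the two checks failing independently: a token certified by a CA the service does not trust is refused even though it can sign the challenge, and a genuine certificate presented by someone who lacks the matching private key fails the challenge. Both are what a service must check; trusting the certificate alone, or accepting any valid signature without checking who certified the key, defeats the scheme.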

The security of this approach comes from the fact that the private key never leaves the token: Unplug the token from the USB port and there is little chance that somebody can pretend to be you. Most cryptographic tokens further lock the private key with a PIN or password. In theory, this prevents unauthorized use in the event that the token is lost or stolen. Alas, research by Ross Anderson at the University of Cambridge in England has shown that it is remarkably hard to build a token that can really make good on these guarantees when it's being tested by a determined and reasonably well-funded adversary. Nevertheless, cryptographic tokens still provide dramatically more security than passwords alone.

But despite their added security, tokens are not foolproof. A person in the office can borrow or steal your token, just as he might borrow or steal your password.
