Tokenless authentication - access for the future?
Paul Russell, Head of Consulting 29th September 2004
paul.russell@servo.co.uk

Two-factor authentication has been around for a while, generally in the form of a token. However it can be cost-prohibitive and we've started to see companies look at tokenless alternatives. What are the benefits? And is there a market for it? We wanted to find out more so we spoke to one of the leading companies in this space, Swivel Technology, about their views on this emerging mobile phone-based technology.

Why go tokenless?
So what's the benefit of going tokenless? Well, the sheer cost of supplying users with the tokens and replacing those that are lost, means that it is not especially scaleable for large organisations. Add to this the costs associated with administering and managing the solution and it becomes even harder to justify. What's more, if a token is lost, aside from the cost, the solution is rendered redundant: no token = no access. Steve Meredith, Swivel Technology's Marketing Director, says that in their research, they found that users were basically "the weakest link" with any authentication tool. With the tokens, for example, they've met users who were obviously very worried about losing their token - so they'd stick them to their PC, or leave it in their bag with their laptop!

A tokenless solution removes this barrier. Because it utilises mobile phones (existing, established technology), there's no additional hardware cost and users are familiar with the concepts involved. Plus, because a mobile phone is physically larger than a token and fairly invaluable to most people, users are likely to take greater care of their mobile than they might of a token.


Most importantly, however, by removing the need to ever input the PIN number, a tokenless solution increases security. A one-time code (OTC) is used only once, and two people cannot use it at the same time. So even if the code were picked up one way or another, no one else would be able to use it to access the network.



So what are the benefits from Swivel's perspective?
The main benefits to Swivel's solution seem to relate to cost and usability. With mobile phones as the primary tool, the solution utilises existing technology and is a relatively intuitive option for users - PIN numbers (which they can change if they choose) are commonly regarded as easier to remember than traditional passwords, and the majority of workers are more than familiar with mobile phones.

The lightweight software can be implemented within hours and, without additional tools such as tokens, is quick and cost-effective to scale to any number of users. In fact Swivel claims its solution is typically 40% cheaper than token-based alternatives.

Other benefits include:
Security - the PIN number is never directly input, protecting against things such as keyboard spyware. The OTC that is input can be used only once, so is useless to anyone who does pick it up. The user's ID is protected during communication with the PC and the authentication server.
Flexibility - access methods can be configured to the specific company, division or user.
No special client software or hardware requirements.
Compatible - as well as internet browser options, it is designed to be compatible with all common global mobile networks. It can also run on all common operating systems and interoperate with SSL VPN and Firewall technologies.

So will tokenless access catch on - you tell us?
Is tokenless authentication the remote access method of the future? Are the benefits compelling enough, or are token-based solutions more appropriate? Does it sound sufficiently user-friendly? Is it even necessary?

We'd love to hear your thoughts. You'll see a free text box below called "Reasons for your rating? (optional)". Please use this to tell us whether you think tokenless authentication is the future.

   





 
 