Multi-factor authentication, a real alternative to physical security tokens?

For a long time, data security managers in companies have considered systems based on physical security tokens as the authentication solution offering the best level of security. Based on two authentication factors and on the principle of a one-time password (OTP) that changes every minute, they were considered very difficult, if not impossible, to defeat.

However, the cumbersome nature of their administration (management of token delivery, life-cycle management), together with their total cost of acquisition, limited their large-scale deployment, often reserving them for high-risk uses and users (top management, banking transactions, etc.).

In addition, their adoption was hampered by a relative complexity of use (the very short validity of the codes), as well as by a number of security alerts.

Despite these imperfections, physical security tokens are still widely used as a strong authentication solution in many large organizations. But several factors can now lead these organizations to question this choice.

The first is the proliferation of mobile users. Physical tokens are well suited when all users work on company premises, but much less so when they are often on the move and need to access their data remotely. The distribution and management of physical tokens then become more complex and open the way to security risks. The accelerated growth of teleworking caused by the current pandemic has of course accentuated this phenomenon.

The smartphone, the ideal authentication tool

The second is the widespread use of smartphones, which have become the ideal tool for multi-factor authentication (MFA) solutions.

Indeed, the daily use of smartphones by the vast majority of the population in developed countries allows MFA solutions to be deployed on a very large scale, to both employees and business customers. This eliminates the need to provide additional equipment and removes the costs associated with deploying and maintaining physical tokens. Moreover, the integration of biometric readers in smartphones allows them to be used as trusted terminals with a high level of security.

Note that other equipment, for example computers that comply with the new FIDO standard and integrate biometric functions such as Windows Hello or Apple Touch ID, increasingly present on the market, can also serve as trusted terminals in a strong authentication solution, alongside smartphones.

Finally, by combining on a smartphone the sending of a push notification with a biometric reading within a multi-factor authentication process, the user benefits from an experience that is both simpler and more practical than with physical tokens.

Immediate or gradual migration

Therefore, two choices are available today to many companies.

Either keep two multi-factor authentication solutions running side by side, the existing one based on physical tokens and a new one based on smartphones or other FIDO-compliant computers, which allows a gradual migration.

Or, if multi-factor authentication has become necessary and mandatory for all of their users' access, standardize from the outset on smartphones and biometric devices, abandoning systems based on physical tokens.