By now, you know the drill: Multi-factor authentication, or MFA, requires a combination of something you know and either something you have or something you are. You’ve heard the classic example of the ATM card as a form of MFA; to get your cash, you need to enter your PIN (what you know) along with your card (what you have).
When you’re trying to log on to a corporate network, though, it’s not as simple as swiping a card and entering a PIN, especially if you are using a laptop computer or mobile device. However, there are a few other ways to provide something you have, and which one is right for you depends on what you need to protect, who is gaining access, and a few other important factors.
Hardware Tokens
Hardware tokens have been in use the longest for MFA; in fact, one might even call an ATM card a type of hardware token. These days, the most common hardware tokens are USB devices that are physically plugged into the computer being used, after which the user enters a password. In some cases, the user must enter a one-time-use code that appears on the device (which is the same size as a key fob). The code changes periodically based on an algorithm contained in the device.
Most of us are familiar with this type of token if we have ever used SMS-based MFA. In this case, a smartphone is the “something you have,” and the one-time-use code you receive via text message works the same way as the code on the token. Since most people always have their smartphones nearby, many companies have shifted toward using them as the hardware as a way to keep costs in check.
In fact, cost and convenience are the two main driving factors in hardware-based MFA. However, there are some drawbacks, the first being the likelihood of the device being lost or stolen. Key fob tokens are generally more easily lost than smartphones. And if the token is lost with the device that it’s intended to unlock, then there is nothing to stop a criminal from requesting a new one-time-use (OTU) code and gaining access anyway.
Still, this is the most popular option because it is affordable, easy to use, and takes advantage of what people are already doing. And if you use a smart card or key fob, and keep it separate from the locked device, you add an extra layer of security should the device be lost or stolen.
Software Tokens
Some companies have taken the idea of hardware-based tokens and created software versions, which perform the same authentication functions without having to keep track of a physical device. The benefits of software tokens are lower costs, easier deployment, and less downtime due to lost or broken devices.
However, some critics question whether using a software-based token really counts as MFA, especially when the token is located on the same device as what is being protected. Software tokens, though, are not simply the same hardware token technology transferred to smartphones, but an entirely new and more secure technology. If you’re trying to deploy MFA to a geographically dispersed team, or simply trying to keep costs in check, software authentication might be your best bet.
Biometric Tokens
Finally, biometric authentication is gaining some traction, although it’s nowhere near as widespread as hardware and software tokens. Most of the current biometric technology is limited to smartphones; some devices include fingerprint or facial recognition technology to control access. While this technology is still in the early stages, when you want the most advanced security and need to protect highly sensitive data, biometric tokens may be your best option.
Choosing the right MFA token can make the difference between effectively securing your data and frustration, security breaches, and extra costs. Consider all of your options, and choose the one that makes the most sense for your company’s needs.