Organizations replace usernames and passwords with one-time passcodes
More than the football-shaped tokens to choose
18 June, 2013
category: Corporate, Digital ID
Defining the options
The keyfob-style one-time passcode token is considered the lowest common denominator for adding strong authentication, says Julian Lovelock, vice president of marketing at HID Global Identity Assurance.
“These solutions have been around for a long time and are well proven,” he says. “The flipside is they tend to be expensive, costing $50 to $60 for each token. Then there’s the cost of getting tokens to the end users and replacing them. There are cost factors from both a capital expenditure perspective and a logistical perspective.”
Costs can be reduced using software-based OTP on a mobile device, tablet or PC, Lovelock says. “This is a cheaper option because you don’t have to pay for hardware or the logistics of shipping tokens,” he adds.
End users often prefer this option because they don’t have to carry an extra token, Lovelock says.
Another option in the same vein as one-time passcode is out-of-band authentication, Lovelock explains. This doesn’t require any software on a device and doesn’t even require that a user have a smart phone. Instead, a user receives a text message with the passcode to enter. There are systems that will even call the individual and speak the code if texting is not an option.
Out-of-band systems are typically priced on a per transaction basis so they’re often used when no other options are available or for very high-value transactions. “If you have many users logging in many times throughout the day the cost will add up,” Lovelock says.
Another option has emerged that doesn’t require users to do anything. Called transparent OTP, this solution uses a piece of script to generate a passcode without user interaction. It runs in the background of a browser and communicates with the servers for authentication to a system.
“Individuals have a user name and password in place but the organization has put this transparent OTP under the covers so that the access is bound to the device and user,” says Lovelock. “The individual can only login to the site with that device.”
Deployment
OTP can also be relatively quick to deploy, taking two to three days at most and in some cases can be done in half a day with little to no interruptions of the network, Gemalto’s Wizbowski says.
The backend infrastructure for all types of OTP is similar, Lovelock says. The bigger time issue will be adding the OTP hooks into the different applications, depending on where the enterprise wants it used.
Depending on the size of the deployment, the longest time may be getting tokens to the users, Lovelock says. Organizations may also want to keep in mind that one type of OTP might not be best for every employee.
“You might have some that are tech-savvy and can give the mobile software while others might do better with hardware (tokens) or an out-of-band solution,” he explains.
An enterprise will also want to think about user experience. In years past IT would implement security controls regardless of the load on the end users, says SafeNet’s Young. “They weren’t concerned about the usability,” he says. “Smart phones and Apple products have made individuals less tolerant of dramatic user experiences.”
Deploying a cloud-based infrastructure will also make deployment quicker, Young says. SafeNet has a cloud-based authentication system that can get users up and running in the time it takes to show an organization a demonstration of the system. “A demo can turn into a proof of concept and by the end of the meeting, it’s a live environment and they can get up and running,” he adds.
An enterprise can also opt to have SafeNet run the infrastructure rather than dedicate employee time to doing it, Young says.
Lovelock agrees that cloud-based systems can reduce the cost of deployment. “It removes the need to deploy a server on premise,” he says.
Cost
Size of the deployment is what impacts the cost most, Lovelock says. A large organization, like a bank rolling out a software-based OTP to its customers, would pay less than $1 per user. The cost would be about the same for a transparent OTP.
A small enterprise, 50 to 60 users, would pay $20 to $40 a user, including infrastructure costs, Lovelock explains. An out-of-band solution will charge based on the number of messages sent throughout the course of the year, which typically works out to less than a nickel each.
Regardless of the solution an enterprise selects, Lovelock cautions to leave room for growth and choose an infrastructure that will enable other technologies down the road.
“Choose a solution that gives you the flexibility to deploy different authentication technology for different users,” he explains. “Don’t tie yourself into one … your requirements today might be very different than tomorrow.”