RSA blog: Renaissance of the OTP hardware token

Few things in infosec can date back to the early 1990s and still be in demand today, but such is the case with RSA’s long history of its SecurID one-time password (OTP) hardware key-fob tokens. Despite numerous security analysts predicting their death, hardware OTPs have been a great business for RSA and lately are undergoing a renaissance with a newfound interest among security managers. In this month’s blog, I take a look at this evolution, why the hardware token is coming back, and what are some of the current trends in multi-factor authentication (MFA) too.

Today’s hardware token has gotten more sophisticated than that original fob that just displayed a series of those OTP random digits. This was partly a necessity, since their use always has been somewhat cumbersome for both end users and security managers alike. (I mentioned this drawback in one of my reviews of MFA tools in Network World in 2013, when I said that “toting around tokens means that they can get taken, and in a large enterprise, hardware tokens are a pain to manage, provision and track.” Still, this review in 2012 mentioned this attraction for using hardware tokens: “They don’t require app developers to rewrite their apps from scratch, and the hardware token provides us with the level of security assurance we want and need. We’ve been carrying tokens around for 25 years; I wonder if they’ll make 50?” I think we can safely say that tokens will have this longevity.

In 2016, several vendors released smarter hardware tokens that came with encryption keys or encryption engines embedded. This made them easier to use, because of push authentication methods that eliminated a few steps. More recently, there have been other vendors who have released hardware tokens that support the Fast Identity Online (FIDO) protocols, so a single token can work with a variety of authentication servers. In the past, each fob was married to a particular server, which meant users had to cart around a collection of tokens if they needed to login to multiple servers and cloud-based services.

As the tokens were getting more capable, the demand for better MFA security was also increasing. Remote workers were on the rise, and earlier this year travel restrictions and flight cancellations because of the coronavirus made remote work more necessary and acceptable. That in turn drove increased demand for better authentication methods such as both hardware and smartphone-based tokens. A good case study is the US Army, which is expanding its MFA coverage to National Guard members and first responders to use hardware and smartphone tokens.

At the same time, this increased demand didn’t escape the criminal world, who began to focus on ways to exploit MFA weak points, especially SMS-based MFA methods. The FBI issued warnings last fall that documented various techniques to bypass MFA methods, including swapping out cellphone SIM cards, using specialty-designed malware to automate MFA phishing schemes and employing social engineering methods to fool users into providing the OTP digits in real time. At the RSA Conference last month, researchers documented new methods to get around the MFA smartphone apps by using outdated phone operating systems, attacks called Android screen overlays that fool users into entering the OTP codes or other compromises to the kernel mobile phone OS itself.

Where do we go from here with deploying MFA? Here are a few thoughts. First, you need to take a step back and craft a solid access and authentication management strategy for your entire enterprise out of whole cloth. You should examine whether every user needs a hardware token and for all their access methods. Instead, focus on the relative risks. For example, tokens are a good idea for those users who handle money transactions, but perhaps not if their jobs are on the factory floor. Next, think about how you handle your partners and customers’ transactions, and how to beef up their logins. Getting hardware tokens registered and eventually revoked to anyone who isn’t a full-time employee is still painful. And also consider whether you should mix and match hardware and smartphone MFA apps, especially when the application circumstances and risk profiles dictate.

Finally, consider how to authenticate cloud apps. Some clouds support standards that make integrating smartphone MFA apps easier, so that might be a better solution. At the end of the day, having more MFA is usually better than no MFA, but it should be deployed intelligently and carefully.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.