Tokens are not only dead - but now they must be buried


June 27, 2011 | SecurEnvoy

… actually, they need to be disposed of carefully and in accordance with the European WEEE directive

By Andrew Kemshall,
co-founder of SecurEnvoy

March 2011 changed things. What do I mean by that? Well, for many years, I’ve argued that hardware-based tokens have had their day. In fact, earlier this year, I claimed that in 2011 the technology had aligned to hammer the final nail into the physical token’s coffin. Little did I know – well, actually I had a pretty good idea, as it was always just a matter of time – that EMC’s RSA division would fall victim to hackers, proving my point that hardware-based tokens are fundamentally flawed.

Just in case anyone thinks I’m over-reacting, let me take you through the evidence.

1. Manufacturing the token

If someone is involved in the token programming process or the seed record customer delivery process, then that person is open to bribery. By the same token, the software used to program or deliver the keys could be corrupted, compromising the keys.

Specifically with the RSA predicament – assuming production has to be ‘ramped up’ to cope with the demand to manufacture 40,000,000 replacement tokens, which is over and above the usual levels and a pretty safe assumption – then I believe quality is going to suffer.

2. Deployment

Right from the start, token deployment has proven time consuming and expensive:

It will take up to six months for 1,000 tokens to be distributed, with many sent using a postal system to remote workers. That’s six months wondering if you’re going to be breached, whereas rolling out a soft token system, which utilises SMS technology, to 18,000 users can be done in less than an hour.

When you look at the costs of getting these replacement keys to users, covering direct and indirect costs for the organisation concerned, a conservative estimate puts this at £100 per key. Across 1,000 users that’s £100,000. I haven’t heard RSA say they’re going to offer to compensate their customers, so this is a hit the organisation will have to stomach.

Even then, that’s not the end, as you’ll have to continue to manage these tokens and replace them as they break or are lost. By contrast, it is estimated that moving to tokenless authentication will reduce ongoing running costs by 40 – 60 percent.

The planet will also have to pay, as the environmental cost for producing and distributing the replacement 40,000 tokens works out at around 4.3 million tonnes of CO2 or, for those who like a visual representation, that’s the equivalent of chopping down 240 million trees. With soft tokens, not even a branch has to be sacrificed.

3. Sowing the seed

In case anyone thinks I’ve got a vendetta against RSA, I just want to categorically state that I don’t. It’s against all hardware tokens – or soft tokens, for that matter – that are pre-programmed, regardless of who makes them, if you’re allowing that third party to store your seed records within its own database. The fact is, it has been proven that this information can be compromised. I’ve said it before, and I’ll say it again: the most secure method of two-factor authentication is to randomly generate any required keys within the customer’s own environment.

As replacing the tokens doesn’t actually address this critical flaw, who’s to say whether next month, in six months or next year this whole process will have to be repeated as the seed records have been breached again? Well, I’m going to stick my neck on the line and say – yes, it will, and again and again and again until everyone learns the very expensive lesson and stops handing over the keys to their kingdom to someone else. You have to be responsible for your own security.
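To make concrete why the seed record is the asset at stake, here is an added illustration (not SecurEnvoy’s code and not RSA’s design): a minimal RFC 4226 HOTP generator and verifier, with the seed drawn from the local CSPRNG. Whoever holds a copy of the seed bytes computes exactly the codes the token displays, so a seed database held elsewhere is a copy of every key; the RFC’s published test seed is used as constructed sample input.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed sample input: the test seed published in RFC 4226,
# not a record from any real token.
RFC_SEED = b"12345678901234567890"


def generate_seed(nbytes: int = 20) -> bytes:
    """Generate a token seed from the OS CSPRNG inside the customer's
    own environment, so no third-party database ever holds a copy."""
    return secrets.token_bytes(nbytes)


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then the low `digits` decimal digits.
    Anyone with `seed` gets the same output as the token itself."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def verify(seed: bytes, counter: int, code: str, window: int = 5):
    """Server-side check with a look-ahead window for skipped button presses.
    Returns the next expected counter on success, or None on failure.
    Constant-time comparison avoids leaking how many digits matched."""
    for step in range(window + 1):
        if hmac.compare_digest(hotp(seed, counter + step), code):
            return counter + step + 1
    return None


if __name__ == "__main__":
    # A seed generated locally: the only copy is the one you keep.
    local_seed = generate_seed()
    print("locally generated seed, counter 0:", hotp(local_seed, 0))
    # A leaked seed record reproduces the token exactly.
    leaked_record = bytes(RFC_SEED)
    print("token:", hotp(RFC_SEED, 0), "record:", hotp(leaked_record, 0))
```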

4. The cat’s out of the bag

This brings me on to my final point – before the RSA hack, few people really understood what the real value of these seed records was. Following all the publicity, and especially the successful attack on Lockheed Martin, now everyone knows.

You can bet your bottom dollar that criminals aren’t going to sit back and let the opportunity pass. If you continue to put the keys to all the vaults in one central vault it’s going to be too irresistible for criminals – and profitable if they’re successful. Again, for those of you who prefer a visual representation, it’s the equivalent of everyone who has a Yale lock on their front door giving a spare key, complete with address, to someone who’s already proved they can’t be trusted to keep it safe. Can that really be considered due diligence?

If you’ve only got your own seed records a) they’re not much of a target and b) if they have broken in, then the seed records being breached is the least of your problems.

Isn’t there a better way?

I’m sorry to harp on about it but, with the RSA breach, organisations really need to think long and hard before they accept the offer of shiny new, but ultimately flawed, replacement tokens.

If you don’t generate each of your tokens’ seed records within your own company, then you’re not in control of your own security. I urge you – don’t delay, bite the bullet, write off the investment so far, and change to an authentication system that puts you in control before it’s too late.
