“The recent hack attack on RSA SecurID highlights one of the inherent weaknesses in token-based authentication - it is time for a paradigm shift when it comes to secure authentication.”
22 March, 2011: In light of the recent news that hackers have stolen data related to RSA secure tokens, Chris Russell, a leading authentication expert from Swivel Secure, comments on the key weakness of token-based two factor authentication (2FA) and explains why alternative tokenless 2FA technologies offer much greater levels of security:
“The recent RSA security breach has sent a shock wave through the corporate security world, which I believe will be seen by future industry commentators as the tipping point for the authentication sector. For the best part of the last decade or more the RSA SecurID token has been held up as the industry standard for 2FA and has benefitted from the ‘no-one ever got fired for selecting IBM’ adage for far too long in my opinion.
“It is widely acknowledged, even inside RSA itself, that SecurID is not the best solution ‘technically’ for confirming the identity of individuals online, but nevertheless they have continued to grow their market share year on year because, despite the cost and the practical management issues, the perception is that it is reliable and fundamentally secure.
“This particular hack event is really the worst possible thing that could have happened for RSA because it has highlighted the one major flaw in the whole system; it affects not just one organisation but the entire worldwide user base. By compromising the seed algorithm the hackers have essentially ‘burnt’ every token that has ever been issued, leaving users vulnerable to cloning and unable to trust their tokens any longer.
“Now that the cat is out of the bag perhaps more IT security managers will start to believe those of us in the tokenless two-factor authentication camp when we say that tokens are not the universal panacea they might have once thought. It is understandable that some organisations have been reluctant to change from a system that was, apparently, not broken; the fear of change and the perception that migrating to a different technology will be a major headache have helped SecurID retain its dominant position.
“However, in my view this breach has turned those arguments on their head and unless RSA is prepared to recall and re-issue every token, which they clearly won’t, organisations no longer have a realistic choice other than to look for a better solution as fast as they can. Whilst RSA is the one in the dock over this incident the same vulnerability applies to all other token based systems that keep the keys to the castle in one place.
“The question now for those responsible for corporate security compliance is not ‘should’ they dump their tokens, but ‘when’ and what should they put in their place? Swivel’s PINsafe solution has a proven track record in offering a simple upgrade path for the more enlightened organisations who have adopted the technology in recent years. Along with a number of other tokenless authentication vendors, PINsafe leverages existing mobile networks and IT infrastructures to make the token obsolete and redundant, albeit in different ways.
“This approach not only takes away many of the deployment and scalability issues associated with tokens but because the system involves a direct link between the user and the authentication server for each login session, there is no single point of attack that hackers could exploit to bring down the entire user base.
“I believe that token technology of any kind has been fatally discredited through this incident and if any security manager needed convincing they need look no further. If trust is to be restored, SecurID users must start to migrate away from tokens as quickly as they can so they will not be the ones making the headlines when the first serious security incident resulting from this hack is reported; it is just a matter of time.”