
Securing the IoT with the Help of Multi-Factor Authentication

SMS Passcode : 30 July, 2015  (Special Report)
David Hald of SMS PASSCODE explains how multi-factor authentication can be used as a robust security measure for the Internet of Things.

The Internet of Things (IoT) is creating opportunities and challenges that the world could barely dream of just a few years ago. And it’s catching on fast. ZK Research reports that the IoT will have 50 billion endpoints by 2020. As more organizations adopt cloud-based services, and as they create BYOD standards to accommodate more remote work scenarios, they will need strong user authentication like never before.

Since the Internet began, security and user authentication have been issues. An early solution was hardware tokens. Despite their initial popularity, however, tokens have proven to be a cumbersome, inefficient method. New technologies today are more secure, more user-friendly and much cheaper to use and manage. In addition, these newer authentication methods can increase user productivity at the same time. IT professionals deserve to understand all their authentication options – with or without tokens – so that they can make the best decision for their organizations.

Bidding Hard Tokens Adieu

Hardware tokens were popular in theory, but not in practice. Many IT admins have reported that their users never really embraced tokens and that they often went unused, putting individual and organizational data at risk. In contrast, a token-free approach is much easier to use. People use their mobile phones’ texting capabilities every day, so the one-time password (OTP) received via users’ phones encourages security compliance. Users also benefit from greater flexibility and convenience when the authentication solution includes multiple delivery options like SMS/text, voice calls, email, etc., which helps overcome the users’ fear of not being able to log in.

Hard tokens always display a code, whereas a token-free OTP has to be delivered. How does this impact the service?

If an OTP cannot be delivered via the primary delivery method, then a failover mechanism should automatically kick in and deliver the OTP via a secondary method. This increases efficiency and certainty that OTPs will be delivered in a timely manner and that users will be able to log in. Ideally, an authentication solution should use contextual intelligence to automatically detect where the user is logging in from and dynamically choose the most appropriate OTP delivery method based on the user’s location. The reliability and configurability of this token-free approach offers convenience and ease of use to not only your employees but to the IT department as well.

Fast and hassle free set-up is another plus of token-free authentication. A token-based approach can take over a year to implement. Token-free authentication, however, can sometimes be implemented in less than a day. The huge difference in convenience between an entire year of integration versus a day is clear.

Authentication in Real Time

In contrast to OTPs, most token-based authentication methods use pre-issued, one-time passcodes that are based on a seed file somewhere. This means they are vulnerable to hacking. In one form of malware attack, the users’ credentials are hijacked, including the token, and these credentials are sent to the hacker via instant messaging. A pre-defined authentication code can be stolen and used for another login. That means the system’s security can be significantly compromised, and the code can be exploited by phishing.

What makes these remote logins even safer is the use of a challenge-based approach in token-free authentication. A challenge- and session-based, real-time authentication solution, for example, only generates a code after the user session has been confirmed. Once the username and password are validated, the solution generates the code. This method offers visibility into which device the login request is coming from. The solution then links the code to the session-ID so that the code—received via mobile phone—can only be used on the device that the request was initiated from and only for that particular login session. That approach is in contrast to hardware tokens, where the codes are not session-specific, meaning that anyone in possession of the token can use the codes. A challenge-based, session-based code helps protect against sophisticated attacks such as real-time phishing and man-in-the-middle attacks. Token-based authentication, by its very nature, cannot match this level of security.
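The challenge- and session-based flow described above, as an added example (not SMS PASSCODE's code): the code is generated only after the password check, stored bound to the session ID, and accepted once within a short window. The function names, the in-memory store, the 120-second lifetime and the three-attempt limit are assumptions.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL = 120      # seconds a code stays valid (assumed value)
MAX_ATTEMPTS = 3   # guesses allowed per challenge (assumed value)
_pending = {}      # session_id -> challenge record (in-memory store for the sketch)


def _digest(salt, session_id, code):
    # The session ID is part of the MAC input, so a code only matches its own session.
    return hmac.new(salt, f"{session_id}:{code}".encode(), hashlib.sha256).digest()


def start_challenge(session_id, now=None):
    """Call only after the username and password were validated for session_id."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"   # generated in real time, not pre-issued
    salt = secrets.token_bytes(16)
    _pending[session_id] = {
        "salt": salt,
        "digest": _digest(salt, session_id, code),
        "expires": now + OTP_TTL,
        "attempts": 0,
    }
    return code   # goes to the SMS/voice/email channel, never back to the browser


def verify(session_id, code, now=None):
    """Accept the code once, only in the session that requested it, before expiry."""
    now = time.time() if now is None else now
    rec = _pending.get(session_id)
    if rec is None:
        return False                      # no challenge was issued for this session
    rec["attempts"] += 1
    if now > rec["expires"] or rec["attempts"] > MAX_ATTEMPTS:
        del _pending[session_id]          # expired or guessed too often: start over
        return False
    ok = hmac.compare_digest(rec["digest"], _digest(rec["salt"], session_id, code))
    if ok:
        del _pending[session_id]          # single use: a replayed code is rejected
    return ok
```

A code captured from one session and submitted in another is rejected because no challenge exists under that session ID, and a code that was already accepted cannot be replayed.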

Comparing TCO

An initial examination of a hard token-based system may give the impression that it is less expensive than a token-free one, but hidden fees and maintenance costs abound. In addition to the license fee, there might also be a consultant fee. There are also staff costs to administer the system. All of these elements require financial outlay and should be factored into the total cost of ownership (TCO). To determine the final TCO of an authentication solution, use this TCO calculator for an accurate assessment of how much your solution will actually cost.

Part of that calculation must include lost time when an employee cannot work due to a forgotten, broken, lost or stolen token. Hardware tokens typically cost between $50-$300 just for the hardware. If you pay someone $30-$50 per hour, for example, and your employee on average loses one hour per month because he/she cannot log in after forgetting the hardware token or because it gets out of sync, that’s $600 per year in lost productivity per employee. Your loss in productivity quickly becomes more costly than the entire solution itself.

Take Back Your Productivity

When you implement a hard token solution, you introduce a solution that your system is dependent on in order to function. Now, imagine that you have no way to control that dependency. The net result is a decrease in productivity. In terms of authentication tokens, should a user somehow lose a token, the user cannot log on and perform his or her job, and the company loses productivity. IT admins are losing productivity as well, since they must manage the needs of those dependent on this system.

No one looks for ways to add dependencies to their organization. A more efficient method is to use mobile phones in the authentication process. The mobile phone is one of the top things that individuals never forget. By using that device as a token log-in, you greatly increase productivity and, in turn, security. So, by using a token-based approach, even if it were free, you would be losing money because it would negatively impact your productivity. However, by integrating a token-free approach into your system, you increase your ROI and save money and time in a single move. This will reduce downtime and lead to productivity gains.

User Authentication Comes Full Circle

Authentication was already a challenge, but the IoT has introduced new complexities and threats that must be addressed. What’s worked, or at least mostly worked, before will not work now. The game has changed, and organizations must carefully consider all their options. Hard token authentication suffers from poor user adoption, high costs and security vulnerabilities of its own via hacking and phishing. In addition, it can take up to a year to implement and drags down both IT resources and productivity. In sharp contrast, token-free multi-factor authentication eliminates these issues with rapid deployment, no hidden costs and real-time security. This approach uses one IoT device—smartphones—to help secure other IoT devices and services. In this way, authentication has come full circle.

About the Author

David Hald is a founding member of SMS PASSCODE A/S, where he acts as a liaison and a promoter of the award-winning SMS PASSCODE multi-factor authentication solutions. Prior to founding SMS PASSCODE A/S, he was a co-founder and CEO of Conecto A/S, a leading consulting company within the area of mobile and security solutions with special emphasis on Citrix, Blackberry and other advanced mobile solutions. At Conecto A/S, David worked with strategic and tactical implementation in many large IT projects. David has also been CTO in companies funded by Teknologisk Innovation and Vækstfonden. Prior to founding Conecto, he worked as a software developer and project manager, and headed up his own software consulting company. David has a technical background from the Computer Science Institute of Copenhagen University (DIKU).
