
Pros and Cons of One-Time-PIN Options for Advanced Authentication, Part 1

Date Posted - 8th Aug 2013 |  Category - CJIS Security Policy, Common IT Headaches, Newsletter

Pros and Cons of One-Time-PIN Advanced Authentication

Previously, we explained the concept of Advanced Authentication (AA). In case you missed that explanation, you can read about it here. As a quick summary, AA is a more rigorous method of authenticating the identity of a user who is trying to gain access to sensitive data or systems.

To gain access, most AA systems require a password (“something the user knows”) and a second factor based on something the user “has” on his/her person. The way that most AA systems verify that the user is in possession of a Second Factor Device (SFD) is by requesting a number or pass code that would appear only on that user’s SFD. This pass code is often called a One-Time-PIN (OTP) since the code is not static like a user’s password is. Rather, OTPs cycle frequently throughout the day.

In order for a user to successfully log into an AA system that utilizes OTPs, the following sequence of events would occur:

1. The user logs into the system with a user name and password.
2. The AA system verifies that the password matches.
3. The AA system sends the user a request for the OTP on his SFD.
4. The user types in the current OTP before the device cycles to a new OTP.
5. The AA system verifies that the OTP matches the SFD that was registered to that user.
6. The user is granted access to the system.

This week’s blog is the first of a two-part series on the pros and cons of the different second factors that are available to law enforcement agencies. We will rate each second factor method based on its affordability, security level and how easy it is to administer.

Paper Tokens for Advanced Authentication

How They Work: These are printable, bingo-like cards with many sets of numbers printed on them in a spreadsheet layout. The AA system sends the user a set of coordinates (e.g. “Go to B4”), and the user reads back the number printed at those coordinates.

Cost = Low: You don’t have to purchase any extra devices; you simply use your office’s printer.

Security = Low: All of the SFDs discussed in this newsletter can be stolen and used by someone else, so we will focus on the aspects of each SFD that make it more or less secure than the others. Paper tokens are the least secure because there are no other security measures involved. In addition, someone could temporarily take a paper token, copy it, then return the original, and the user wouldn’t know that it had ever been stolen.

Ease of Administration = Simple: This is the easiest method to administer… just print out cards for each user. If a card gets lost, just print another one, and the old card’s numbers are disabled. With eAgent’s X2 solution, users can print out their cards themselves instead of requiring an administrator.
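As an added example (not part of the original post, and not eAgent’s X2 code), the following Python sketches the server side of the paper-token scheme just described: it generates a card from the operating system’s random number generator, renders it in the spreadsheet layout the user would print, issues a random coordinate challenge such as “Go to B4”, checks the answer with a constant-time comparison, and replaces the old card whenever a new one is printed, which is what disables the lost card’s numbers. The 5x10 grid size, the four-digit cells, the single-use coordinates and the user name officer7 are assumptions of this example. Note in verify that the server can only check the digits; it has no way to tell an original card from a copy, which is the weakness the Security rating refers to.

```python
import hmac
import secrets
import string

ROWS = "ABCDE"        # card rows, labelled A..E (assumed layout)
COLS = range(1, 11)   # card columns, labelled 1..10 (assumed layout)
CODE_DIGITS = 4       # digits printed in each cell (assumed)


def generate_card():
    """Build one card: a map from coordinate ('B4') to a random 4-digit code.
    secrets.choice draws from the OS CSPRNG, so one cell reveals nothing about another."""
    return {
        f"{row}{col}": "".join(secrets.choice(string.digits) for _ in range(CODE_DIGITS))
        for row in ROWS
        for col in COLS
    }


def render_card(card):
    """Return the card as printable text in the spreadsheet layout the user receives."""
    header = "    " + " ".join(f"{col:>4}" for col in COLS)
    lines = [header]
    for row in ROWS:
        lines.append(f"{row:>3} " + " ".join(card[f"{row}{col}"] for col in COLS))
    return "\n".join(lines)


class PaperTokenServer:
    """Server side of the paper-token second factor (hypothetical; not eAgent's code)."""

    def __init__(self):
        # user -> {"card": {coord: code}, "used": set of coordinates already answered}
        self.cards = {}

    def issue_card(self, user):
        """Print (return) a fresh card for the user. Any previous card is replaced,
        which is what disables a lost card's numbers."""
        card = generate_card()
        self.cards[user] = {"card": card, "used": set()}
        return card

    def challenge(self, user):
        """Pick a random, not-yet-used coordinate to ask for (e.g. 'Go to B4').
        Single-use cells are an assumption of this example: they stop an observed
        answer from being reused, but they cannot detect a copied card."""
        record = self.cards[user]
        unused = [c for c in record["card"] if c not in record["used"]]
        if not unused:
            raise RuntimeError("card exhausted; issue a new one")
        return secrets.choice(unused)

    def verify(self, user, coord, response):
        """Check the user's answer for the challenged coordinate."""
        record = self.cards.get(user)
        if record is None or coord in record["used"]:
            return False
        expected = record["card"].get(coord)
        if expected is None:
            return False
        # Constant-time comparison so timing does not leak how many digits matched.
        ok = hmac.compare_digest(expected.encode("ascii"), response.encode("utf-8"))
        if ok:
            record["used"].add(coord)
        return ok


if __name__ == "__main__":
    server = PaperTokenServer()
    card = server.issue_card("officer7")   # constructed user name
    print(render_card(card))
    coord = server.challenge("officer7")
    print(f"Challenge: go to {coord}")
    print("Accepted:", server.verify("officer7", coord, card[coord]))
```

Running the block prints one card, a random challenge, and the result of answering it from that card. Reissuing a card replaces the stored grid, so a challenge answered from the old card fails from then on.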


Hard Tokens for Advanced Authentication

How They Work: This battery-operated SFD is about the size of a small USB thumb drive and can attach to a key ring. When the user presses the button on the hard token, it displays a random OTP for a specified amount of time and then cycles to a new one. It generates the OTP from a clock-based algorithm (not from any sort of wireless signal).

Cost = Moderate to High: Of the 4 methods, this has the highest cost. Each hard token can range in price from $15 to over $200.

Security = Average: The security with a hard token is slightly better than with a paper token because it takes out the possibility of someone copying the SFD.

Ease of Administration = More Difficult: Of the 4 methods discussed in this newsletter, this is the most difficult to administer since an admin would need to register each device to a user and physically hand the device to him/her. If the device gets lost, then the admin would need to register a new one.

SMS Text for Advanced Authentication

How They Work: With these next two methods, the user’s mobile device is used. In this case, the OTP is sent to the user as a text message.

Cost = Somewhat Low: Assuming that the user already owns a mobile phone or has one registered to him/her through the agency, the cost associated with this method is only the cost to receive text messages.

Security = Average: Security is comparable to that of a hard token.

Ease of Administration = Simple: The administration of this method is slightly more involved than for paper tokens. The user just needs to enter his/her cell phone number into the AA system. From the user’s perspective, using this method in the field requires wireless service to receive the message.

Soft Tokens (Mobile Apps) for Advanced Authentication

How They Work: This is an application downloaded to a smart phone or tablet that essentially turns the phone into a hard token. The OTP is generated by a clock-based algorithm and does not require a wireless signal.

Cost = Low: Again, assuming that the user already owns a smart phone or has one registered to him/her through the agency, the cost is negligible (and you don’t even have to pay for text messages). Note that this method requires a more expensive smart phone that can run apps, as compared to the text messaging method above (which does not require as sophisticated a device).

Security = Good: Smart phones can be configured so that the user needs to enter a separate PIN to unlock the device. So if your phone gets stolen, the thief would need to know your unlocking PIN to get access to the AA app. Note that this security feature doesn’t apply to the SMS Text method, since text messages are usually visible on a phone without having to unlock it.

Ease of Administration = Simple: In order to register their devices, users need to enter a serial number that is given by the AA system. Some systems also create a QR code upon registration, and the user would need to scan that QR code to set up their device.
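The clock-based algorithm behind hard tokens and soft tokens, the registration by serial number or QR code, and steps 3 through 5 of the login sequence at the top of this post can be demonstrated together. The following Python is an added example, not the original post’s content and not eAgent’s implementation; the post does not say which algorithm eAgent uses, so this example assumes the standard time-based OTP (TOTP, RFC 6238, over HMAC-SHA1 with 6 digits and a 30-second period) and the otpauth:// URI format that authenticator apps read from QR codes. The issuer name ExampleAgency, the user name officer7 and the one-step drift window are assumptions of this example.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

PERIOD = 30       # seconds before the token cycles to a new OTP (assumed)
DIGITS = 6        # digits shown on the token (assumed)
DRIFT_STEPS = 1   # accept one time step either side for clock drift and typing delay (assumed)


def totp(secret: bytes, unix_time: float, period: int = PERIOD, digits: int = DIGITS) -> str:
    """TOTP (RFC 6238): the code for the time step containing unix_time.
    Token and server both compute this from the shared secret and their clocks only;
    no wireless signal is involved, which is why hard and soft tokens work offline."""
    step = int(unix_time // period)
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                       # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


class SoftTokenServer:
    """Server side of a clock-based OTP factor (hypothetical; not eAgent's implementation)."""

    def __init__(self):
        # user -> {"secret": shared key bytes, "last_step": highest time step already accepted}
        self.devices = {}

    def register(self, user: str, issuer: str = "ExampleAgency"):
        """Enrol a device: create a secret and return it as the base32 string the user
        types in, plus the otpauth URI a QR code would carry for the app to scan."""
        secret = secrets.token_bytes(20)
        self.devices[user] = {"secret": secret, "last_step": -1}
        b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
        uri = (
            f"otpauth://totp/{quote(issuer)}:{quote(user)}"
            f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1&digits={DIGITS}&period={PERIOD}"
        )
        return b32, uri

    def verify(self, user: str, code: str, now=None) -> bool:
        """Step 5 of the login sequence: check the typed OTP against the device
        registered to this user, tolerating slight clock drift but refusing reuse."""
        now = time.time() if now is None else now
        device = self.devices.get(user)
        if device is None:
            return False
        step = int(now // PERIOD)
        for candidate in range(step - DRIFT_STEPS, step + DRIFT_STEPS + 1):
            if candidate <= device["last_step"]:
                continue   # a code from this or an earlier step was already accepted
            expected = totp(device["secret"], candidate * PERIOD)
            if hmac.compare_digest(expected.encode("ascii"), code.encode("utf-8")):
                device["last_step"] = candidate
                return True
        return False


if __name__ == "__main__":
    server = SoftTokenServer()
    serial, uri = server.register("officer7")   # constructed user name
    print("Serial to type in:", serial)
    print("QR code contents:", uri)
    # The token side: the app (or a hard token) shows the current code from its clock.
    shown = totp(server.devices["officer7"]["secret"], time.time())
    print("Token displays:", shown)
    print("Accepted:", server.verify("officer7", shown))
    print("Accepted again (replay):", server.verify("officer7", shown))
```

The base32 string is what the post calls the serial number the user enters, and the URI is what the QR code encodes. verify accepts a code from the current step or one step either side, so a token whose clock is slightly off, or a user who types just as the display cycles, still succeeds; but it records the highest step accepted and refuses any code from that step or earlier, so a code that has already been used cannot be entered a second time within its window.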

 

That covers all of the One-Time-PIN options for Advanced Authentication. Next week, we will compare and contrast other methods that are not based on OTPs.

Until then, stay safe, stay tuned and stay advanced.

If your agency is looking at Advanced Authentication options for your officers, please take a look at what eAgent has to offer before making a final decision. You can give us a call at 850-656-3338 or sign up for a free online demo here.

Do you find the content in this blog valuable? Then subscribe to our weekly newsletter here.