Security token and smart card authentication


SearchSecurity.com
11.11.2008

A smart card is a small plastic card, about the size of a credit card, containing an embedded microchip that can be programmed to store a specific user's authentication information. The chip can hold more than one identification factor for that user (e.g., a password and a fingerprint). When the user inserts his or her card into a smart card reader, the card presents those factors, making the smart card system a viable option for two-factor or multifactor authentication.

Smart cards help to eliminate the threat of hackers stealing stored or transmitted information from a computer: the authentication information is processed on the smart card itself, so it never has to leave the card or be transmitted to another machine.

On the downside, a smart card's small microchip can store only a limited amount of information. For that reason, smart card encryption options are limited: smaller or shorter encryption keys may be necessary, which heightens the chance of data compromise.

One-time password (OTP) tokens, also known as key fobs, are another form of authentication that requires two factors: something you know and something you have. These tokens are programmed to generate and display a new password at set intervals. To access a system, a user must enter his or her user ID and password, which is the first factor of authentication (something you know), and then provide the PIN displayed on the token, which is the something-you-have factor.

The PIN provided by the token is constantly changing -- approximately every 30 to 60 seconds, depending on how the token is programmed -- and that makes it extremely difficult for a hacker to use a captured PIN to gain malicious access. Even if an attacker successfully steals the PIN, by the time he or she enters it into the system it will already have changed.



While two-factor and multifactor authentication systems are better than single-factor methods, they are not tamper-proof. One way an attacker can get past two forms of authentication -- say, a user ID and password coupled with an OTP -- is with a man-in-the-middle (MITM) attack. In a MITM attack, a hacker intercepts messages between the server and the authentication system. The hacker steals the credentials and then uses them to reset the user ID and password and obtain a new OTP. Now the attacker has full rein over the account using his own password and OTP.

Security token implementation
So how does an enterprise decide whether security tokens are the right choice? The decision should ultimately be based on how well the technology will cooperate with its existing authentication system. User acceptance and maintenance are also important factors: the technology won't be popular if it is confusing and difficult to use, or if administrators have to invest a lot of time in maintaining it.

When implementing a token system, encryption is essential to avoid attacks and ensure maximum protection. Be sure that the user ID, password and OTP PIN are encrypted. When it comes to OTPs, physical theft can be the more significant issue. If an attacker is able to physically steal your OTP token, you are pretty much out of luck, so physical security and proper distribution procedures are also essential elements of secure authentication.

Employee awareness training should be administered to educate employees on the proper use of their tokens. It should be made clear that tokens should never be left unattended at an employee's desk.

Records should be kept of which employees have received a token, and a verification process should be implemented to ensure that each specific token is given to the proper employee.
