
The insecurity of two-factor authentication

Security hazards associated with smartcards and tokens are keeping them from widespread deployment.

Deployment of two-factor authentication tools such as smartcards and USB tokens appears to be increasing. More organizations are adding a layer of security to the desktop that requires users to physically possess a token and to know a PIN or password in order to access company data. However, two-factor authentication still has some drawbacks that are keeping the technology from widespread deployment, and they are worth considering.

Differences between the smartcard and USB token are diminishing. Both technologies include a microcontroller, an operating system, a security application and a secured storage area. There are some distinguishing differences, however.

Smartcards, such as those offered by RSA and ActivCard, are about the same size as a credit card. Some vendors, such as HID and RSA, are offering or developing smartcards that perform both the function of a proximity card and network authentication. You can authenticate into the building via proximity detection and then insert the card into your PC to produce your network logon credentials. The downside is that the smartcard is a bigger device, the card reader is an extra expense, the card is more likely to break due to its size, and it has less storage capacity than a USB token.

On the other hand, the USB token has a much smaller form factor and can easily be attached to a keyring. Thus, it is easier to carry. The USB reader is standard equipment on today's PCs, and the token tends to have a much larger storage capacity for logon credentials than smartcards. RSA, Aladdin, ActivCard, Authenex and Rainbow are a few of the vendors offering USB tokens.

In both cases vendors are beginning to add biometric readers on the devices, thereby providing three-factor authentication. Users biometrically authenticate via their fingerprint to the smartcard or token and then enter a PIN or password in order to open the credential vault.

So if smartcards or USB tokens provide all this security, why isn't every company in the country deploying them? It would seem to be a logical line of defense against intrusions and information loss. Well, the first challenge corporations face is the difficulty of deploying the client PC software required to make these systems work. Most vendors have created separate installation packages for network login, Web access credentials and VPN connection credentials. In other words, you may have four or five different software packages to push down to the client PC in order to make use of the token or smartcard. That means four or five packages on which you also have to perform version control, and which you must ensure don't conflict with your business applications.

The next concern is the security of the two-factor authentication tools and their systems. Several products I tested for SearchSecurity's sister publication Information Security magazine showed passwords stored in plain text for either the token/smartcard software or its associated management server. In either case this completely negates one factor of the authentication since an intruder could easily find the password/PIN used to authenticate to the device.

According to some vendors, an intruder has to possess the token or smartcard for this type of attack to work. That's not really true though. You can simply boot up the PC in safe mode to bypass the token/smartcard authentication altogether. Remember that the token/smartcard is a storage device, but it is not the only storage device for logon credentials. There is nothing to stop a user (or intruder) from manually providing logon credentials that are also stored on a token/smartcard. As an intruder, all I have to do is boot in safe mode with network support and scan the hard drive with utilities such as the freeware Protected Storage PassView (NirSoft) to show all passwords stored in Internet Explorer. Additionally, you could use a disk editor such as the shareware WinHex to scan for text strings such as "password=". Both of these approaches produced great results during product testing, allowing me to bypass the token/smartcard.
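The string scan the column describes is also the check a deploying organization can run itself before rollout: point it at the client software's configuration directory and the management server's data export and see whether credentials land on disk in the clear. The audit below is an added example, not code from the column or from any vendor; the file contents are constructed samples, and it distinguishes a value that is plainly a hex digest (and so at least hashed) from one that is not, which a plain `password=` search does not do.

```python
"""Audit text files for credentials stored in plain text.

Added example; the sample files below are constructed and stand in for a
token client's configuration directory and a management-server export.
A key such as password/pin/secret whose value is not a recognizable hex
digest is reported as plain text. Values are masked in the report so the
audit log does not itself become a credential store.
"""
import re
from typing import Dict, Iterator, List, NamedTuple

# Constructed sample content; file names and values are invented for the demo.
SAMPLE_FILES: Dict[str, str] = {
    "client/agent.ini": (
        "[vault]\n"
        "user=jdoe\n"
        "password=Summer2004!\n"
        "pin=1234\n"
    ),
    "server/users.cfg": (
        "user=asmith\n"
        # 64 hex chars: looks like a SHA-256 digest, so not reported as plain text
        "password=5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8\n"
        "token_serial=000123\n"
    ),
    "client/readme.txt": "Insert the token and enter your PIN.\n",
}

# key=value or key: value where the key names a credential
CRED_KEY = re.compile(
    r"^\s*(password|passwd|pwd|pin|secret)\s*[=:]\s*(.+?)\s*$", re.IGNORECASE
)
# MD5 / SHA-1 / SHA-256 sized hex strings are treated as "at least hashed"
HEX_DIGEST = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.IGNORECASE)


class Finding(NamedTuple):
    path: str
    line_no: int
    key: str
    masked: str


def mask(value: str) -> str:
    """Keep two leading characters so a finding can be matched to its source."""
    return value[:2] + "*" * (len(value) - 2) if len(value) > 2 else "**"


def looks_protected(value: str) -> bool:
    """True when the value has the shape of a hex digest rather than a secret."""
    return bool(HEX_DIGEST.match(value))


def scan_text(path: str, text: str) -> Iterator[Finding]:
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = CRED_KEY.match(line)
        if match and not looks_protected(match.group(2)):
            yield Finding(path, line_no, match.group(1).lower(), mask(match.group(2)))


def audit(files: Dict[str, str]) -> List[Finding]:
    """Scan every file (path -> contents) and return plaintext-credential findings."""
    return [f for path, text in sorted(files.items()) for f in scan_text(path, text)]


if __name__ == "__main__":
    for finding in audit(SAMPLE_FILES):
        print(f"{finding.path}:{finding.line_no}: plaintext {finding.key} ({finding.masked})")
```

On a real deployment the `files` mapping would be built by walking the install directory (and, on Windows, a registry export saved as text); binary credential stores need a different approach, but a hit from this scan is already enough to fail a product evaluation on the point the column makes.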

Vendors typically respond to this weakness by pointing out that their products tie in closely with encryption or PKI, and this provides a full measure of security. To which my response is, which one of these products is really providing the security? It seems to me that the encryption and/or PKI infrastructure is the true security product. This leaves me wondering what true level of security the token or smartcard provides.
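The question of which component is really providing the security comes down to where the secret lives. If the token is only a vault for a static password that the client software also caches on the host, the host's disk alone completes a login and possession of the token buys nothing. If the token instead holds a key that never leaves it and answers a fresh challenge from the server each time, nothing cached on the host can be replayed. The simulation below is an added example, not any vendor's protocol: it uses an HMAC-SHA256 challenge-response as a stand-in for the second design, runs both sides in one process, and uses constructed user names and secrets.

```python
"""Where the secret lives decides what a stolen hard drive is worth.

Added example. Design A: the token stores a static password that the client
software also caches on the host. Design B: the token holds a key that never
leaves it and signs a fresh server challenge (HMAC-SHA256 here, a stand-in
for a real token protocol). Users, PINs and passwords are constructed.
"""
import hashlib
import hmac
import secrets


class PasswordServer:
    """Design A: authenticates with a static password."""

    def __init__(self, passwords):
        self._passwords = passwords  # user -> password

    def check(self, user, password):
        stored = self._passwords.get(user)
        if stored is None or password is None:
            return False
        return hmac.compare_digest(stored.encode(), password.encode())


class ChallengeServer:
    """Design B: issues a one-time challenge and verifies the HMAC response."""

    def __init__(self, keys):
        self._keys = keys  # user -> shared key (the server's own key store)
        self._pending = {}

    def challenge(self, user):
        nonce = secrets.token_bytes(16)
        self._pending[user] = nonce
        return nonce

    def verify(self, user, response):
        nonce = self._pending.pop(user, None)  # each challenge is usable once
        if nonce is None or user not in self._keys:
            return False
        expected = hmac.new(self._keys[user], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class Token:
    """Design B token: key and PIN stay inside; only responses come out."""

    def __init__(self, key, pin):
        self._key = key
        self._pin = pin

    def respond(self, pin, nonce):
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            raise PermissionError("wrong PIN")
        return hmac.new(self._key, nonce, hashlib.sha256).digest()


def login_with_token(server, token, user, pin):
    """Normal Design B login: token answers the server's fresh challenge."""
    return server.verify(user, token.respond(pin, server.challenge(user)))


def login_from_host_disk_a(server, disk):
    """Design A with only the host's cached data: the password is enough."""
    return server.check(disk["user"], disk.get("password"))


def login_from_host_disk_b(server, disk):
    """Design B with only the host's data: a captured response does not replay."""
    server.challenge(disk["user"])
    return server.verify(disk["user"], disk.get("last_response", b""))


def demo():
    """Run both designs with and without the token; returns the four outcomes."""
    user, pin, password = "jdoe", "1234", "Summer2004!"  # constructed
    server_a = PasswordServer({user: password})
    host_a = {"user": user, "password": password}  # what the client cached on disk

    key = secrets.token_bytes(32)  # provisioned into the token and the server
    server_b = ChallengeServer({user: key})
    token = Token(key, pin)
    with_token = login_with_token(server_b, token, user, pin)
    # The most the host could have retained is one earlier response.
    captured = token.respond(pin, server_b.challenge(user))
    host_b = {"user": user, "last_response": captured}

    return {
        "a_with_token": server_a.check(user, password),
        "a_from_disk": login_from_host_disk_a(server_a, host_a),
        "b_with_token": with_token,
        "b_from_disk": login_from_host_disk_b(server_b, host_b),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'login succeeds' if ok else 'login fails'}")
```

In Design B the management server still holds a key per user, so the column's second finding, plaintext secrets on the server side, is not answered by the token design alone; what changes is that the workstation, the machine an attacker can boot into safe mode, holds nothing worth copying.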

Until the vendors fix the issue of passwords being stored in plain text and provide a method for controlling safe mode boot up, I don't believe tokens or smartcards provide any security at all. Consider the cost of implementation – around $100 for the smartcard or token and the associated software, plus an additional $25 for each smartcard reader – and the technology lacks a strong value proposition. For now, two-factor authentication remains an expensive option for storing user credentials, albeit insecurely.

Note from the author
Since this column was originally published, I have received questions regarding the viability of one-time password (OTP) tokens. OTPs do not change the vulnerabilities found in the token software or the tokens themselves. Their use, however, does limit the risk of those vulnerabilities. The supporting software still allows that OTP to show in plain text, as well as the user name. It is possible -- though not as probable -- that this system could be subverted. In addition, the OTP system does nothing for the safe mode workaround. I can boot the machine into safe mode on a Wintel platform and get onto the hard drive without having to use the token/OTP system. The OTP system is used in the EU, but most other parts of the globe have yet to adopt it.

About the author
Tom Bowers has worked with computers since the early 80s. He is currently the Manager of Information Security Operations for Wyeth Pharmaceuticals, where he leads a team conducting pen testing globally. He also owns Net4NZIX, a small consulting firm specializing in pen testing and computer forensics. Tom holds the CISSP, PMP and Certified Ethical Hacker certifications. He can be reached at

This was last published in July 2004
