Industry Perspectives

Renaissance of the OTP hardware token

  • by David Strom

Few things in infosec can date back to the early 1990s and still be in demand today, but such is the case with one-time password (OTP) hardware key-fob tokens. Despite numerous security analysts predicting their death, hardware OTPs have withstood the test of time, and lately, are undergoing a renaissance with a newfound interest among security managers. In this month’s blog, I look at this evolution, why the hardware token remains relevant, and some of the current trends in multi-factor authentication (MFA).

Today’s hardware tokens are more sophisticated than the original fob displaying a series of OTP random digits. This was partly a necessity, since their use was somewhat cumbersome for both end users and security managers alike. I mentioned this drawback in one of my reviews of MFA tools for Network World in 2013, when I said that “toting around tokens means that they can be taken, and in a large enterprise, hardware tokens are a pain to manage, provision and track.” Still, this review in 2012 mentioned this attraction for using hardware tokens: “They don’t require app developers to rewrite their apps from scratch, and the hardware token provides us with the level of security assurance we want and need. We’ve been carrying tokens around for 25 years; I wonder if they’ll make 50?” I think we can safely say that tokens will have this longevity.

In 2016, several vendors released “smarter” hardware tokens that came with encryption keys or encryption engines embedded. This made them easier to use, because push authentication methods eliminated a few steps. More recently, other vendors have released hardware tokens that support the Fast Identity Online (FIDO) protocols, so a single token can work with a variety of authentication servers. In the past, each fob was married to a particular server, which meant users had to cart around a collection of tokens if they needed to log in to multiple servers and cloud-based services.

As the tokens became more capable, the demand for better MFA security increased. Remote workers were on the rise, and earlier this year, travel restrictions and flight cancellations related to coronavirus made remote work more necessary and acceptable. That in turn drove increased demand for better authentication methods such as hardware and smartphone-based tokens.

At the same time, this increased demand hasn’t escaped the criminal world. Malicious actors began focusing on ways to exploit MFA’s weak points, particularly SMS-based MFA methods. The FBI issued warnings last fall documenting various techniques to bypass MFA methods, including swapping out cellphone SIM cards, using specially designed malware to automate MFA phishing schemes, and employing social engineering methods to fool users into providing the OTP digits in real time. In some cases, this resulted from poor deployment. At the RSA Conference last month, researchers documented new methods to get around smartphone MFA apps: exploiting outdated mobile operating systems, Android screen-overlay attacks that fool users into entering their OTP codes into a fake screen, and compromises of the mobile phone OS kernel itself.
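To make the shared-seed model of the classic fob concrete, here is an added example (my own code, not from this post or from RSA) of HOTP as specified in RFC 4226 and TOTP as specified in RFC 6238, using only Python’s standard library, together with the server-side checks that are still available against the attacks described above: a tight clock-skew window and a replay guard. The seed is the reference seed from the RFCs; the `TotpVerifier` class and its parameter names are assumptions of this example.

```python
"""RFC 4226 HOTP and RFC 6238 TOTP, as a classic OTP fob computes them.

Added example, not code from the post. The fob and the server share one
secret seed; the server needs its own copy of that seed to verify a code,
which is why a legacy fob is bound to the server it was provisioned for.
"""
import hashlib
import hmac
import struct
import time

# Reference seed from RFC 4226 / RFC 6238 (ASCII "12345678901234567890").
RFC_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP(K, C): HMAC over the 8-byte big-endian counter, dynamic truncation,
    then reduce modulo 10^digits and left-pad with zeros."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """TOTP = HOTP(K, floor(T / step)); the fob's clock supplies T."""
    return hotp(secret, unix_time // step, digits, algo)


class TotpVerifier:
    """Server side (hypothetical helper): one shared seed per user, a small
    clock-skew window, and a high-water mark so an accepted code cannot be
    replayed. It cannot tell who typed the code, only whether it is fresh."""

    def __init__(self, secret: bytes, step: int = 30, skew_steps: int = 1):
        self.secret = secret
        self.step = step
        self.skew_steps = skew_steps
        self.last_accepted_step = -1  # highest time step already consumed

    def verify(self, code: str, unix_time: int) -> bool:
        current = unix_time // self.step
        for delta in range(-self.skew_steps, self.skew_steps + 1):
            candidate_step = current + delta
            # Reject any step at or below the last accepted one: a captured
            # code that has already been used is worthless to a replayer.
            if candidate_step <= self.last_accepted_step:
                continue
            expected = hotp(self.secret, candidate_step)
            # Constant-time comparison so timing does not leak digit matches.
            if hmac.compare_digest(expected, code):
                self.last_accepted_step = candidate_step
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 publishes 8-digit SHA-1 vectors; the fob and the verifier
    # below use the more common 6-digit codes.
    print("TOTP at T=59 (RFC vector 94287082):", totp(RFC_SEED, 59, digits=8))
    verifier = TotpVerifier(RFC_SEED)
    now = int(time.time())
    code = totp(RFC_SEED, now)
    print("first use accepted:", verifier.verify(code, now))
    print("replay accepted:", verifier.verify(code, now))
```

Two things are worth noticing. The server must hold a copy of the seed, which is why each legacy fob was bound to the server it was provisioned for, and why a FIDO token that proves possession of a per-service key pair can serve many servers instead. And the replay guard only stops a captured code from being accepted twice; a code relayed within the 30-second window by a real-time phishing page is indistinguishable to the verifier from the user typing it themselves, which is the gap that the social-engineering techniques above exploit and that origin-bound protocols close.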

Where do we go from here with deploying MFA? Here are a few thoughts:

  • First, you need to take a step back and craft a solid identity access management strategy for your entire enterprise. You should examine whether every user needs a hardware token and for all their access methods. Instead, focus on the relative risks. For example, tokens are a good idea for those users who handle cash transactions, but perhaps not if their jobs are on the factory floor.
  • Second, think about how you handle your partners and customers’ transactions, and how to beef up their logins. Getting hardware tokens registered, and eventually revoked, for anyone who isn’t a full-time employee is still painful. Also, consider whether you should mix and match hardware and smartphone MFA apps, especially when the application circumstances and risk profiles dictate it.
  • Finally, consider how to authenticate cloud apps. Some cloud platforms support standards that make integrating smartphone MFA apps easier, so that may be a better solution. At the end of the day, having more MFA is usually better than no MFA, but it should be deployed intelligently and carefully.

This post was sponsored by RSA®, but the opinions are my own and do not necessarily represent RSA’s positions or strategies.