Products and Solutions

Managing Hardware Authentication Tokens in the Cloud

Nov 01, 2021 | by Ingo Schubert |
Hand holding a SecurID Token

Roughly 13,000 organizations use SecurID to verify that their 30 million users are who they claim to be. SecurID software authenticators work however and whenever our customers do, providing the simplicity, security and convenience every business needs to address its unique identity challenges.

But being the trusted identity platform means ensuring that we’re able to support every use case, and as easy as SecurID soft tokens are to use and manage, sometimes hard tokens are still the best way to go.

There are several reasons why an organization may opt to use hard tokens:

  • Hard tokens provide much higher protection for the cryptographic material (the seed) and reduce the chance of any malware accessing the token
  • Soft tokens are typically deployed on smartphones—and while that’s handy for most use cases, in some instances, bringing a smartphone into a highly controlled or sensitive environment could be a non-starter
  • Employees may not want or be allowed to install business-related software on their private smartphones

But hardware doesn’t need to be hard to distribute, hard to handle, hard to manage or hard to replace: SecurID hard tokens can be assigned, enabled, disabled and configured from the cloud.

Users can even reset their PIN via the SecurID Access Cloud Authentication Service MyPage. That functionality alone can add up to big savings: at larger businesses, nearly 50 percent of IT help desk costs are allocated to password resets.  

The two methods for managing hard token distribution and assignment

I’ve been helping SecurID customers configure their IAM processes for nearly 20 years, and by now it’s clear to me that every business has its own identity needs. During a recent webinar, I shared some of the factors that businesses should consider when deciding between hard and soft tokens. It’s an important question—and one that businesses spend a lot of their time weighing.

Another question that’s equally important but that tends to be overlooked is: ‘How should we assign authenticators to users?’

It’s something that I wish businesses spent a bit more time on earlier in the process—because it’s another opportunity for businesses to develop IAM processes that meet their needs.

Businesses can choose between two methods for managing this step:

1. Assign, then distribute

This is a good method for businesses that already have a secure delivery mechanism.

In this scenario, an admin assigns a specific token to a specific user, then ships that token to the user (ideally with some tamper-evident packaging). The costs can be a bit higher because in this case, admins can’t ship the tokens in bulk.

But the higher cost might also buy greater security: admins can ship disabled tokens to users, then activate them once the user confirms receipt. The user receives exactly the token that belongs to them.

2. Distribute, then assign

This method works best if your security team has a way of authenticating users securely during the assignment process. It’s also cost-effective: just have a bunch of unassigned tokens available for every user to pick up. Even just mailing them is easier: somebody just has to mail one token (any available token) to each recipient. No need to worry about which token gets sent to which user.

Alternatively, users could go out and purchase their own tokens—including FIDO2 tokens.

The trickier part comes in binding the token to a specific identity, which needs to occur securely. Moreover, any trust that the business places in the token can’t be significantly higher than the initial trust the user creates during registration—that’s particularly true for FIDO tokens, as they can be sourced from anywhere. Whatever amount of ‘registration trust’ that’s used to authenticate a token becomes that token’s limiting factor over the course of its lifetime.

Which method is better?

The short answer is that both methods can work—and that there is no ‘best’ model for distributing hardware tokens.

The longer answer is that—just like IAM broadly—distribution and authentication should meet your business needs. Organizations need solutions that are practical enough and secure enough to balance users’ behaviors and address the likeliest, most frequent and most impactful security concerns.  

An argument could be made that ‘Assign, then distribute’ is the more secure of the two methods. In a perfect world, using a serial number to match up a token with a specific user could be a useful way in reducing variables and controlling authentication from the start.

But ‘Assign, then distribute’ doesn’t have to be the more secure of the two. ‘Distribute, then assign’ might be secure and practical enough to meet your team’s needs.

And remember, regardless of the method, any amount of security is useless if it’s not practical. That’s one of the reasons why asking employees to remember and manage up 100 passwords on average can create significant vulnerabilities for organizations.

Another factor is that many of us are trying to adapt to COVID-19, which has changed everything from how we work to how we vote. Today, asking your team to crowd into an office and pick up a token may not be ideal, safe or practical.

Manage your authentication hardware from the cloud

The good news for SecurID customers is that, whether you opt for ‘Assign, then distribute’ or ‘Distribute, then assign,’ the SecurID hardware token: SecurID Access can handle both.

In fact, our hardware tokens were designed to deliver as much software-like flexibility as possible:

  • SecurID Access Cloud Authentication customers can register and manage SecurID 700 tokens from anywhere
  • Adding new tokens is straightforward: all admins need to do is upload an XML seed file and provide the corresponding password
  • Disabling tokens is just as simple: admins can either batch-delete all expired tokens or provide the serial numbers of specific tokens to be deleted
  • Once registered, admins can set user PIN and lockout policies according to their organization’s needs. Admins can also elect to enable or disable email notifications regarding lockouts or PIN resets
  • Need to find out how many tokens you’re managing or who owns them? That’s easy too: just create a report on all your imported tokens. The report also provides visibility into the token serial number, its type, expiration date, status, assigned user, and more
  • Security teams can also adjust assurance levels as needed—one pro tip is to use risk-based authentication to reduce the need for step-up to increase convenience without sacrificing security.

Your organization can use these tokens with web applications, RADIUS, SecurID multi-factor authentication (MFA) agents (including Windows 10 and MacOS).

In fact,  SecurID hardware tokens are just one type of hardware token that you can manage from the cloud: any FIDO U2F or FIDO2-compatible token can be managed via the SecurID Access Cloud Authentication Service.

Whatever your organization chooses, make sure that your IAM solution can adapt to whatever your needs are—and not the other way around.

###

Want to take the ‘hard’ out of hardware? Contact us to see easy hardware tokens can be.