
I am My Phone

First published: 15th April 2011

Allan Dyer

The British Computer Society website has recently published an ambitiously titled article by Andrew Kemshall, co-founder of SecurEnvoy. I would like to spend a few paragraphs criticising the article.

Mr. Kemshall's central argument is that security tokens are like cassette tape, an obsolete technology, and about to be replaced by authentication by mobile phone and SMS.

Unfortunately, he says, "Nothing lasts forever and two factor authentication isn't any different", and lists cassette tape, VHS, DVD and Blu-Ray as a technological progression. This is wrong, in principle and in detail. In detail, cassette tape actually outlasted VHS, because they filled different technological niches. Solid-state MP3 devices replaced audio tapes. More generally, each technology has particular characteristics that determine its suitability for various tasks, and an old technology may remain in use for particular tasks even while it has been replaced for others.

However, the principle is that audio recording is still around, as it has been since Thomas Edison's experiments in 1878. Two factor authentication is a function that, like audio recording, can be achieved using different technologies and Mr. Kemshall is wrong to equate it to one particular technology for one factor: dedicated physical tokens.

Mr. Kemshall advocates SMS as a replacement for physical tokens. This can be described as a variant of authentication by tokens - the "something you have" is your mobile phone instead of the dedicated physical token. Perhaps his article should have been titled, "No more Dedicated Tokens"?

A former issue with SMS authentication was that the network might be temporarily suspended or the user may be in a signal dead spot, such as the basement of a building or computer room, preventing the reception of a code when needed. Mr. Kemshall tells us that pre-loaded codes solve this: "As soon as a user enters their authentication code, the system automatically forwards a new SMS message, overwriting the code in an existing message ready for the next session." This implies that a person who steals the phone will always have a valid access code for one session, no matter how fast the user reports the loss. Not much different to a dedicated token, but the code could also be accessed by a "friend" who borrows the phone "for a minute". A phone may be a personal device, but phones are shared and shown off socially. "You've got Angry Birds on there? Can I see?"
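To make the exposure concrete, here is an added example (not code from the article or from SecurEnvoy) that models the pre-loaded code scheme server-side with a hypothetical API: one code is always outstanding, consuming it delivers the next, and the two controls a defender would want, an expiry on unused codes and revocation when the phone is reported lost, are bolted on. The user name, timings and the in-memory "SMS gateway" are constructed for the demonstration.

```python
import secrets


class PreloadedSmsAuthenticator:
    """Server-side model of the pre-loaded code scheme: one code is always
    outstanding per user, and consuming it triggers delivery of the next.
    Added controls: expiry of unused codes, and revocation on a loss report."""

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self.codes = {}    # user -> (code, issued_at): the single live code
        self.outbox = []   # constructed stand-in for the SMS gateway

    def issue(self, user, now):
        code = f"{secrets.randbelow(10**6):06d}"
        self.codes[user] = (code, now)
        self.outbox.append((user, code))   # "sent" to the phone

    def verify(self, user, presented, now):
        entry = self.codes.get(user)
        if entry is None:                   # never enrolled, or revoked
            return False
        code, issued_at = entry
        if now - issued_at > self.ttl:      # unused code sat on the phone too long
            del self.codes[user]
            return False
        if not secrets.compare_digest(code, presented):
            return False
        self.issue(user, now)               # pre-load the next session's code
        return True

    def report_lost(self, user):
        self.codes.pop(user, None)          # code on the phone is now worthless

    def latest_code_on_phone(self, user):
        return next((c for u, c in reversed(self.outbox) if u == user), None)


def demo():
    auth = PreloadedSmsAuthenticator(ttl_seconds=3600)
    auth.issue("alice", now=0.0)
    first = auth.latest_code_on_phone("alice")
    r = {}
    # Whoever holds the phone at t=600s presents the pre-loaded code: accepted.
    r["preloaded_code_valid"] = auth.verify("alice", first, now=600.0)
    auth.report_lost("alice")               # helpdesk call revokes the next code
    r["after_report"] = auth.verify("alice", auth.latest_code_on_phone("alice"), now=900.0)
    auth.issue("alice", now=1000.0)         # re-enrol; code left unused past TTL
    r["expired"] = auth.verify("alice", auth.latest_code_on_phone("alice"), now=4602.0)
    return r
```

Without the loss report or the expiry, the code sitting on the phone stays valid indefinitely, which is the window the article is pointing at.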

Most of the other points raised in favour of SMS cite the cost and inconvenience of tokens - deploying 1000 tokens could take six months, for example. Why this timescale is required is not spelt out, but I suspect it has something to do with carefully ensuring that the correct person gets the token. Setting up an SMS solution, we are told, can be done in a day: simply use the existing employee database, with mobile numbers automatically identified. This assumes that the employee database is accurate and up-to-date, so it would be a good idea to add the time and cost of really verifying that before using it.

People lose tokens, and they lose phones, but, Mr. Kemshall reports, "a third of the population would notice they'd lost their mobile phone within 15 minutes and 60 per cent would within the hour", whereas the fact that a token is missing may not be noticed until the next time it is needed. Fast reporting of loss is good, but how many people, when they lose their phone, would remember to call up the helpdesk to get the SMS authentication disabled? Most would be more concerned with the address book, photo album and value of the device. Also, phones are easy to resell, so they are a more attractive target for theft.

An issue not addressed is the security of the phone network. The access code is being sent by store-and-forward, via a public, third party communications network. What analysis has been done on the vulnerabilities this introduces?

The assumption of "something you have" authentication is that possession proves identity. SMS authentication is a variant of "something you have" authentication, assuming that possession of a phone proves identity, with certain advantages: cheapness, ease of deployment; and disadvantages: weak binding of the phone to the user, unexplored risks in the public network. The rise of SMS authentication does not presage the end for two-factor authentication. It does not even hammer the final nail into the physical tokens’ coffin. It does offer one more tool for your toolbox. Carefully evaluate the needs of the job when choosing your tools.
