Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Spotlight on 2FA in 2015: Rising popularity of software tokens

Chai Chin Loon, Chief Operating Officer of Assurity | Jan. 21, 2015
As organisations prepare to bolster their cyber defence postures for 2015, they should consider including two-factor authentication to protect their data.

This vendor-written piece has been edited by Executive Networks Media to eliminate product promotion, but readers should note it will likely favour the submitter's approach.

Two-Factor Authentication (2FA) has been mandated in Singapore for online banking transactions since December 2006.  All securities trading firms here have also introduced a form of 2FA to secure their investors' online share trades since December 2011.  According to the Securities Association of Singapore, about 50 percent of retail investors execute their trades online.  Amid the riskier cyber landscape today, large non-financial corporations are following suit by bolstering their cyber defence postures with 2FA for both internal and external customers.  SMEs, with smaller cyber defence budgets, are also under increasing pressure to secure their internal and external customers' access to sensitive data with more than just passwords.  Fortunately they have a wider spectrum of 2FA options to choose from today than a decade ago. 

2FA methods - an overview
Consumers who transact online are most familiar with SMS One-Time Password (OTP).  After keying in their username and password, an OTP is sent to their mobile phone to authenticate their transaction.  They have to key in the OTP in order to access the history of their online banking statement, for example, or to execute an online trade.  SMS OTP is meant for low-to medium-risk online transactions.  Consumers prefer it to the hard security token for its convenience and ease of use.  However, there could be message delays depending on the mobile operator's roaming service.  Additionally, there are security concerns relating to trojans that steal banking-related SMSes in the wild, making infected mobile phones unsafe to receive SMS OTPs.

Those carrying out online banking would also be equipped with a hard token that usually comes in the form of a keypad or a smart card.  A hard token typically combines three functions, namely, OTP, Challenge and Response and Transaction Signing.  Transaction Signing is required for sensitive transactions such as funds transfer and adding a new payee online.  Some service providers also require Transaction Signing for updating of personal particulars online, such as changing one's address.  While hard tokens with Transaction Signing function are considered more secure than SMS OTP as they require an additional step of "dynamic interaction" with the token, SMS OTP offers the convenience of receiving "2FA on the go", without the additional "burden" of carrying a hard token. 

A third option that is rapidly gaining popularity in tandem with the growth in smartphone use are software tokens.  According to a Google study conducted by TNS, Singapore has the world's largest smartphone market per capita (at 85%).  Software tokens combine the benefits of both SMS OTP and hard tokens, namely, convenience and security.  Software tokens depend on the smartphone to calculate the OTP from the "seed record" along with the smartphone's clock and the algorithm contained in software installed on the device, usually in the form of an app.  Internet connection is only required for app download, activation or updating.


1  2  Next Page 

Sign up for Computerworld eNewsletters.