Skip to main content

Software Tokens: Less expensive, easier to use.

(0 comments)

So it has been quite a while since my post about the Security of Software Tokens.  In that post, I pointed out that using public key encryption eliminates the problem of securing the seed.  There is no seed.  I also pointed out that if you're concerned about malware, fight malware. 

I wanted to tackle a couple more mis-perceptions about two-factor authentication.  I routinely see posts that state that two-factor authentication needs to be easier to use and less expensive, as this post states:

What’s really missing is a strong successor of passwords. There are many options, like various two factor authentication schemes, but none of them is as easily and cheaply implemented as passwords.

Note the wording here:  "cheaply implemented".  Certainly, for the developer historically it is easier to implement usernames and passwords than say LDAP or Radius, but that's where the savings end.  Maintaining passwords is incredibly expensive.  In addtion, we are increasingly seeing new web-applications implement SAML or OAuth, allowing users to login with their Facebook, Google or Twitter logins.  The benefit of getting new users to sign up outweighs the integration cost. Plus, Google, Twitter et al have made it a lot easier for developers to integrate by providing simple APIs and sample code.  (We use Google's sample code for the Google Apps for your Domain SAML plugin, for example).  WiKID has a very simple API and a number of open-source (LGPL) implementation packages for developers, in addition to Radius and LDAP support.

So, clearly implementing two-factor authentication is getting easier for developers thanks to a number of APIs and packages.  What about ease-of-use for end users?  I think users are incredibly frustrated with passwords.  We focus on ease of use by doing the little  things, like copying the one-time password to the clipboard automatically or opening the default browser to the URL after validating the SSL certificate for the user.  If you don't like our token, you can write another one, just like Hurricane Labs did in Python.  

 

 

 

Currently unrated

Comments

There are currently no comments

New Comment

required

required (not published)

optional

Recent Posts

Archive

2019
2018
2017
2016
2015
2014
2013
2012
2011
2010
2009
2008

Categories

Tags

Authors

Feeds

RSS / Atom