About Key Fob Tokens
There are two types of token systems: time-synchronous (such as RSA's SecurID key fobs) and incremental (such as SecureComputing's Safeword). Time-synchronous tokens are just that: the token and the server are synchronized. Incremental tokens use a counter, and the counter on the token should match the counter on the server.
Hardware Key Fobs are too expensive
The primary issue with key fob tokens, in particular with RSA SecurID, is expense. Typically, tokens cost between $25 and $100 per user and last for only two to three years. Tokens are frequently lost, and new ones must be purchased and kept on hand. WiKID Strong Authentication is significantly less expensive than key fob tokens.
How much security are you really getting with SecurID?
The need to re-synchronize creates a weakness. For example, with most time-synchronous tokens, there are three valid passcodes in case the token's clock has drifted or the user needs more than 60 seconds to log in. If the passcode is 6 digits, the odds of guessing a valid passcode go from 1 in 1,000,000 to 1 in 333,333 - less than acceptable for ANSI 9.9. With WiKID Systems, the administrator can set the time-out for as long or as short as required for a user to log in, meaning that one passcode can last for 180 seconds while maintaining the 1 in 1,000,000 requirement.
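The effect of the acceptance window described above, as an added example that is not WiKID's or RSA's code: it uses the open RFC 4226/6238 one-time-password algorithm as a stand-in for a time-synchronous token (SecurID's own algorithm is not shown on this page), and the secret, timestamp and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 60    # seconds per passcode, the 60-second interval from the text
DIGITS = 6   # 6-digit passcode: 1,000,000 possible values

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def accepted_codes(secret: bytes, now: int, drift_steps: int) -> set:
    """Every passcode the server accepts at time `now`.

    drift_steps=1 means previous, current and next interval: the
    "three valid passcodes" case described in the text.
    """
    t = now // STEP
    return {hotp(secret, t + d) for d in range(-drift_steps, drift_steps + 1)}

def verify(secret: bytes, candidate: str, now: int, drift_steps: int) -> bool:
    """Check a candidate against the whole window, comparing in constant time."""
    ok = False
    for code in accepted_codes(secret, now, drift_steps):
        ok |= hmac.compare_digest(code, candidate)
    return ok

def guess_odds(secret: bytes, now: int, drift_steps: int) -> float:
    """Probability that a single random guess is accepted."""
    return len(accepted_codes(secret, now, drift_steps)) / 10 ** DIGITS

if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed sample value
    now = 1_700_000_000                   # constructed timestamp
    for drift in (0, 1):
        valid = accepted_codes(secret, now, drift)
        p = guess_odds(secret, now, drift)
        print(f"drift +/-{drift}: {len(valid)} valid codes, "
              f"guess odds 1 in {round(1 / p):,}")
```

Each extra interval the server tolerates adds one more accepted value, so the guessing odds scale directly with the window size rather than with how long any single passcode stays valid.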
Deploying key fob authentication tokens is a logistical nightmare
Initial validation is problematic with hardware-based tokens as well. While some vendors offer an 'express' solution (for additional cost) that allows an end-user to request a new token over a web site, the administrator still has to manually enable the account and ship out the token. WiKID Strong Authentication's unique patent-pending initial validation method allows complete automation and employee self-service. Lost tokens need to be redeployed as well, further increasing the hassle and expense.
Compare to WiKID
WiKID uses asymmetric encryption instead of shared secrets. Keys are generated on your server and your tokens, and we do not have a copy. An attack against WiKID will not require new tokens for you.
WiKID's native AD 2FA protocol allows you to use one-time passcodes for Windows local and domain administrators (a possible requirement for PCI-DSS 3.2) making pass-the-hash attacks and privilege escalation much, much harder if not impossible.
Need a password-reset solution? WiKID's native AD 2FA can be used for that too, eliminating expensive help-desk calls.