Two-factor authentication is cool again!

Two-factor authentication using "something you know" (e.g., a password) and "something you have" (e.g., a hardware token) has been around for many years. "Something you are" has been added to the mix with biometrics, which is not yet widely deployed, especially compared to tokens.  While biometrics definitely has a cool factor that "something you have" cannot compete with, there are some very interesting developments in what the "something you have" could be, by focusing on using something you ALREADY have, instead of having to provide users with a hardware token.

The tried-and-true hardware token has a few drawbacks, such as the need to deploy and periodically replace it and the minor inconvenience of having to carry it around with you.  But the biggest drawback, as is so often the case, is the human factor.  Many have faced that horrible moment on the way to the airport when they realize that they forgot their token.  (Not you, of course, but those other people).  That leads to a host of problems ranging from how you are going to get access to the data you need to how badly you offended the people who just heard you blurt out the offensive words that typically follow the discovery of a missing token.

Enter tokenless two-factor authentication. Tokens provide a one-time password (OTP), but there are other ways to get an OTP.  RSA, the market leader in OTP, is best known for their SecurID tokens.  Yet they also provide software tokens that are generated by an application running locally, and on-demand tokens, sent to your cell phone or via email.

RSA, while dominant, is far from alone in the tokenless OTP market. You can get similar products from companies like PhoneFactor, Arcot, Vasco, SecurEnvoy, PortWise, and FireID.  These will all get the job done adequately but they are being challenged by some new innovations.

And Now, the Cool Stuff

There are a couple of companies that have unique, intriguing, browser-based products that provide a slick user experience and added layers of security.  They both tie into increasingly popular SSL VPN solutions, which are gradually replacing many IPSec implementations, as well as other web-based applications.

UK-based Swivel's PINsafe and US-based Syferlock's gridOne are solutions that use an alpha-numeric image on a web page, from which the user selects digits of the OTP to be entered. They know which digits to select based on something they already know (a PIN or password) that is neither shown on screen nor entered by the user.  Even if someone can see the screen, they cannot determine the OTP without knowing the user's PIN.  Clear as mud, right?  Well, a picture is worth a thousand words, so take a look at http://www.swivelsecure.com/?page=turing and http://www.syferlock.com/Approach.htm.  These solutions offer better protection against man-in-the-middle attacks, key logging, shoulder-surfing, and other attacks than their more conventional counterparts.

Both solutions allow quite a bit of customization.  The image presented to the end users can include numbers, letters, or both in a variety of configurations.  They both provide browser-only authentication, but allow for the requirement of a cell phone, and/or email channel.
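To make the position-based scheme concrete, here is a small server-side model of it. This is an added illustration, not code from Swivel, Syferlock or the original post, and it assumes one simple convention: each PIN digit names a 1-based position in the displayed string, with 0 meaning the tenth position. The secret PIN never appears on screen and is never typed; the server issues a fresh string per attempt and accepts a code only once.

```python
import hmac
import secrets
import string

ALPHABET = string.digits  # numeric image here; the products also allow letters


def new_security_string(length=10):
    """Random string shown in the image. Generated fresh for every login attempt."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def expected_otp(security_string, pin):
    """Derive the one-time code from the image and the user's secret PIN.

    Assumed convention (not necessarily either vendor's): each PIN digit is a
    1-based position in the string, and '0' means position 10.
    """
    if len(security_string) < 10:
        raise ValueError("security string must have at least 10 characters")
    positions = [10 if d == "0" else int(d) for d in pin]
    return "".join(security_string[p - 1] for p in positions)


class OtpVerifier:
    """Server side: issue one challenge per user and accept it at most once."""

    def __init__(self, pins):
        self._pins = dict(pins)   # user -> PIN; a real deployment stores these protected
        self._pending = {}        # user -> outstanding security string

    def issue_challenge(self, user):
        s = new_security_string()
        self._pending[user] = s   # replaces any earlier, unused challenge
        return s

    def verify(self, user, submitted):
        # Consume the challenge first: a replayed or second guess finds nothing to match.
        s = self._pending.pop(user, None)
        if s is None or user not in self._pins:
            return False
        return hmac.compare_digest(expected_otp(s, self._pins[user]), submitted)
```

Because the string changes on every attempt, a code captured by a keylogger or an over-the-shoulder observer is useless on its own; the PIN is what maps the picture to the code, and it never leaves the user's head.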

Cool Awards

PINsafe has received the CESG Claims Tested Mark Award.

Syferlock has received Frost & Sullivan's 2010 North American New Product Innovation of the Year Award for Password Security and Authentication Solutions, is one of ChannelWeb's 20 Top Coolest Cloud Security Vendors (see, I told you this stuff is cool!), was one of NetworkWorld's Hottest Security Products from the 2009 RSA Conference, and has earned FIPS 140-2 Cryptographic Algorithm validation.

Your Turn

If you've heard of any other innovative tokenless two-factor authentication products or have experience with any of those mentioned, we'd be very interested to hear your comments on them.

1 Comment

Hi,
There is another face to token-less: once you start using your mobile as the token-less device, you step up into a new world of communication. If two-factor authentication, OTP and tokens were all part of the security world, token-less belongs to the telecom world.

RSA, Vasco and all the names mentioned are security companies with little understanding, if any, of the telecom world, and in order to deliver a fast and secure token-less OTP you need a telecom expert.
So a new and cool solution has been formalized by Hypermedia and Vasco, where Vasco brings the security know-how and Hypermedia brings the telecom know-how, to create a one-of-a-kind telecom platform for fast and secure OTP delivery.
Feel free to contact me for more information. shmueli@hyperms.com
