Two Factor Authentication: SMS vs. Tokens: Page 2
Are one-time passwords sent via cell phone text messages more secure than traditional hardware tokens?
Is SMS superior?
Asked directly whether SMS-based authentication is superior to security tokens, Philip Lieberman, president of Lieberman Software and chief blogger at IdentityWeek, said, “It’s really a toss-up with no right answer. SMS-based authentication is technically inferior to hard tokens in that the transmission could theoretically be intercepted and used by an intruder. In practice, the SMS method is superior since the organization does not have to worry about token distribution or lost tokens and this is a less expensive and generally a more easily deployed methodology. Most of the cost and complexity of hard tokens revolves around configuration and distribution.”
One could easily argue that the safest bet is to look at how the application itself is used and to compare the practicality and ease of use of the two solutions. Moreover, given the case of employee hacking at RSA, the security privileges granted to each user should match the level of defense used to protect that user. High-profile targets may require additional security mechanisms or even a “new defense doctrine.”
“Neither approach is necessarily superior or inferior,” said Andrew Young, VP of Authentication at RSA rival SafeNet. “When you consider your options for authentication methods and form factors, you need to address three key areas: risk, cost, and user experience. SMS-based authentication is one option for strong authentication and, depending on what the activity (use case) is, the level of risk associated with that activity, the cost to deploy, and the experience required by the user… it's one of many choices.
“Rather than choosing one method over the other, it's all about selecting the right solution for the specific information you want to protect. It could be that you want a combination of both, where in some cases you use SMS, and in others, it's tokens. For example, you may use SMS for most employees, but use tokens for your IT administrators who have direct access to your sensitive information. The bottom line is, organizations should make sure they maintain that freedom of choice when planning their authentication approach.”
Victor Cruz is a consultant and writer living in Boston whose articles have appeared in American Venture, Cloud Computing Journal, CommPro.biz, CSO Magazine, Communications News, Computer Technology Review, Harvard Review, Medical Design Technology, and WebSecurity Journal. He has advised some 50 IT companies in the past 20 years on their marketing strategies. You can reach him at email@example.com.