Two-factor authentication alternatives

Worried by the breach at RSA? Here are some two-factor authentication alternatives to consider.

RSA’s unfortunate announcement two weeks ago, in which it explained that its SecurID two-factor authentication (2FA) product had been compromised, has led millions of users to worry that perhaps they need a rival solution.

If you share that worry, what are your alternatives?

CA Technologies has kindly, or cynically (depending on your world-view), made an offer to replace your SecurID software and tokens at a reduced price.

CA will “provide a three-year enterprise license for the CA ArcotID software credential, including the CA Arcot WebFort authentication server,” for anyone with an RSA token, and will only charge maintenance fees if you sign up before Sept. 30th, 2011.

Mi-Token has also created an “RSA Lifeboat”. The company has an Australian presence in Sydney and a handful of local resellers.

There are plenty of other 2FA vendors out there, and even if they aren’t making an offer as generous as CA’s or Mi-Token’s, the likes of ActivIdentity, Authenex and Thales (with its SafeSign product) are waiting for your business.

Another 2FA alternative is SMS-driven 2FA, an approach that replaces tokens with mobile phones. One-time passwords are sent by SMS, in response to an inbound SMS containing a special code. Since nearly everyone has a mobile these days, this approach has its fans, as we explore in this story on SMS two-factor authentication for electronic identity verification.

SMS 2FA is not radically different from soft tokens, software that replicates all the functions of a hard token. You run a soft token on a mobile device and it offers all the mechanisms built into a physical token. If you like the idea of soft tokens, you may also want to check out OATH – the Initiative for Open Authentication. Soft tokens that work with this open effort to create strong crypto are already available for smartphones, including the iPhone.

Of course you may worry that putting something as important as an authentication token on a phone that could be left in a cab (or picked up by a child who wants to play Angry Birds) is a bad idea. You may even feel that the RSA incident makes you want to get out of two-factor authentication entirely. Even though 2FA is touted as the best way to secure your users, leaving the technology behind is not an entirely silly idea. That’s because 2FA is not always super-secure, as we noted a few years back in this piece on the insecurity of two-factor authentication.
