Two factor authentication methods are based on a variety of technologies, most prominently one time passwords (OTPs) and Public key infrastructure (PKI). What is the difference, and which should you use for your organization?
One time passwords (OTPs) are a form of ‘symmetric’ authentication, where a one-time password is simultaneously generated in two places—on the authentication server and on the hardware token or software token in the user’s possession. If the OTP generated by your token matches the OTP generated by the authentication server, then authentication is successful and you’re granted access.
PKI authentication is a form of ‘asymmetric’ authentication as it relies on a pair of dissimilar encryption keys—namely, a private encryption key and a public encryption key. Hardware PKI certificate-based tokens, such as smart cards and USB tokens are designed to store your secret private encryption key securely. When authenticating to your enterprise network server, for example, the server issues a numeric ‘challenge.’ That challenge is signed using your private encryption key. If there’s a mathematical correlation, or ‘match,’ between the signed challenge and your public encryption key (known to your network server), then authentication is successful and you’re granted access to the network. (This is an oversimplification. For more details, watch The Science of Secrecy videos by Simon Singh.)
When it comes to authentication, one size does not fit all. Below are several considerations to keep in mind when choosing the method or methods best suited for your organization:
While OTP authentication, for example with OTP apps, may provide sufficient protection for most enterprise use cases, verticals that require higher levels of assurance, such as e-government and e-health, may be mandated to use PKI security by law.
Industry Standards and Mandates
In PKI authentication, a private encryption key is used, which is non-transferrable when stored in a hardware token. Given its asymmetric nature, PKI is used in many parts of the world for higher assurance use cases. However, the security of OTP is also being increasingly recognized by many sectors, for example, healthcare in the US, and satisfies the DEA’s EPCS requirements when a FIPS-compliant OTP app is used.
Depending on regulations relevant to your industry, the hardware or software token you deploy may need to comply with FIPS 140-2 in North America or Common Criteria in other regions of the world.
Where a combination of physical and logical access is required, hardware tokens that support RFID-based physical access control may be preferred. Learn more, visit our Physical and Logical Access Control solutions page.
Regardless of the two-factor authentication technology being used, security can be elevated when assessing additional contextual attributes of a login attempt, such as various device and behavior-based variables. Learn more, visit our Context-based Authentication page.
Mitigating Diverse threat vectors
Different authentication technologies are effective in countering different threats. For a survey of authentication methods and the threats they counter, download the Survey of Authentication Technologies White Paper
Deployment and Administration Costs
OTP authentication has traditionally been more affordable, as well as easier and quicker to deploy, as it does not require setting up a PKI infrastructure that involves purchasing PKI digital certificates from a Certificate Authority for each user. Unlike OTP authentication that utilizes OTP apps can be installed on users’ mobile devices and desktops, PKI authentication requires a hardware token to be procured for each user to keep their private encryption key safe. For this reason, OTP authentication usually involves lower deployment costs and less time and effort on the part of IT staff.
When a software token is used, whether PKI-or OTP based, token replacement can be performed over-the-air, eliminating the costs associated with mailing a replacement hardware token.
Retaining Current Token Investments
Organizations that have already deployed a two-factor authentication solutions, whether PKI or OTP-based may seeks ways to retain their current investment.
Where PKI tokens are already deployed, organizations can expand or evolve their deployments to accommodate mobility. To this end, advances in mobile technology such as Bluetooth Smart PKI readers, may enable an organzation to retain its current token investment and leverage its current PKI infrastructure.
Where OTP tokens are already deployed, organizations can retain their current investment by seeking solutions that support third party tokens and third party RADIUS servers, or seek solutions that can import their current standards-based tokens into a new solution (e.g. OATH-based tokens)
Organizations that offer greater workforce mobility, or extend strong authentication to partners and consultants, may seek increasingly transparent authentication methods. Software and mobile-based tokens, as well as tokenless solutions, provide a more convenient authentication journey that facilitates the implementation of secure mobility initiatives.
SafeNet OTP Authenticators: Thales offers the broadest range of hardware, software and mobile-based OTP authenticators, enabling organizations to meet diverse assurance levels when securing any enterprise solution, be it on-premises, cloud-based, remote or virtual.
Thales SafeNet OOB Authenticators: Offering out-of-band authentication via push notifications, SMS or email, Thales’ out-of-band authenticators utilize a communication channel other than the one being accessed to deliver a one-time passcode, elevating both security and user convenience.
Physical and Logical Access Control: By combining physical access controls with logical access, organizations can secure physical access to offices and secure industrial and manufacturing sites while protecting access to sensitive networks and applications.
PKI Authenticators: Thales' suite of SafeNet certificate-based PKI tokens enable secure access to a broad range of resources, as well as other advanced security applications, including digital signature, email encryption and two-factor authentication.
Two-factor authentication (2FAs) ensures that a user is who they claim to be. The more factors used to determine a person’s identity, the greater the trust of authenticity.
Just as you wouldn’t want your bank to allow access to your checking account with a simple password, you want to make sure your resources are protected by asking employees to provide an additional factor of authentication. This ensures the employees’ identity and protects their login credentials from easily being hacked or stolen. You do not want to allow access to your valuable assets (be it VPN, Citrix, Outlook Web Access or cloud applications) with only one factor - often a weak password.
Two-Factor Authentication enables to strengthen the protection of vital resources by drastically reducing the chances of various security attacks including identity theft, phishing, online fraud and more.
There are multiple authentication methods that can be used to validate a person’s identity. SafeNet offers the broadest range of authentication methods and form factors, allowing customers to address numerous use cases, assurance levels, and threat vectors.
Context based authentication uses contextual information to ascertain whether a user’s identity is authentic or not. It is recommended as a complement to other strong authentication technologies.
SafeNet’s Next-Generation Authentication Solutions offer IT administrators a multilayer approach to access control. Employees can easily and securely access enterprise and SaaS applications, as long as they meet pre-defined policy rules set in advance by the administrator. If a user does not comply with the access rules in place, they might be requested to provide an additional authentication factor before they are granted access. This could be an SMS or a one-time passcode generated by a phone token, or a hardware token, depending on organizational policies. Click here to see our Context Based Authentication Infographic.
As the switch to the cloud blurs the boundaries of the traditional network security perimeter, organizations are having difficulty affording, implementing and managing consistent, unified access policies to distributed corporate resources. With SaaS adoption growing, there is no longer a single point of entry to corporate apps.
SafeNet authentication solutions overcome this challenge by allowing organizations to seamlessly extend secure access to the cloud through identity federation. SafeNet authentication platforms leverage organizations’ existing authentication infrastructures, allowing them to extend users’ on-premises identities to the cloud and enabling them to implement unified access control policies for both cloud and network applications. Read more about Strong Authentication for Cloud-Based SaaS Applications & Services
Providing a single point of management for defining and enforcing access controls to all virtual, cloud, and on-premises resources, SafeNet enables to extend two-factor authentication (2FA) to all users, at all risks levels, including mobile employees.
Different authentication methods and form factors address the different risk levels of users. As such, an employee that only has access to the enterprise portal will have a different authentication method/form factor than the company’s IT administrator.
SafeNet offers several methods to ensure secure access from mobile devices to network resources, email, VDIs and more:
SafeNet authentication solutions help secure access in BYOD scenarios by requiring users to register their devices. In this way, organizations may decide that only pre-registered devices may access the network or that non-registered devices require the user to provide an additional method of authentication such as a one-time passcode.
The need to implement unified access policies to SaaS applications, cloud-based solutions, and on-premise environments is essential in order to set and maintain secure access in current workforce environments, highly influenced by mobility.
Under pressure to reduce costs and prove value, IT administration staff is on a constant quest to reduce their TCO. Streamlined management includes user management, provisioning, single sign-on, strong authentication, authorization, reporting, auditing, and policy alerts integrated with LDAP/Active Directory.
SafeNet’s centrally managed authentication solutions are based on a single management platform that supports:
A fragmented IT eco-system hampers security and compliance. Securing employees’ access to enterprises resources under such a fragmented environment is indeed challenging. SafeNet authentication solutions provide a single point of management that applies consistent access controls to the entire IT eco-system. With complete use case coverage, our solutions provide over 100 seamless out-of-the-box integrations for cloud, VPN, VDI, web portals and LAN.
SafeNet ensures frictionless management for IT administrators by providing:
The desire to maintain acceptable levels of access security without burdening end users, combined with the need to support multiple devices, is leading organizations to adopt solutions that have minimal impact on the user experience. SafeNet delivers users frictionless authentication with a wide range of 2FA tokens and tokenless methods of authentication and federated SSO to the cloud.
Learn more about simple and secure out-of-band authentication with push notifications, which let users authenticate with a single tap of a button on their mobile device, while offering set-and-forget management and advanced security features.
Proof of authentication is rarely foolproof. This paper gives a detailed overview of different types of authentication methods and their underlying security mechanisms, and discusses how various methods are effective in mitigating different types of attacks.