3.3.3 Tokens

In this paragraph the token authentication mechanism will come up for discussion. We will discuss two types of token-based authentication: tokens and One Time Password Tokens, hereafter OTP. We have selected only these types of token-based authentication as they are the most commonly used.

Tokens have been used more commonly in the physical domain. Tokens can be used as a one-factor authentication process, e.g. swipe cards for door access. According to Sasse, this is a fairly weak mechanism since a token may be stolen or found by a potential attacker, who can use it until the loss/theft is discovered and the token is revoked [28]. Therefore, tokens are more often combined with another authentication mechanism; the combination of bank cards and PINs for ATMs is the most widely used example. OTP fall into the category of security devices that do not have to be plugged in [29]. Similar in shape to a small pocket calculator, OTP display authentication data that users type in manually, and the authentication data changes each time a user authenticates. These tokens, such as the SecurID, have been used, with apparent success, for remote access by financial institutions. On the other hand, the high cost of replacing lost tokens and/or lost working time has led companies in other sectors to abandon them [28].

The SecurID by RSA is one way of significantly reducing the risk of using passwords. Unlike passwords, which are changed every 60-90 days or longer, a SecurID token works differently. On the small screen of the key fob the user carries with them are numbers that change every 60 seconds. The numbers displayed on the screen appear random to the end user but are generated by a mathematical algorithm that is only known to the enterprise security server [30]. There are, however, weaknesses in using only this approach. For instance, if someone is able to steal or fraudulently obtain the key fob and they also know the user's id, then they will be able to successfully masquerade as that identity [30]. According to Anderson, token-based authentication requires token construction and distribution, which is far from trivial and has led to documented financial loss [31]. The token must be physically presented to the computer system, which requires additional hardware for reading the token. Both token and token reader cost money, and a reader must be available at every point a user might be authenticated. As the costs of tokens and readers decrease, this will become less of an issue. However, presentation of a valid token does not prove ownership; the token may have been stolen. And although a token may be hard to forge, this does not mean it is impossible or uneconomic to do so [32]. Without two-factor authentication, stealing the device would allow an attacker to impersonate the owner of the device; with two-factor authentication, the attacker would still have another authentication burden to overcome [33].

The city of Turin has undertaken a trial to perform the first large-scale attempt to issue smartcards to citizens for access to services and payment of local taxes (Torinofacile 2003). Based on 2,655 smartcards issued, the number of tokens that were lost in the post or stolen in the first six months was low (16). The majority of citizens who registered for the card were male, well educated and aged between 19 and 45; the number of cards issued to males was three times higher than for female citizens. Since most home and small business PCs are currently not fitted with smartcard readers, the trial issued digital certificates to users who needed them. The initial phase saw a high number of calls to the helpdesk, the majority of which (83) were due to problems with using these digital certificates. The second most frequent problem was that personal details registered about the owners of the cards were incorrect. These insights offer some pointers as to the logistical aspects and the costs that are likely to be associated with issuing such tokens to a large number of citizens. At the same time, small businesses, single traders and professionals report significant time savings and benefits from online access and payments compared to a paper-based system and access restricted to office hours. Smartcards can offer additional usability benefits: once the login procedure is completed, the token can be used to carry sessions from one machine to another, thus removing the need to log out or lock the screen when leaving the machine unattended for brief periods. They can also offer additional security features for applications such as credit cards.

One usability concern arising from the increasing popularity of tokens is that users may end up being ‘weighed down’ by a collection of tokens that they find hard to manage. There are two possible ways in which this might be prevented [28]:

• Single tokens carrying multiple credentials. A single token, such as a smartcard, could be used to store users’ credentials for multiple systems. The single token could either store data for multiple identification and verification mechanisms operated by different organizations (providing the user with a personal ‘credential/password manager’), or have a single strong verification (providing the user with a ‘magic key’). Both approaches would require an open standard for credentials, and the second would also require agreement on a single form of authentication and a high degree of trust between participating organizations. The ‘magic key’ model would create less work for the user, but would also create a single point of attack;
• Miniaturization of tokens. Organizations continue to issue their own tokens and decide their own access control mechanisms, but the tokens are so small (for example, RFID chips) that users can keep all of their tokens on them at all times, for example, in a smartcard-type device to which individual chips can be added.

3.3.3.1 Recapitulation & analysis

Usability aspects:

• Effectiveness: the users’ goal with effectiveness is to get access to a building or remote access as accurately and completely as possible. If the token does not work, the user is able to get it solved by the department in question or the person responsible. With regards to an OTP, users in most cases receive a new token when having problems connecting. However, in a normal situation this aspect is applicable for both types. This aspect is therefore considered when using tokens and OTP;
• Efficiency: the users’ goal with efficiency is to get access to a building or remote access as accurately and completely as possible, using minimal resources (e.g. time). Users are able to use tokens for physical access, using the swipe principle. With regards to an OTP token, a user needs to remember his/her key fob and enter the code which is indicated on the screen of the OTP token. In this case both are efficient to use. This aspect is therefore considered when using tokens and OTP;
• Satisfaction: the users’ goal with satisfaction is a positive attitude towards getting access to a building or remote access, without encountering any discomfort. Users use the token for physical access and OTP for remote access. If the token does not work, the user is able to get it solved by the department in question or the person responsible within an acceptable timeframe. With regards to an OTP, users in most cases receive a new token when having problems connecting, thus the user will not be able to get remote access. This aspect is therefore only considered for tokens.
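The OTP mechanism discussed in this section (a code on the key fob that changes every 60 seconds, produced by an algorithm whose secret is held only by the enterprise security server) and the two-factor point that a stolen fob alone should not be enough to masquerade as the user can both be shown in a short server-side implementation. The following is an added example and not code from the original text or from RSA: SecurID's algorithm is proprietary, so the code assumes the open HMAC-based HOTP/TOTP construction (RFC 4226 / RFC 6238) as a stand-in. The secret is the constructed RFC 4226 test key, the PIN is a made-up sample, and the names hotp, totp, OtpVerifier, hash_pin and two_factor_login are the author's own.

```python
import hashlib
import hmac
import struct

# Added example, not from the original text. SecurID's algorithm is proprietary;
# this uses the open HMAC-based HOTP/TOTP construction (RFC 4226 / RFC 6238) as a
# stand-in. The secret below is a constructed sample (the RFC 4226 test key), not
# a real credential.
SAMPLE_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic
    truncation to a 31-bit integer, reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, period: int = 60, digits: int = 6) -> str:
    """RFC 6238: the counter is the number of `period`-second steps since the
    epoch, so the displayed code changes every `period` seconds (60 s on the
    key fob the text describes)."""
    return hotp(secret, unix_time // period, digits)


class OtpVerifier:
    """Server side. Holds the per-user secret that the text says is known only to
    the enterprise security server, tolerates a small clock drift, and never
    accepts the same time step twice, so a captured code cannot be replayed."""

    def __init__(self, secret: bytes, period: int = 60, digits: int = 6, drift: int = 1):
        self.secret = secret
        self.period = period
        self.digits = digits
        self.drift = drift
        self.last_step = -1  # highest time step already consumed by a login

    def verify(self, code: str, unix_time: int) -> bool:
        step = unix_time // self.period
        for candidate in range(step - self.drift, step + self.drift + 1):
            if candidate <= self.last_step:
                continue  # this step (or an earlier one) was already used
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected.encode(), code.encode()):  # constant time
                self.last_step = candidate
                return True
        return False


def hash_pin(pin: str) -> str:
    """Stored form of the second factor (a salted, slow KDF would be used in
    production; plain SHA-256 keeps the example short)."""
    return hashlib.sha256(pin.encode()).hexdigest()


def two_factor_login(verifier: OtpVerifier, pin_hash: str, pin_attempt: str,
                     code: str, unix_time: int) -> bool:
    """Token + PIN. Both factors are always evaluated, so possession of the fob
    alone (the masquerade case in the text) is not enough to log in."""
    pin_ok = hmac.compare_digest(hash_pin(pin_attempt), pin_hash)
    otp_ok = verifier.verify(code, unix_time)
    return pin_ok and otp_ok


if __name__ == "__main__":
    import time
    now = int(time.time())
    server = OtpVerifier(SAMPLE_SECRET)
    shown = totp(SAMPLE_SECRET, now)
    print("fob displays:", shown)
    print("fresh code accepted:", server.verify(shown, now))
    print("same code replayed:", server.verify(shown, now))
```

Running the block prints the current 60-second code, accepts it once and rejects it the second time; the drift window means a code from the previous step is still accepted if the fob's clock has slipped slightly, which is the usual trade-off between usability and how long a shoulder-surfed code stays valid.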