The basics of multi-factor authentication: How to pick the right token

Reading time: 4 minutes

Multi-factor authentication (MFA) is based on the idea that a user possesses several unique pieces of evidence which cannot be provided or accessed by a third party. This can be either knowledge like a password, biometric features like a fingerprint or a physical object like a hardware token.

Modern MFA solutions like LinOTP and the KeyIdentity MFA platform support a wide range of tokens to accommodate different use cases, risk levels and cost considerations in B2B and B2C scenarios. Here is a short overview of the most common token types: hardware and software tokens, SMS and biometrics as well as QR and push tokens.

Hardware tokens: independent of the device running the application

Hardware tokens are available in various designs ranging from portable USB authenticators to keychain devices to flexible display panels embedded in identification cards. They all have one advantage in common: Since hardware tokens come with their own display and battery, they can operate independently of the device running the application.

A special type of hardware token is the standardized FIDO U2F token, overseen by the open-authentication industry consortium FIDO Alliance. Based on the Universal Second Factor (U2F) standard, users can “bring their own token” (BYOT). This means that tokens they already own can be reused at a consistent level of security.

Software tokens: easy to deploy and cost-efficient

Software tokens are stored on electronic devices like smartphones. One method is to simply install an app on a mobile device, which means that users can leverage the usability of mobile platforms while retaining the proven authentication mechanisms of classical tokens.

In general, software tokens allow for an easy rollout and integration as well as lower operating costs. They generally use established standards and are easy to integrate. However, a common complaint is their dependence on the mobile platform they run on. This makes software tokens more vulnerable to security threats compared to hardware tokens. For highly secured applications, this can be mitigated by using external devices for secure storage, for example a YubiKey NEO or Bluetooth-based FIDO tokens.

Biometrics: at the tip of a finger

The rise of biometric authentication in the past years – especially fingerprint and face pattern identification – brought some interesting developments, foremost in mobile use cases. Biometric solutions are easy to use, but security issues arise when an inherently fuzzy authentication method like fingerprints or voice recognition is applied as the only means for authentication, without any other method providing a second factor.

The bottom line is that current biometric methods can be an additional factor to more secure methods in current MFA solutions when the regulatory requirements are met and state-of-the-art technologies are used.

QR tokens: done after a simple scan

QR tokens are based on the idea that a QR code is scanned with an authenticator app in order to verify a transaction or a login. One scan, one push of a button, and the authentication is done without any additional input needed. If the data were manipulated, the transaction could not be validated. Due to this high level of security, QR tokens are superior to other types of tokens.

The concept of QR tokens as provided by the KeyIdentity LinOTP solution also allows secure offline authentication for laptops and mobile devices. No secret data is saved on the authenticated device. Users can easily scan the code with their smartphone and log in with a TAN even when there is no connection to the backend at the time.
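To show why manipulated data cannot be validated, here is an added example (not LinOTP's own protocol or code): a minimal challenge-response QR token in Python, where the server keeps the challenge it encoded into the QR code and the authenticator derives a TAN from an HMAC over the scanned data; the shared secret, the field names and the HOTP-style truncation are assumptions.

```python
import hashlib
import hmac
import json

# Constructed token secret shared between server and authenticator app at
# enrollment (hypothetical example value, not a real LinOTP secret).
TOKEN_SECRET = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c" * 2)


def build_challenge(transaction, nonce, now, ttl=120):
    """Server side: the payload that is encoded into the QR code."""
    return {"nonce": nonce, "exp": now + ttl, "tx": transaction}


def canonical(challenge):
    # Fixed key order and no whitespace so both sides MAC identical bytes.
    return json.dumps(challenge, sort_keys=True, separators=(",", ":")).encode()


def compute_tan(secret, challenge):
    """Authenticator side: after showing challenge["tx"] to the user for
    approval, derive an 8-digit TAN from an HMAC over the scanned data."""
    mac = hmac.new(secret, canonical(challenge), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                          # HOTP-style dynamic truncation
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10**8:08d}"


class QrTokenVerifier:
    """Server side: stores issued challenges and verifies the returned TAN."""

    def __init__(self, secret):
        self.secret = secret
        self.pending = {}        # nonce -> challenge as it was put into the QR code
        self.used = set()        # nonces already consumed, to reject replays

    def issue(self, transaction, nonce, now):
        challenge = build_challenge(transaction, nonce, now)
        self.pending[nonce] = challenge
        return challenge

    def verify(self, nonce, tan, now):
        challenge = self.pending.get(nonce)
        if challenge is None or nonce in self.used:  # unknown or replayed nonce
            return False
        if now > challenge["exp"]:                   # QR code has expired
            del self.pending[nonce]
            return False
        # The TAN is recomputed over the server's copy of the transaction, so a
        # TAN produced over altered transaction data will not match.
        ok = hmac.compare_digest(compute_tan(self.secret, challenge), tan)
        if ok:
            self.used.add(nonce)
            del self.pending[nonce]
        return ok
```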

SMS tokens: highly flexible, but watch out for the right level of security

SMS tokens are very popular because users do not need to install any software on their smartphones. The tokens are deployed by larger consumer-oriented companies like Twitter for applications like account verification since they offer a lot of flexibility to improve security compared to a password alone. But the flexibility of SMS tokens is also their biggest weakness: The security depends on the carrier network, the mobile phone of the user and the endpoint data in the backend.

Overall, SMS tokens provide an easy-to-deploy and easy-to-maintain mechanism for one-time password (OTP) authentication. They can be a viable option in low-risk environments where costs have to be kept to a minimum. But their security has to be considered in each use case, as several attacks like “ZeuS” underline.

Push tokens: the next generation of multi-factor authentication

Push tokens are even more advanced than other tokens when it comes to fully leveraging the possibilities of modern mobile networks and platforms. A push notification about a transaction or login is sent to the user’s registered mobile device in an encrypted transmission. The user only has to review and accept the transaction or login. Therefore, push tokens provide a high user acceptance while retaining a high level of security.

Overall, QR and push tokens are the innovative alternatives to classical software and SMS tokens. They offer big advantages in cost and usability, while providing superior security for transactions and logins.

What is the ideal token?

First, the one and only token for all use cases and environments is hard to find. There are token types for a wide range of situations available though. Second, enterprise environments are changing too fast for a vendor-locked backend and token strategy. This means that businesses need to stay flexible in the choice of their authentication methods and their backend. Solutions like LinOTP offer this flexibility and enable users to easily deploy and manage a wide range of tokens.

In the end, it all comes down to the right level of security, usability and costs: Which degree of security do my transactions and data demand, and what is the risk level of my business environment? Which level of usability do I have to provide to my users for full acceptance? And how much can I invest in multi-factor authentication?

With modern software and hardware tokens we are now able to provide new set-ups and solutions. Push and QR tokens, for instance, combine the benefits of security and usability. Especially in cloud environments and high-level transactions, they represent the next generation of multi-factor authentication. Moreover, adding new external devices to software token enrollments increases their security while maintaining their usability advantages. Future-oriented MFA solutions will help businesses to tackle the challenges of cloud and transaction security as well as the increasing mobility of consumers. Stay tuned for further developments and innovations which we will discuss in our blog.

Token Types        Security  Usability  Maintenance  Costs
Hardware Tokens    +++       +          ++           +
FIDO U2F Tokens    +++       +          ++           ++
Software Tokens    ++        ++         ++           +++
SMS Tokens         +         ++         +++          +++
Biometrics         +/++      ++         ++           +
QR Tokens          +++       ++         ++           +++
Push Tokens        ++        +++        +++          +++


By | 28 July 2017, 14:33 | KEYIDENTITY, LINOTP | No comments yet

About the author:

Rainer Endres