A token effort (boom-tish)
There is a pretty good chance that if you’re here, you have a pretty good understanding of why OTP tokens aren’t going to work for most organisations. Here’s a quick refresher just in case:
- They must be deployed (and redeployed after 2-3 years) to the field
- They must be managed in the field (expensive at best, impossible at worst)
- They’ll add a non-trivial load to your helpdesk (if you have one)
- People don’t like them, as they’re finding that tokens are starting to breed on their keyrings
- People don’t care about them, which means they lose and break them
- They are the ultimate in vendor lock-in.
None of these observations are earth-shatteringly new, but people are beginning to see that we weren’t making these up. So much so that CNN has an article on the shift to SMS authentication by the big boys.
Basically, the banks are finding that tokens are costing them too much and are looking for alternatives. Whilst I think that the core problem tokens have is that they are physical devices, I would also contend that another of their major problems is that they are so inflexible. Tokens can’t adapt to new threats and they can’t improve. All you can do is replace them.
Authentication using a messaging medium (like SMS) allows for innovation in authentication. We can do clever things to beat emerging threats, streamline processes and improve manageability, because we have room to move. And clever things we will do. Stay tuned.