With businesses adopting a plethora of cloud-based platforms and apps, authenticating people and machines to access these services can be a real burden. Relying on traditional, static passwords or secrets is no longer adequate for securing access to sensitive data and resources.
It is time to invest in new authentication mechanisms. Just like metal keys and locks are being replaced by access cards that employees receive once their identity has been validated and their access permissions determined, token-based authentication allows access to services and resources once the requestor’s identity has been authenticated.
To mitigate the weaknesses and risks of password-based authentication, many methods have been developed. While each authentication method is unique, all fall under one of the following three categories: knowledge (something you know), inheritance (something you are), and possession (something you own).
Password authentication falls within the knowledge category because users rely on a word or phrase they have created and are aware of to verify their identity. On the other hand, authentication using biometrics, such as fingerprints, is an example of “something you are” due to its use of biological traits. Finally, token-based authentication belongs in the possession category.
Token authentication requires users to obtain a computer-generated code, known as token, before they are granted access to a network or a resource. Token-based authentication is usually used in combination with password authentication as part of a two-factor authentication (2FA).
There are two forms of tokens, hardware and software. Whatever their form, tokens are employed to ensure every request to a server is verified, similar to how passwords allow users to log into a service but offering a superb user experience. Users are not required to memorize any passwords. With the plethora of apps and services requiring access authentication, logging in with passwords leads to password fatigue.
Hardware or physical tokens are usually inserted into a USB port. The system then compares the information provided by the token with the details stored on its database and, if it is correct, the user is authorized to access the system.
On the other hand, modern web applications typically use software tokens, known as JSON web tokens (JWTs) to authenticate their users. JWTs are encoded as JSON objects and operate within an open standard for securely transmitting information between parties. In practice, user data is encrypted by an identity provider into a JWT. The service provider then stores this encrypted data and uses it to confirm the user identity in every subsequent request. This ensures that criminals cannot access user data—which is held by the identity provider—in the event of a breach to the service provider.
While these traditional token authentication systems are still in effect today, the rise of smartphones has made token-based authentication easier than ever, transforming smartphones to mobile-as-a-token authentication mechanism. Smartphones serve as code generators, providing end users with the security tokens necessary to gain access to their network at any given time. As part of the login process, users receive a cryptographically secure one-time-passcode (OTP token) which expires after 30 or 60 seconds, depending on the settings at the server end. These OTP tokens are generated either by an authenticator app on the device or sent on demand via SMS.
The key advantage of token-based authentication is that it removes reliance on weak login credentials. It can help organizations move towards a passwordless approach to identity and access management (IAM) by offering a strong multi-factor authentication factor that can complement biometrics, push notifications, and more.
Token-based authentication is particularly beneficial to mobile apps and platform-as-a-service (PaaS) applications. It simplifies the process of securing access to on-premise or cloud-based applications and enables organizations to actively adopt digital transformation initiatives by securely sharing their information through APIs with a wide range of customers, partners and suppliers beyond the traditional corporate perimeter.
Except for these important benefits, the use of tokens comes with many advantages such as:
Password authentication is no longer enough to contain attackers from breaking into corporate networks. Compromised or stolen credentials because of brute force attacks, dictionary attacks, or phishing campaigns are the preferred attack vector used by malicious actors.
Token-based authentication, when used in tandem with other authentication mechanisms, creates an extra obstacle for the criminals to overcome. Since tokens can only be stolen from the generator device—whether a USB key or a smartphone—token-based authorization methods are considered highly secure and effective.
Despite the many advantages token-based authentication presents, they are not immune to security risks. For example, sending OTP tokens through SMS are not a best practice, since these tokens are susceptible to SIM swapping attacks and could be intercepted or compromised during transmission. For this reason, it is highly advisable to use authenticator apps for generating OTP tokens. Even then, there is always the danger of losing the smartphone of the USB key. A stolen token together with a compromised password can be the key to all your secrets, leaving your organization vulnerable to the criminals’ malicious intentions.
Implementing a robust and effective authentication strategy is the key to protecting critical corporate assets from data breaches or security incidents. For the strategy to truly be effective, adoption and adherence to identity and credential protection best practices is required. Here are a few factors to consider when deploying a token-based authentication strategy:
The use of passwords or static secrets to authenticate users or machines accessing corporate resources is not adequate for modern enterprises migrating to hybrid environments. Organizations should adopt multi-factor authentication mechanisms while developing passwordless initiatives. Token-based authentication is the right approach towards providing a robust, efficient and effective Identity and Access Management (IAM) policy. However, as with every credential, tokens and their signing keys must be protected adequately to avoid compromise. Venafi offers the most reliable certificate and machine identity management platform. Learn more here.