Choosing a Replacement for Incumbent One-Time Password Tokens

Transcription

1 Research Publication Date: 21 April 2011 ID Number: G Choosing a Replacement for Incumbent One-Time Password Tokens Ant Allan This research outlines the options for enterprises seeking replacements for incumbent one-time password (OTP) hardware token deployments, along with guidance on how to choose among alternatives. Authentication is fundamental to trust relationships, so it's vital that enterprises make properly informed choices. Key Findings OTP hardware tokens are still widely regarded as the standard authentication method in workforce remote access and other use cases, but they can be expensive and offer poor user experience (UX). OTP hardware tokens are not well-suited to use with smartphones and other mobile devices, the use of which are rapidly increasing for access to enterprise systems, banking, e-commerce and so on. The recent breach at RSA, The Security Division of EMC, has raised concern about the robustness of RSA SecurID (the market-leading OTP hardware token) in particular, and of other OTP hardware tokens in general. Recommendations When choosing a replacement authentication method, apply the same criteria that you would when choosing a new authentication method from scratch: Consider the level of assurance (and accountability), the total cost of ownership (TCO) and UX. Review your needs critically: Don't assume they're unchanged from when you decided to deploy OTP hardware tokens in the first place. Remember that all authentication methods can be broken or bypassed, so don't neglect security monitoring, fraud detection and other layered controls Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in any form without Gartner's prior written permission. The information contained in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of Gartner's research organization and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner's Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see "Guiding Principles on Independence and Objectivity" on its website,

2 ANALYSIS Many enterprises have deployed OTP hardware tokens, typically for workforce remote access and external user access. However, enterprises are increasingly sensitive to the cost of this authentication method and the relatively poor UX, especially when used for mobile access. Also, recent events have raised concerns about the robustness of the market-leading product, RSA SecurID. Thus, some enterprises are critically reviewing their deployments. What alternatives are available to such enterprises? How can an enterprise choose among them? This research provides guidance on these choices. Why Is Your Enterprise Considering an OTP Hardware Token Replacement? Gartner has clients asking about OTP hardware token replacements for the following reasons: The Current Tokens Need Replacing Every Three to Five Years, at Significant Cost. Some vendors offer tokens with a limited lifetime, or three to five years, while other vendors offer tokens without user-replaceable batteries, so the tokens stop working (unpredictably) when the batteries expire. The Current Tokens Are Too Expensive to Issue to Large Numbers of New Users. This arises particularly when remote access is being extended to a larger part of the workforce, or when high-value systems are being rolled out to external users (business or consumer). The Current Tokens Provide Poor UX. This is a particular concern for enterprises with users who have an elective relationship with the enterprise, and who might take their business elsewhere if they find tokens too much trouble, compared with what competitors are using (see "Good Authentication Choices for External User Access"). Increasingly, Gartner also sees push-back from workforce users accessing corporate systems from smartphones (even when they've tolerated using tokens for access from PCs), partly because of the inconvenience of juggling two handheld devices, and partly because UX expectations are higher on smartphones than on PCs. However, it should be noted that most of the options have no better or worse UX, or they demand a trade-off in assurance level (AL). Proven options with high AL and good UX have yet to emerge. The Current Tokens May Provide Less Assurance Than Originally Thought. This was prompted by a recent attack on RSA, The Security Division of EMC (see "RSA SecurID Compromise Is of Concern, but Likely Not a Fatal Flaw"). Clearly, RSA SecurID is the focus of most clients, but some have expressed concerns about similar attacks compromising other vendors' OTP hardware tokens. Although this is possible, it depends on the details of the vendor's technical implementation. For existing RSA SecurID customers, it is likely much faster and cheaper for an enterprise to distribute replacement RSA SecurID tokens those shipped since the attack was announced are not compromised than it is to migrate to a new solution. We understand that some RSA Publication Date: 21 April 2011/ID Number: G Page 2 of 11

3 SecurID customers already have received replacement tokens, although we don't know under what terms. However, what the attack has highlighted is the need for robust management practices to protect the integrity of the authentication infrastructure (including backups and other mirrors of user identity information and credentials), for good user and administrator behaviors, and, in particular, for active monitoring of user behavior. No authentication method is fail-safe, and good monitoring is essential to avoid fraud and other misuse (see "Where Strong Authentication Fails and What You Can Do About It" and "Discover Data Breaches With Security Monitoring and Fraud Detection Technologies"). What Alternatives to Its Existing OTP Hardware Tokens Can Your Enterprise Consider? An enterprise might consider the options shown in Figure 1, Figure 2, Figure 3 and Figure 4, which are, roughly, in order of increasing difference from the current "baseline" method, which is assumed to be an OTP hardware token with a display, but no PINpad this is the most common type. (With this kind of token, a PIN or password is sent across the Internet along with the generated OTP, exposing the PIN or password to a variety of PC-based and network-based attacks.) In each figure, the "Driver" column indicates which goal is most likely to prompt the consideration of this method: higher AL (or higher accountability), lower TCO or better UX. The "AL," "TCO" and "UX" columns show how each method compares against the baseline method (see the "Which Provides the Bigger Potential Cost Savings: Changing Method or Changing Vendor?" section of this research). Publication Date: 21 April 2011/ID Number: G Page 3 of 11

4 Figure 1. Other OTP Tokens Publication Date: 21 April 2011/ID Number: G Page 4 of 11

5 Figure 2. Phone-Based Authentication Methods Phone-based authentication is now more popular than OTP hardware tokens in new deployments (see "Predicts 2011: Identity and Access Management Continues Its Evolution Toward a Strategic Discipline"). However, when the user is using a smartphone to access enterprise systems, the level of assurance is lower because there is no longer a discrete physical token (thus, it's equivalent to using a PC OTP software token for access from a PC; see Figure 1). Publication Date: 21 April 2011/ID Number: G Page 5 of 11

6 Figure 3. Other Tokens Publication Date: 21 April 2011/ID Number: G Page 6 of 11

7 Figure 4. Biometric Authentication Methods and Knowledge-Based Authentication Methods Note that other biometric technologies such as voice and face topography might be considered and can suit multiple use cases, but are far less proven in the market. The choice needn't be "all or nothing": Several authentication vendors nearly all the major ones offer an infrastructure (an on-premises appliance or server software, or a cloud-based service) that supports multiple authentication methods for different users in different use cases. So, for example, an enterprise might retain OTP hardware tokens for some users (such as those with time-critical, higher-risk access), while migrating to out-of-band (OOB) authentication for Publication Date: 21 April 2011/ID Number: G Page 7 of 11

8 others (such as those with an occasional need for lower-risk access). Talk to your OTP hardware token vendor to see what alternatives it can support in parallel. Which Provides the Bigger Potential Cost Savings: Changing Method or Changing Vendor? The "TCO" column in Figure 1, Figure 2, Figure 3 and Figure 4 is based on average costs across all vendors. So, a downward arrow indicates an alternative method that has typically lower TCO than OTP hardware tokens across all vendors very often with a lower licensing cost; however, similar (or even higher) licensing costs can be offset by lower overheads (see "Gartner Authentication Method Evaluation Scorecards, 2011: Total Cost of Ownership"). Thus, an enterprise can generally achieve cost savings by switching to a "low cost" alternative from the same vendor (if it offers that option, of course), although some vendors may have anomalous pricing. However, given the wide range of prices for different methods from different vendors (see "How Much Is That Token in the Window? What You Should Expect to Pay for New Authentication Methods"), it is possible to make a bigger cost savings by migrating to OTP hardware tokens from another vendor than by migrating to a "lower cost" alternative from the incumbent vendor. The biggest cost savings can be achieved by migrating to a "lower cost" alternative from a "lower cost" vendor, of course but the enterprise must ensure that this still meets its needs (see the next two sections). Other cost savings may be possible by changing the delivery method for example, by moving from on-premises server software to a cloud-based service. What Should You Consider When Choosing Among These Different Options? When choosing a replacement authentication method, it shouldn't be assumed that the existing OTP hardware tokens are the best fit for your enterprise's current needs. Many decisions to use OTP hardware tokens were made when fewer options were available. Furthermore, the situation may have changed along multiple dimensions: the kinds of systems accessed, the threat landscape, and users' wants and needs (especially with regard to their endpoint device preferences not just mobile devices, but also "bring your own PC to work" initiatives). It may be useful to revisit the basis for the original decision, but interactions with Gartner clients and vendors' reference customers suggest that these were not always well-documented, or the documents were not retained. In any case, you should consider your current needs as if you were choosing a new method from scratch. The choice of any authentication method is determined by: The required level of assurance and accountability, determined by the level of risk and the need for nonrepudiation in each use case. TCO, limited by what can be justified by the enterprise's available budget. What can be justified is, in turn, determined by the level of risk. UX, determined by users' wants and needs. External users may be particularly sensitive to poor UX (we know that banks have lost a small percentage of customers because of this), but poor UX can drive behavior that compromises security: Users may, for example, take steps to make the method easier to use for example, by writing a token's PIN on a sticky label on the token. Publication Date: 21 April 2011/ID Number: G Page 8 of 11

9 Other needs or constraints: For example, if there is a need to support digital signature or endpoint encryption, or a desire to adopt a common access card, then a smart card with public-key infrastructure (PKI) credentials might be preferred. This general approach is set out in "How to Choose New Authentication Methods." The following research discusses the strengths and limitations of candidate authentication methods in different sets of use cases: "Good Authentication Choices for Workforce Local Access" "Good Authentication Choices for External User Access" "Good Authentication Choices for Workforce Remote Access" What Influences Your Decision to Move to a Different Authentication Vendor? An enterprise should evaluate the following when considering changing an authentication vendor: Do you have enough time to migrate to the new solution? Many enterprises consider migrating to a new method or vendor within months of the contract renewal date. This may not be enough time to research, select, negotiate contracts for and implement an alternative solution. Implementing smart cards with PKI credentials, for example, can be particularly time consuming, especially if an organization also wishes to integrate building access systems (that is, a common access card approach), and can push out the replacement of OTP hardware tokens by 12 months. The time available should not dictate the enterprise's choice, so enterprises should look at least a year ahead when making such a decision under normal circumstances. Can the new vendor's offering support all the platforms that the incumbent vendor's does? Most OTP hardware tokens are deployed to support workforce remote access and external user access; thus, most vendors' offerings will support these use cases and can be easily integrated with most Secure Sockets Layer and IPsec VPNs, and also with many Web and application servers. However, for some instances of workforce local access such as users' PC and network logins and administrators' server logins where one vendor's OTP hardware tokens are used, it may be harder to find an alternative. (It should be easy to migrate to another method from the same vendor, which typically doesn't involve a change in the authentication infrastructure, of course.) Does the new vendor offer alternative delivery options? To date, most enterprise OTP hardware token deployments are based on on-premises server software, although more recent ones may have already taken advantage of alternative delivery options, such as on-premises hardware appliances or cloud-based managed authentication services. Rack-mounted hardware appliances are popular among some enterprises across a range of security products because they provide a more robust platform, in addition to potential TCO savings. Cloud-based services have been taken up mainly by small and midsize businesses, and, among enterprises, mainly by government and higher education vertical industries. However, as enterprises gain confidence in moving a variety of applications to the cloud, we expect to see increasing interest in this delivery option. In particular, it seems to offer the easiest way to implement new authentication methods for access to applications in the cloud. Publication Date: 21 April 2011/ID Number: G Page 9 of 11

10 What are the "rip and replace" costs? Migration costs are likely higher than the cost of implementing a new authentication method from scratch, because of the overheads of managing the transition and the costs of decommissioning the old infrastructure. Even if the replacement is similar, there may be sufficient differences to prompt many user calls to the help desk. Retraining administrators may be harder than training them in the first place, because of the cost of "unlearning" the old ways of managing the system. These costs might be offset by a reduction in licensing costs, compared with a first-time implementation, because a new vendor may offer a "competitive upgrade." Can existing tokens continue to be used until they expire? Many enterprises will be reluctant to throw away usable tokens. A vendor may be able to support existing tokens on its own infrastructure. This is typically true where existing tokens are compliant with the Initiative for Open Authentication (OATH) specifications. In addition, some vendors can also support proprietary tokens, typically RSA SecurID. Alternatively, a vendor may be able to run in parallel with the incumbent infrastructure for as long as necessary, acting as a proxy to the old authentication server for users who are identified as "old token" users. Additional analysis and review by Mark Diodati. RECOMMENDED READING Some documents may not be available as part of your current Gartner subscription. "How to Choose New Authentication Methods" "Good Authentication Choices for Workforce Local Access" "Good Authentication Choices for External User Access" "Good Authentication Choices for Workforce Remote Access" "Where Strong Authentication Fails and What You Can Do About It" "Q&A: Phone-Based Authentication Methods" "Q&A: Biometric Authentication Methods" "Q&A: Smart Tokens and Common Access Cards" "Gartner Authentication Method Evaluation Scorecards, 2011: Overview" "Gartner Authentication Method Evaluation Scorecards, 2011: Total Cost of Ownership" "How Much Is That Token in the Window? What You Should Expect to Pay for New Authentication Methods" Publication Date: 21 April 2011/ID Number: G Page 10 of 11

11 REGIONAL HEADQUARTERS Corporate Headquarters 56 Top Gallant Road Stamford, CT U.S.A European Headquarters Tamesis The Glanty Egham Surrey, TW20 9AW UNITED KINGDOM Asia/Pacific Headquarters Gartner Australasia Pty. Ltd. Level 9, 141 Walker Street North Sydney New South Wales 2060 AUSTRALIA Japan Headquarters Gartner Japan Ltd. Aobadai Hills, 6F 7-7, Aobadai, 4-chome Meguro-ku, Tokyo JAPAN Latin America Headquarters Gartner do Brazil Av. das Nações Unidas, andar World Trade Center São Paulo SP BRAZIL Publication Date: 21 April 2011/ID Number: G Page 11 of 11