Authentication
like cellphones. We aren't intimidated by an item we use in our everyday lives.”
Is SMS superior?
In answering the question directly on whether SMS-based authentication is superior to security tokens, Philip Lieberman, president of Lieberman Software and chief blogger at IdentityWeek, said, “It’s really a toss-up with no right answer. SMS-based authentication is technically inferior to hard tokens in that the transmission could theoretically be intercepted and used by an intruder. In practice, the SMS method is superior since the organisation does not have to worry about token distribution or lost tokens and this is a less expensive and generally a more easily deployed methodology. Most of the cost and complexity of hard tokens revolves around configuration and distribution.” One could easily argue that the safest bet resides in looking at how the application itself is used, and in comparing the
practicality and ease of use of the two solutions. Not only that, but given the case of employee hacking at RSA, the security privileges granted each user should match the level of defense used to protect that user. High profile targets may require additional security mechanisms or even a “new defense doctrine.”

“Neither approach is necessarily superior or inferior,” said Andrew Young, VP of Authentication at RSA rival SafeNet. “When you consider your options for authentication methods and form factors, you need to address three key areas: risk, cost, and user experience. SMS-based authentication is one option for strong authentication and, depending on what the activity (use case) is, the level of risk associated with that activity, the cost to deploy, and the experience required by the user… it's one of many choices.

“Rather than choosing one method over the other, it's all about selecting the right solution for the specific information you want to protect. It could be that you want a combination of both, where in some cases you use SMS, and in others, it's tokens. For example, you may use SMS for most employees, but use tokens for your IT administrators who have direct access to your sensitive information. The bottom line is, organisations should make sure they maintain that freedom of choice when planning their authentication approach.”

—Victor Cruz is a consultant and writer living in Boston whose articles have appeared in CommPro.biz, CSO Magazine, Harvard Review, Medical Design Technology, and WebSecurity Journal.

—This article has been reprinted with permission from CIO Update. To see more articles regarding IT management best practices, please visit www.cioupdate.com.