Salt Group principal Ross Oakley has told AusCERT delegates that the 20-year life cycle of token-based authentication is drawing to a close. “They managed the risks of the day,” he said, but “business flexibility, a much more hostile risk landscape, and demanding end users” are driving the change.
Usability – both for the retail and business user – is the killer, he said. There are too many steps in the process of using a token, the user interfaces too constrained, and there’s too many opportunities for errors.
“I have to put 24 keystrokes into a token to get a code,” he said. “They cannot survive, because they’re almost unusable.”
Discussing Salt’s mSign product – a mobile-based authentication solution – he said the modern smartphone now offers a platform much more suitable for transaction authentication.
The richer interfaces available to the smartphone user also mean that what’s captured when a transaction is authenticated, means more transaction detail can be captured –something that reduces the bank’s risk in the transaction.
Mobile platforms are also able to offer more sophisticated app capabilities, Oakley said. For example, unlike the static configuration of tokens, apps can be configured for more flexibly.
Salt Group also believes it has overcome mobile platform threats, with the app registered to a specific device to mitigate against attacks based on compromised mobile browsers.