Would you like your tokens hard or soft?
The physical RSA token has been increasingly replaced by the software token over the last few years. Hardware tokens as key rings or software tokens as apps on your smartphone? What are the pros and cons for the user?
If our customers want to access their systems, they must have remote access with two-factor authentication (2FA). For this purpose, aspectra has been successfully using the same product, the RSA SecurID, for 18 years . An RSA SecurID token generates a 6-digit code every 60 seconds. The combination of user name and a 4-digit PIN guarantees the 2FA.
For the last few years, we have also been offering software tokens through a smartphone app as an alternative to the hardware token. In contrast to the conventional token, a software token requires an activation code instead of hardware. This QR code has a limited validity of 7 days and is dependant on the OS. So setting up is not necessarily easier for us or our customers, but is at least faster. A new activation code must then be requested each time a smartphone is changed. In the meantime, self-activation measures are underway to simplify this process.
The advantages of soft tokens are apparent:
- The smartphone is always at hand. We save ourselves having to lug around an additional object which might get lost in the process
- The depot for the hardware token is eliminated with the soft token.
- Access to the app is additionally protected by the smartphone with PIN, fingerprint or face recognition.
The downside:
It is precisely because the smartphone is always around that the risk of failure (defective, lost, stolen) increases. The dependency on the smartphone is therefore even greater. Owners of a private smartphone must also consider whether an app that is used for business purposes is in the right place. In addition, in order to access the token code, the smartphone must first be unlocked and the soft token app opened while the hardware token is permanently available.
The hardware token could theoretically be used by several people. This is not, however, in the interests of safety. Each co-user would have to remember the PIN or it would have to be stored somewhere. The traceability of who authenticated themselves when and where would therefore no longer be guaranteed. Therefore, an RSA account at aspectra is always personal.