Token-Based Authentication Can Provide Protection and Convenience
As part of the Cyber Command’s authentication process, team members use physical tokens to access the systems they work with. The tokens are compliant with FIDO authentication protocols, standards developed by the nonprofit FIDO Alliance industry association, which offer some of the strongest multifactor authentication possible, Ahern says.
When employees needed to begin working from home in March 2020 due to the COVID-19 pandemic, the agency’s tokens helped make the transition fairly easy.
“We already had laptops distributed to our user population,” Ahern says. “We already had security keys. People picked up their laptops, had their keys in their pockets, went home and continued to work — with no configuration changes, no change to the presentation of the applications they were using in their daily lives.”
What Are Security Tokens Used For?
Security tokens can help validate a user’s identity, potentially in tandem with a password-based form of identity confirmation.
Physical tokens may need to be inserted into a device for authentication to occur; some versions will exchange identity-related information with nearby devices, such as a computer, via a wireless connection.
Other tokens work completely digitally, generating a code, for example, that can be sent to the user’s cellphone and entered manually into a computer or automatically pushed to the machine to grant the user access.
Digital security tokens may transmit authentication-related information using a wireless or cellular connection. Some — such as Duo’s multifactor authentication solution, which the city and county of Denver began using about a year and half ago, according to Chief Data Officer Paul Kresser—also offer an offline mode that allows the solution to operate in the absence of Wi-Fi or cellular connectivity.
Physical security tokens generally are plugged into the USB port in a computer or other device, or communicate with devices through near-field communication, according to Ahern.
“NFC is how Apple Pay works,” he says. “It’s using this kind of very low energy, which means you have to be very close to intercept it.”
Hardware vs. Software Security Tokens: What's the Difference?
Physical tokens, Ahern says, often provide a robust level of security against cyberthreats such as phishing attacks — more so than just a password, because a hacker would need to possess the device or find a way around the hardware protections present on a FIDO-compliant model.
“A key typically has a gold disk, or something you touch,” he says. “The authentication cannot complete unless you’re physically touching something. Because of the two pieces of technology, the test of presence and Trusted Platform Module — a specialized computer chip made to only, and very securely, do cryptographic things — if you’re using a FIDO key, you can prove that it’s you.”
Depending on the specifics of their role, some employees may be better suited for a hardware token.
“Not everyone has a city-issued phone,” Ahern says. “A token is something the city can provide when a person doesn’t have a phone.”
Physical token use may pose some challenges: The rollout can be time intensive, tokens can potentially cost more to set up than digital tokens, and there’s always a chance users might lose or damage them.
However, Ahern has found people don’t tend to misplace them or need a replacement more often than they would for door keys or ID cards. And if a token is lost or no longer usable, issuing a new one is fairly simple: The previous token is disassociated with the user in the agency’s identity and access management solution, a new key is provisioned and distributed, and the service desk can confirm the person’s identity remotely.
“For example, you open a video chat and say, ‘I lost my key,’” Ahern says. “We’d say, ‘OK, we’re going to give you a one-time code, a number that you can use as part of this authentication process, but it’s only going to work for 36 hours until we FedEx you your key, or you come into the office tomorrow and we give you a new one.’”
How Do State and Local Agencies Use Security Tokens?
Denver employees had been using physical tokens prior to adopting Duo’s digital system roughly a year and a half ago, Kresser says.
Hardware versions are still used by a few. For example, an employee might plug a USB-based token into a laptop when in court or the city attorney’s office, where phones aren’t allowed. Most of Denver’s 15,000-plus employees, though, use the solution to receive a push request, call or text to authenticate their identity through channels such as a registered mobile device.
“When I start work in the morning, the first thing I do when using my laptop at home is get an authentication request when I log in to our enterprise resource planning system,” Kresser says. “With any of our federated apps, I have to authenticate again; it could be multiple times a day where I’m asked to authenticate.”
If, for instance, Kresser’s credentials were compromised when a bad actor tried to use them to access the system, because Kresser’s contact information is registered in it, he — not the hacker — would receive the push notification from Duo, alerting him that something was amiss.
“In that instant, as I’ve been properly trained, I deny the request, and I report that my account’s likely been compromised,” he says. “It’s that added layer of protection. Even if our credentials are compromised, we still have multifactor authentication in place. We still have that physical device — my phone — that you have to get through to actually access any of our data.”
The digital token’s implementation and oversight, Kresser says, has been fairly easy to manage.
“From an administrative perspective, we can deploy this enterprisewide,” he says. “You don’t have all the overhead of managing all these physical devices that can get lost or broken — people needing to come into the office to swap or replace them, keeping the inventory — the digital tokens offer much more flexibility in that respect.”
A Continuous, Layered Approach to Risk Management
In response to the escalating amount of cybersecurity risk, a number of state and local government agencies have moved away from relying primarily on users identifying themselves when they initially try to enter a system to a more continuous, layered approach.
The increased amount of technology that’s being used to deliver services, coupled with threat actors’ accelerated pace, likely means cyberthreats aren’t going away anytime soon, according to Ahern, who suggests security tokens could potentially be one of the tools state and local governments use to address areas of risk, beginning with items that would present a substantial challenge if compromised.
“You don’t have to start out boiling the ocean,” he says. “You can say, we have these sets of servers, which support this critical application, and a small set of users that administer the application. So, we can start by utilizing keys for this use case, and you can use that to figure out the support framework and engage stakeholders, articulating that resilience and reliability are fundamental aspects of city services. Having that discussion in an open and frank manner will be the driver of change.”