We know that users are reluctant to carry yet another piece of hardware with them. But we also know that this is the only way to actually protect system access from attacks with a second factor.
CosmoKey is small, easy to handle, comfortable to use, and has a durable white plastic cover. But it must be carried by the user. At a time when the technological motto is "less is more", this is not an insignificant aspect. Is a token still up to date? And why resort to a token when there are variants of authentication without one?
Because everything else is not secure. Authentication via smartphone or tablet seems practical at first sight, but it is by no means convincing when it comes to security. Authentication via smartphone brings only a small security advantage. The usually inadequate security precautions on smartphones, together with their interface to the Internet, offer attackers ideal conditions. If the smartphone or the PC is infected with malware, the data exchange can be intercepted, and the codes that are supposed to provide security are useless.
The biggest weak point of authentication without a token lies in the separation of the two authentication paths. If, for example, a One Time Password (OTP) or a USB stick is used, a connection is made between the device on which the login takes place and the device used as the additional factor. In the first case, the OTP is entered in the same place where the login takes place. With a USB stick, there is a direct connection to the user's terminal through the interface. Precisely this connection is the biggest weak point and the point of attack for hackers.
In addition, the enforcement of uniform security standards makes the use of private hardware for professional purposes (BYOD, bring your own device) more difficult. Weak points on mobile devices frequently remain open, and thus become a weak point for IT security. At the same time, their wide distribution, their ever broader range of uses and the quantity of data found on them make mobile devices an increasingly attractive target for attackers.
Authentication apps have the advantage that the security codes are not transferred via the Internet. However, all the other security weak points described above remain: if the smartphone is infected, the security codes can also be affected.
USB sticks also have insecure aspects. For example, if the computer's USB port is not locked down, anyone can carry data out of the company through this interface. And a foreign USB stick can cause much mischief in operating systems. In addition, different devices have different interfaces, for which suitable adapter cables are needed.
With all the authentication methods described, there is no physical separation of the authentication channels. Whether with One Time Passwords (OTP), authentication apps or USB sticks, the second factor is directly connected to the device on which the login also takes place. This connection practically abandons the principle of classical two-factor authentication.