Two-factor authentication methods are based on a variety of technologies, most prominently one-time passwords (OTPs) and public key infrastructure (PKI). What is the difference, and which should you use for your organization?
One-time passwords (OTPs) are a form of ‘symmetric’ authentication: the same one-time password is generated in two places, on the authentication server and on the hardware or software token in the user’s possession. If the OTP generated by your token matches the OTP generated by the authentication server, authentication succeeds and you are granted access.
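To make the ‘symmetric’ idea concrete, here is an added example (not code from the original page or from any vendor product) of what the token and the server each compute. It implements HOTP (RFC 4226, event-based) and TOTP (RFC 6238, time-based) over a shared secret; the secret shown is the RFC 4226 test-vector key, and the user-facing names and the look-ahead window of 3 are illustrative choices, not values from the page. The server-side check also shows the two details the one-sentence description leaves out: a look-ahead window so a token that was pressed without a login still works, and advancing the counter after a match so the same OTP cannot be replayed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

// hotp computes an RFC 4226 HMAC-based one-time password: HMAC-SHA1 over the
// 8-byte big-endian counter, dynamically truncated to `digits` decimal digits.
// Both sides of the protocol run exactly this function over the same shared secret.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f
	code := uint32(h[offset]&0x7f)<<24 |
		uint32(h[offset+1])<<16 |
		uint32(h[offset+2])<<8 |
		uint32(h[offset+3])
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// totp is RFC 6238: HOTP with the counter derived from wall-clock time, so the
// token and the server agree on the counter without ever exchanging it.
func totp(secret []byte, t time.Time, step time.Duration, digits int) string {
	return hotp(secret, uint64(t.Unix())/uint64(step.Seconds()), digits)
}

// verifyHOTP is the server side of event-based OTP. The server keeps its own copy
// of the counter and accepts a code that matches any of the next `window` counter
// values (the token may have been pressed without a login). On success it moves
// past the matched counter so the same OTP can never be accepted twice.
// It returns the new server counter and whether authentication succeeded.
func verifyHOTP(secret []byte, serverCounter uint64, window int, code string) (uint64, bool) {
	for i := 0; i < window; i++ {
		c := serverCounter + uint64(i)
		// hmac.Equal gives a constant-time comparison of the two codes.
		if hmac.Equal([]byte(hotp(secret, c, len(code))), []byte(code)) {
			return c + 1, true
		}
	}
	return serverCounter, false
}

func main() {
	// Constructed shared secret: the RFC 4226 test-vector key.
	secret := []byte("12345678901234567890")
	tokenCounter, serverCounter := uint64(0), uint64(0)

	// The token generates a code; the server verifies it with a look-ahead window of 3.
	code := hotp(secret, tokenCounter, 6)
	tokenCounter++
	var ok bool
	serverCounter, ok = verifyHOTP(secret, serverCounter, 3, code)
	fmt.Printf("code %s accepted=%v, server counter now %d\n", code, ok, serverCounter)

	// Replaying the same code fails: the server has already moved past counter 0.
	_, ok = verifyHOTP(secret, serverCounter, 3, code)
	fmt.Printf("replay accepted=%v\n", ok)

	// Time-based variant: both sides compute the same code within the same 30 s step.
	now := time.Now()
	fmt.Printf("TOTP token=%s server=%s\n",
		totp(secret, now, 30*time.Second, 6), totp(secret, now, 30*time.Second, 6))
}
```

Note that nothing about the secret is transmitted at login time; only the short code crosses the network, which is why the secret must be provisioned to both sides in advance and protected on both of them.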
PKI authentication is a form of ‘asymmetric’ authentication because it relies on a pair of different keys: a private key and a public key. Hardware PKI certificate-based tokens, such as smart cards and USB tokens, are designed to store your private key securely. When you authenticate to your enterprise network server, for example, the server issues a numeric ‘challenge,’ which is signed with your private key. If the signed challenge verifies against your public key (which is known to the network server), authentication succeeds and you are granted access to the network. (This is an oversimplification; for more detail, watch The Science of Secrecy videos by Simon Singh.)
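The challenge-response exchange above, written out as an added example (not code from the original page or from any particular token or server product). It uses Ed25519 signatures from the Go standard library as the asymmetric primitive; the user name, the 32-byte challenge size and the `token`/`server` types are illustrative assumptions. The point to notice is the division of knowledge: the token holds the private key and only ever signs, the server holds the public key and only ever verifies, and the server discards each challenge after one use so a captured response is worthless for the next login.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// token models a hardware PKI token: the private key is generated inside it and
// never leaves; the only operation it offers is signing a challenge.
type token struct {
	priv ed25519.PrivateKey
}

// newToken generates the key pair on the token and hands back only the public key
// for enrollment at the server.
func newToken() (*token, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &token{priv: priv}, pub, nil
}

func (t *token) sign(challenge []byte) []byte {
	return ed25519.Sign(t.priv, challenge)
}

// server holds the enrolled public keys and the challenges it has issued but not
// yet consumed; it never sees a private key.
type server struct {
	enrolled map[string]ed25519.PublicKey
	pending  map[string][]byte // user -> outstanding challenge
}

func newServer() *server {
	return &server{
		enrolled: make(map[string]ed25519.PublicKey),
		pending:  make(map[string][]byte),
	}
}

func (s *server) enroll(user string, pub ed25519.PublicKey) {
	s.enrolled[user] = pub
}

// issueChallenge creates a fresh random nonce for one login attempt. Freshness is
// what makes a captured response useless later: the next login gets a new challenge.
func (s *server) issueChallenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[user] = c
	return c, nil
}

// verify checks the signature over the outstanding challenge with the enrolled
// public key. The challenge is consumed whether or not verification succeeds, so a
// response can be tried exactly once.
func (s *server) verify(user string, sig []byte) bool {
	pub, enrolled := s.enrolled[user]
	challenge, outstanding := s.pending[user]
	delete(s.pending, user)
	if !enrolled || !outstanding {
		return false
	}
	return ed25519.Verify(pub, challenge, sig)
}

func main() {
	tok, pub, err := newToken()
	if err != nil {
		panic(err)
	}
	srv := newServer()
	srv.enroll("alice", pub) // constructed user name

	challenge, _ := srv.issueChallenge("alice")
	fmt.Println("challenge:", hex.EncodeToString(challenge))
	sig := tok.sign(challenge)
	fmt.Println("login accepted:", srv.verify("alice", sig))
	fmt.Println("same response replayed:", srv.verify("alice", sig))
}
```

In a real deployment the public key would be carried in an X.509 certificate issued by the organization's CA, and the server would validate the certificate chain and revocation status before trusting the key; that step is omitted here to keep the exchange itself visible.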
When it comes to authentication, one size does not fit all. Below are several considerations to keep in mind when choosing the method or methods best suited for your organization:
While OTP authentication, for example with OTP apps, may provide sufficient protection for most enterprise use cases, verticals that require higher levels of assurance, such as e-government and e-health, may be mandated to use PKI security by law.
In PKI authentication, the private key is non-transferable when stored in a hardware token. Given its asymmetric nature, PKI is used in many parts of the world for higher-assurance use cases. However, the security of OTP is also being increasingly recognized by many sectors, for example healthcare in the US, where it satisfies the DEA’s EPCS requirements when a FIPS-compliant OTP app is used.
Depending on regulations relevant to your industry, the hardware or software token you deploy may need to comply with FIPS 140-2 in North America or Common Criteria in other regions of the world.
Where a combination of physical and logical access is required, hardware tokens that support RFID-based physical access control may be preferred. To learn more, visit our Physical and Logical Access Control solutions page.
Regardless of the two-factor authentication technology being used, security can be raised further by assessing additional contextual attributes of a login attempt, such as device and behavior-based variables. To learn more, visit our Context-based Authentication page.
Different authentication technologies are effective in countering different threats. For a survey of authentication methods and the threats they counter, download the Survey of Authentication Technologies white paper.