Are you or your organization re-evaluating its use of SecurID tokens following the RSA breach? After the March attack on RSA, where hackers stole information later used in an attack on U.S. defense contractor Lockheed Marin, RSA was forced to offer replacement SecurID keys to all its tens of millions of customers. The recent data breach at RSA security is encouraging IT professionals to re-evaluate alternative authentication methods and to reconsider the safety of token based authentication.

Dedicated tokens, like the ones produced by RSA, provide a onetime password typically every 60 seconds and have been the traditional approach to two factor authentication for many years. More recently, tokenless solutions have been the talk of two facto authentication mainly for their ability to deliver one time passwords on demand to a standard mobile phone or smart phone. Most people carry one of these devices with them all the time.

A tokenless solution eliminates the need to carry a separate piece of hardware, such as a keyfob, and reduces the costs and time associated with provisioning new and replacement tokens. Tokens remain the most used solution for frequent users who rely on getting secure remote access to systems and information from any computer at any time.

Two factor authentication has become an IT security necessity for many reasons. Threats are increasing in frequency and sophistication. Industry regulators like PCI DSS, FFIEC, HIPAA and Sarbanes-Oxley require it. Your employees, customers and shareholders expect you to protect the sensitive data you are storing and transmitting on their behalf.

Security tokens and many other forms of two factor authentication have proven to be inconvenient for your users, troublesome for your IT department, and expensive to implement and support. Phone based authentication provides strong two factor security with the easy and convenience your users and your IT department demand at a fraction of the cost.

Tokens and other similar devices don’t protect against emerging threats, such as man-in-the-middle-attacks. Out of band authentication, which utilizes a separate channel for the second factor of the authentication, is widely recognized as a best practice for two factor authentication. Any device, such as a security token, keyfob, usb token and soft token, which requires an OTP to be keyed into the original login interface, don’t meet the criteria for out of band authentication and are vulnerable to attack.

Token based systems require training and requires users to change their behavior. Sometimes users have a difficult time remembering which order the PIN and token digits are entered. Some systems require administrators to modify applications before they will work.

Since some security tokens must be mailed, provisioned, inventoried and replaced, they require IT resources to deploy and support. An IT department can become a material part of the total cost of ownership for a token solution because of lost security tokens, expiring tokens that must be re-provisioned every 2-5 years and tokens can get out of sync, meaning the one time password that is generated is not the same one the login application is expecting.

Tokenless two factor authentication doesn’t require security tokens or other devices to deploy or manage and no software or certificates for end users to install so it requires very little effort to implement and virtually no ongoing support.

Tokenless two factor authentication is much more cost effective to implement because there are no needs for a huge IT department, security tokens or other devices and require minimal training to use. Most tokenless two factor authentication solutions have a low annual fee per user or per authorization, no hardware to purchase or install, no security tokens or devices to manage and users replace their own lost or damaged phones.