How Does Token-Based Authentication Work?

As a managed services provider (MSP), cybersecurity is never far from your mind. Recent research estimates the damages from cybercrime will reach a startling $6 trillion per year by 2021, up from $3 trillion in 2015. To keep these costs at a minimum for your customers, it’s your responsibility to not only understand best practices for user and network security, but also to communicate them to relevant end users. After all, your customers rely on your team to guide them through the ever-evolving IT landscape.

While a plethora of network authentication methods currently exist to help aid in the execution of a robust security strategy, token-based authentication is a favorite among many MSPs. By pairing this tried and true process with other comprehensive security measures, MSPs help keep their customers safe from security breaches that put their bottom line—and their reputation—in jeopardy.

What is token-based authentication?

Token-based authentication is just one of many web authentication methods used to create a more secure verification process. Other web authentication methods include biometric authentication and password authentication. While each authentication method is unique, all methods fall under one of the following three categories: knowledge (something you know), inheritance (something you are), and possession (something you own).

Password authentication falls within the knowledge category because users rely on a word or phrase they’ve previously created to verify their identity. Biometric authentication is an example of “something you are” due to its use of biological traits, like fingerprints. And last, but certainly not least, token-based authentication belongs in the possession category.

Token authentication requires users to obtain a computer-generated code (or token) before they’re granted network entry. Token authentication is typically used in conjunction with password authentication for an added layer of security. This is what we refer to as two-factor authentication (2FA). That means even if an attacker successfully implements a brute force attack to take out any password in place, they’ll have to also bypass the token authentication layer. Without access to the token, gaining access to the network becomes increasingly difficult. This additional layer discourages attackers and can save networks from potentially disastrous breaches.

How do tokens work?

In many cases, tokens are created via dongles or key fobs that generate a new authentication token every 60 seconds in accordance with a known algorithm. Due to the power these hardware devices hold, users are required to keep them safe at all times to ensure they don’t fall into the wrong hands. As such, team members must relinquish their dongle or fob when their employment ends.

The most common token systems contain a header, payload, and signature. The header consists of the payload type as well as the signing algorithm being used. The payload contains the claims, which are simply any statements pertaining to the user. The signature is exactly what it sounds like—the signature used to prove that the message hasn’t been jeopardized in transit. These three elements work together to create a highly efficient and secure authentication system.

While these traditional token authentication systems are still in effect today, the rise of smartphones has made token-based authentication easier than ever. Smartphones can now be augmented to serve as code generators, providing end users with the security passcodes necessary to gain access to their network at any given time. As part of the login process, users receive a cryptographically secure one-time passcode that is time-limited to 30 or 60 seconds, depending on the settings at the server end. These soft tokens are generated either by an authenticator app on the device or sent on demand via SMS.

The advent of smartphone token-based authentication means that most staff already have the hardware to generate the codes. As a result, implementation costs and staff training are kept to a minimum, making this form of token-based authentication a tempting option for many companies.

Is token-based authentication secure?

As cybercriminals advance, so must the protection practices and policies that MSPs put into place. Due to the rising use of brute force attacks, dictionary attacks, and phishing tactics to snatch user credentials, it’s becoming glaringly obvious that password authentication is no longer enough to keep attackers at bay.

Token-based authentication, when used in tandem with other authentication practices, creates a 2FA barrier designed to stop even the most advanced hacker in his or her tracks. Because tokens can only be gleaned from the device that produces them—whether that be a key fob or smartphone—token authorization systems are considered highly secure and effective.

But despite the many advantages associated with an authentication token platform, there is always a slim chance of risk that remains. While smartphone-based tokens are incredibly convenient to utilize, smartphones also introduce potential vulnerabilities. Tokens sent as texts are riskier because they can be intercepted during transit. As with other hardware devices, smartphones can also be lost or stolen and wind up in the grasp of those with dangerous intentions.

Token-based authentication best practices

Implementing a robust authentication strategy is critical when it comes to helping your customers protect their networks from a security breach. But for your strategy to truly be effective requires strict adherence to all relevant best practices. Here are a few key factors to keep in mind when deploying a token-based authentication strategy:

• Put the right token into play: While there are a number of web tokens in existence, none quite match the popularity and reliability of the JSON Web Token (JWT). JWT is considered an open standard (RFC 7519) for transmitting sensitive information between multiple parties. The information exchanged is digitally signed using an algorithm or public/private key pairing to ensure optimal security.
• Keep it private: A token should be treated the same way user credentials are. Educate customers on the importance of keeping their token codes private—i.e. treating them the same way they would the code to a vault full of their most valuable possessions. This mindset is particularly relevant when it comes to the signing key.
• Leverage HTTPS connections: HTTPS connections have been constructed with security protocols top of mind, leveraging encryption and security certifications designed to protect sensitive data. It’s important to use HTTPS connection vs HTTP or any other form of connection when sending tokens, as these alternative systems face higher chances of interception from an attacker.

Reaping the benefits of authentication tokens

Historically, one layer of authentication was the gold standard. But in today’s cybersecurity climate—in which hackers are more cunning than ever before—one authentication is the bare minimum. Knowledge-based authentication practices work best when implemented alongside possession-based ones to form robust 2FA systems.

This is where token authentication comes into effect. Token systems that rely on hardware to deploy computer-generated codes are a critical component of any comprehensive security strategy. These systems put 2FA to work to stop attackers before they gain access to—and wreak havoc on—the network.

On top of proactively securing customer networks, however, it’s critical that MSPs also help customers react to data breaches. In the event that a bad actor does successfully manage to gain access to a network, having data stored safely on the cloud can prevent your customers from having to fall victim to data loss or the threat of hefty ransoms.

 

To find out more about how you can protect your customers, check out Security Resouce Center