Strong Authentication: Bring-Your-Own-Token Is Number Three With A Bullet
In approaching the research for my recently published TechRadar™ on strong authentication, at first I struggled a bit with overlapping concepts and terminology (as can be seen in the lively discussion that took place over in the Security & Risk community a few months back). The research ultimately revealed that form factor matters a lot — smartcards in actual card form, for example, have some properties and use cases distinct from smart chips in other devices. So smartcards became one of the 14 categories we included.
The category that quickly became my favorite was "bring-your-own-token." BYOT is Forrester's term for the various methods (sometimes called "tokenless") that leverage the devices, applications, and communications channels users already have. The classic example is a one-time password that gets sent in an SMS message to a pre-registered phone, but we see emerging vendors doing a lot of innovation in this space. You can get a surprising amount of risk mitigation value from this lightweight approach, in which you can treat provisioning not as an expensive snail-mail package, but as a mere self-registration exercise. In a world where hard tokens and smartcards prove themselves to be, shall we say, imperfectly invulnerable, lightweightness can have a value all its own. In fact, BYOT showed up just behind these two venerable methods in the "significant success" trajectory on the TechRadar.
Here's my suspicion: BYOD has now led to BYOT. Soon enough we'll be able to combine BYOT with strong biometric bindings between users and their devices, which will help fix vulnerabilities of the type seen in the recent DoD smartcard breach while keeping biometrics "local" (and likely more privacy-protected). In that new era, true user-controllable BYOI — bring-your-own-identity — will become a more viable option in all kinds of settings, including the enterprise.
Got thoughts on strong authentication? (One thing I learned on this project: Everyone does!) I hope you'll share them in the comments below.