NW_20010328_en_ZDNetAsia, 3-28-01_ “Tokens_ An additional level of secure access”

Identification and authentication are two magic words when it comes to security. Letting an authorized user in, while keeping unauthorized people out, sounds easier than it is. If I were to meet you on the street, I'd be able to see you, do business with you, and if we had done business before, most likely I would recognize you - by face, voice, or some kind of physical mannerism or body language.

Today's e-business is being transacted over wired and wireless mediums, where faces blur into bytes, and more often than not, identification is a password entered into a text field.

One of the first, and more important steps that one encounters upon using a remote secure system, is the identification and authentication process: Who are you, and can you prove it?

Identification/authentication does two things (and it better do them well): It allows the right user in; and it keeps everyone else out. Or at least that's the idea. Doing either one of the two is easy - either let everyone in, or keep everyone out. Doing both well is harder.

Traditionally, identification has boiled down to one of three things: something you know, something you are, or something you have. Technologically speaking, these translate to:
· Passwords
· Biometrics
· Tokens

Passwords are commonly known and used in most day-to-day issues. Biometrics refer to the use of an individual's bio-data to authenticate. Fingerprints, retina scans, and voice-print recognition are some of the more common methods employed as checks in identity.

Both passwords and biometrics have shortcomings that are fast becoming apparent. Having a password means having to remember it, and usually they're compromised because they are hard to remember and as a result, written down. Biometrics get more expensive as they get more accurate, though they are fast becoming more popular.

Access tokens fall under the third authentication method and authenticate based on what is in your possession. Tokens can be used to provide a return code to access a system that issues a challenge code. Tokens in themselves are not infallible, but provide an extra layer of security. A security token falling into the hands of someone else would still function as it was programmed to. The best employment of authentication would be to use a combination of two or more of the three checks.

One example would be VASCO's Digipass security token. The company recently tied up with OCBC Bank in Singapore to work their authentication and digital signature solutions into the existing e-transactions system of the bank.

The Digipass resembles a small pocket calculator that calculates dynamic passwords, also called one-time passwords (OTP). Upon the entering of a personal identification number (PIN) for the Digipass, the token can calculate an OTP for use on the remote system that is being accessed.

The calculations are based on the the Data Encryption Standard (DES) algorithmn, which applies a randomly chosen 56-bit key to every 64-bit block of data. This means that the users must not only know their account details and PIN number, but also be in possession of the Digipass, since both sender and receiver systems must know the encryption key in order to authenticate.

Using the digipass, it is also possible to calculate digital signatures, also known as electronic signatures, to authenticate electronic transactions and guarantee the integrity of the message by ensuring that it hasn't been tampered with. This type of security may seem excessive to some, but is really the combination of a few measures being implemented into a system that lets the users carry a lightweight device allowing for secure authentication and identification.

The cryptographic calculations are handled by the device, leaving the user with minimal fuss and providing adequate security for large electronic transactions. One pays the small price of carrying around a device the size of a pocket calculator, in order to be able to perform secure electronic transactions.

Even if the Digipass unit falls into someone else's hands, a PIN number is still required to access and activate it. If a user should leave the authenticating password written down, or left in the cache of a terminal after a transaction, it would be of no use to anyone else, since it's only valid once.

From the enterprise's point of view, the Digipass implements security at what traditionally has been the weakest link - the customer. The customer really just wants to be able to do business securely, and really doesn't care about cryptography, or any other back-end system.

A portable security token like the Digipass adds another layer of security that is not only scalable for the enterprise or bank, but convenient for their customer.

VASCO recently released a new model (Digipass 800) to the Digipass family, allowing the use of smart cards in conjunction with the token, to provide even more functionality with e-banking or secure e-commerce transactions.