BlackBerry Blog

For Corporate VPNs, Out with the Hardware Token – In with the Smartphone!

04.23.15 / Eric Lai

(This is a guest post by Scott Ashdown, senior product manager for Enterprise Identity at BlackBerry.)

A reader recently posted an in-depth comment on our blog post ‘5 Reasons to Ditch the VPN Fob.’ The commenter claims that the VPN Authentication solution we recently launched as an alternative to clunky, legacy hardware tokens is “not very secure” and has “several issues,” which he then goes on to list.

Naturally, I take issue with some of these claims. Here’s why.

There are certainly other solutions in the market that allow organizations to use smartphones as authentication tokens. However, most such solutions still rely on One Time Password (OTP) technology. OTP solutions carry large operational expenses, typically running well beyond the purchase cost of the solution itself, in addition to offering a very weak user experience.

Some newer solutions, such as Yahoo’s on-demand passwords, offer an improved user experience, but rely on technologies such as SMS (text messaging) that are inherently insecure. Others offer PKI-based authentication, but cannot match the operational savings that VPN Authentication by BlackBerry offers, where provisioning happens automatically via the BES.

While the comments regarding Layer Two Tunneling Protocol (L2TP) are generally correct, they don’t apply to BlackBerry’s VPN Authentication, which is focused on authentication only. No BlackBerry component acts as a gateway of any kind in the solution; the standard client from the VPN vendor is used, just as with a legacy OTP solution. There are no incremental costs here.

Regarding the security of mobile phones, BlackBerry obviously focuses on making this a reality, whether for our own phones or for iOS, Android, or Windows Phone devices. While no security is perfect, well-informed enterprise customers are increasingly trusting phones and tablets as endpoints for apps and data, just as they have long trusted legacy OTP authentication tokens. A modern phone-based token that is more convenient, less expensive, and less problematic is thus an obvious benefit.

Finally, BlackBerry would recommend against PC-resident authentication solutions for a number of reasons, but the most fundamental is the loss of a true second factor: the endpoint being authenticated is now also acting as the authentication factor, so compromise of that one machine yields both factors. Most enterprise security groups agree that this scenario is at best “one-and-a-half factor,” and thus offers reduced security advantages.

Infoworld’s Galen Gruman recently lamented, on behalf of all the users trying to log into their corporate network, that they are still forced to fumble with a physical token and “read its code in dim lights.”

“What a pain,” he wrote, “why can’t your phone be that second factor?” VPN Authentication’s use of the ubiquitous smartphone to replace the hardware fob, continued Gruman, “makes a lot of sense to me.”

We at BlackBerry agree.
