Root Causes 82: The Death of the Hard Token

Episode Transcript

Lightly edited for flow and brevity.

• 

  Tim Callan

  So, today, we are going to talk about tokens.

• 

  Jason Soroko

  Yeah, good old-fashioned hard tokens meant to do authentication.

• 

  Tim Callan

  Old-fashioned is right. Hard tokens go back- gee, how far? More than 20 years?

• 

  Jason Soroko

  Yeah, often known as RSA tokens because that's where they were usually sourced from for many years. Geez, I actually cannot recall. That's how far back it goes.

• 

  Tim Callan

  Yeah. They go back way, way, way far back. And at the time it was super cutting-edge technology, right? It let you, you know, it was PKI in a real- world use case but things have evolved a lot since then.

• 

  Jason Soroko

  Oh, have they ever. Absolutely. The second factor authentication is really what we're talking about here and it was one form factor of it for a very long time and it still exists. The idea being that you would set up your application that you're logging into, enter a username and password, you would then be challenged for a one-time passcode and that passcode would be synchronized with your hard token, you would read it off, you type it into your computer and then you would complete your authentication.

• 

  Tim Callan

  Yeah, and for our more modern listeners, this might sound a lot like the SMS-based two-factor authentication that we do so often. But of course, that passcode is being generated by this little piece of hardware that I own, that I hold in my hand, that's completely self-contained locally.

• 

  Jason Soroko

  Exactly right. There's a lot of forums now of what we call soft tokens, which are typically based off of your smartphone. There's a lot of popular apps out there. Google Authenticator. I know Microsoft has one as well and it works on a very similar principle where a seed file is actually provided to your either your soft token and a seed also is present within the hard token and it's essentially the seed that combined with an interesting little bit of cleverness is able to synchronize the authentication mechanism with the token itself so that only the token and the authentication mechanism know what that one-time passcode would be at any given moment.

• 

  Tim Callan

  Yeah, so these have been around for a long time. I mean, it's fundamentally like, that's a fundamentally secure paradigm, right? I mean when you when you talk it through and certainly, I've been familiar with tokens for a long time, it feels like that works, right? Like I get a number that is not really guessable and is unique to whoever holds the token.

• 

  Jason Soroko

  Yeah, in theory.

• 

  Tim Callan

  Yeah. So, but - - so but there's trouble with tokens. So, what's the trouble?

• 

  Jason Soroko

  I think one of the most troublesome parts of the tokens is the form factor. So, the most troublesome thing about the hard token specifically, is the fact that typically the hard token is tied to a single application.

• 

  Tim Callan

  Right.

• 

  Jason Soroko

  And that might have been fine back in the day when they were first utilized where you might only have one very critical application that was using this. Now we have instances where there's, you know, half dozen to a dozen or more and that's gonna make for a big chunky keychain that you have to carry around with you.

• 

  Tim Callan

  Yeah, and these things aren’t tiny, you know, a hard token - - it's been a long time since I've had to use a hard token but you know, it's probably the same volume as your index finger, right? It's not a trivial - - it's not a teensy little thing.

• 

  Jason Soroko

  Well, you think about, Tim, they have to have a battery in them that lasts an awfully long time.

• 

  Tim Callan

  Yeah. And they have to have a display and there's some calculation that's going on in there so there's some amount of compute in there and yeah, it's just sort of it limits the how far you can really shrink it down.

• 

  Jason Soroko

  Absolutely right. So, they're not small and if you have to have more than one - - I mean even having one is a bit of a pain. In fact, I think that's one of the reasons why the world shifted so hard towards soft tokens because most soft token apps can handle more than one application.

• 

  Tim Callan

  Right. Well, and also, I don't have a new physical thing, right? I'm carrying my phone anyway. So, I turn it into my token.

• 

  Jason Soroko

  Right, so Tim, just in saying that it might make you wonder why do they even still exist?

• 

  Tim Callan

  Yeah.

• 

  Jason Soroko

  It's, to me, it's somebody making money somewhere. I think when something is so absurd, it's almost like it - - everything in the world that's a bit off, either comes down to corruption or incompetence and I think in this case, it really just comes down to somebody making a buck and has convinced the user that they have to have it.

• 

  Tim Callan

  So, there's a big - - I think there's a big entrenchment factor in the world of tokens. So, they tend to be used by these very large bureaucratic organizations. Think about, you know, companies with 50,000 or more employees or large government institutions and these, you know, it's very slow to change course for these, you know, these aircraft carriers. And so, you know, they provision these tokens, it's part of their process, it's built into everything, there's people whose entire job is doing this day in/day out and they have nothing else that they do and those are the circumstances where effecting change is particularly difficult.

• 

  Jason Soroko

  We live in times when we've seen so many attacks now over the X number of years as well. We've even seen successful attacks against soft tokens. One of the things about hard tokens - - I think there's also - - I think what you just said, this entrenchment has to do with this mindset that this thing that you've been holding in your hand, this physical thing must - - it just must have, you know, magical powers to be so secure because you can hold it in your hand and it says security on it or, you know, in big red letters or whatever it is that that convinces you that this thing is secure and yet, I think a lot of people might forget, first of all, there have been problems with seed files being, you know, being distributed. That’s an old problem but, you know, a problem that still exists to this day is, if you type that one-time passcode into say, your browser, or whatever it is you or whatever application you happen to be logging into.

• 

  Tim Callan

  Yep.

• 

  Jason Soroko

  Especially if it's a browser, the fact that key logging exists still to this day and probably won't be going away anytime soon, those keys can be intercepted or as soon as you hit the post button in your browser there might be a man in the middle attack going on that will intercept that one-time passcode and therefore, intercept that transaction that you're trying to perform, whether it's an authentication transaction, or a heck it might even be a financial transaction, whatever it is that you're trying to complete with this one-time passcode.

• 

  Tim Callan

  Yeah. So, okay, so I'm a high value target and I've been issued a token for my high value application, and someone manages to get a keylogger onto my system. I whip out my token. I get my six-digit code. I put my six-digit code in, that keylogger immediately spins up another process on another computer somewhere where it too is logging in using that six-digit code. Now these things usually last for, I'm gonna say 30 seconds before they renew, right? 30 seconds, a minute, something in that ballpark. So, that gives you an awful lot of time. Right? And then once you're logged in, you're logged in.

• 

  Jason Soroko

  Absolutely. And so, this idea of a second factor of authentication beyond username and password, well, it's true only in the sense that you're holding in your hand. It's not the computer. The problem is you're giving away the secret back to the computer that may be infected with a virus.

• 

  Tim Callan

  Right. So, there's two things. So first of all, soft tokens themselves are - - all tokens have the vulnerability that at the end of the day this number is being transmitted by a human through an interface and all the weaknesses of that interface apply. In addition to that, the soft tokens are additionally vulnerable because that's a piece of software that's sitting on your BYOD device and that device itself could have vulnerabilities and that, too, is another area where that this can be attacked.

• 

  Jason Soroko

  And those problems have not gone away. Certainly, I think that the lessons have been learned around seed files that absolutely, you know, I think the word got out that there can be big problems with that. But, on the other hand, this idea of a second factor authentication, I don't know, I think to people who know how to attack a high value target with a keylogger that second factor authentication, I think the bad guy is really hoping you actually believe that.

• 

  Tim Callan

  Yeah. And so that's - - and you said, these factors haven't gone away. I'm not sure they can go away. They seem to be built into the paradigm at a fundamental level. Like these don't strike me as solvable problems.

• 

  Jason Soroko

  No, absolutely. And so, one of the - - when you couple that with the fact that the hard token is such a miserable form factor to begin with.

• 

  Tim Callan

  Right.

• 

  Jason Soroko

  Then, you know, let me put it this way, Tim, you know, everything has it's - - all security - - we could sit here as security professionals and say well, you have to have the strongest all the time. That's not even what we're talking about. What we're talking about here is, you know, SMS as a second factor was deprecated by NIST. I was saying that for four years before NIST actually came out admitted it. It never should have been on their list anyway because there's just so many problems with SMS and yet so many security professionals architected it into their authentication scheme.

• 

  Tim Callan

  Oh, yeah, you still see it all the time.

• 

  Jason Soroko

  And we still, Tim, live in a world, where passwords alone, using your passwords alone without a second factor is still the majority of authentication.

• 

  Tim Callan

  Yeah.

• 

  Jason Soroko

  Which is a scary, scary thought. It's such a golden age to be a bad guy.

• 

  Tim Callan

  It is and so, you know, to some degree, you know, when you start to say, well, username and password, well, aren’t you better off having a hardware token than just username and password? Arguably, yes, but you started to get in some of the disadvantages, right. We've hit a couple. One is we have talked about some of the security flaws. Another one that you just mentioned, is it's a terrible user experience. Like they're, they're miserable. But then they're expensive, right? You've got to buy these things and provision them and, you know, drop them, you know, ship them to people in all different parts of the world. They can be lost. Then you got replacements, you've got people that are down while they're lost, you've got a certain amount of anxiety that I have as the user because I have this thing that's the keys to the kingdom that I walk around with and what if I did lose it? There inflexible? I think we touched on that already. I've got this one item; it does one thing and that's all it does and I can't use it for something else. I can't say, oh, I have another critical application, I'm going to use it for that too. Right? It doesn't work that way.

• 

  Jason Soroko

  So, Tim, with everything you just said, let's say you were a CIO, Director of IT, a CSO right now, right being given the extremely difficult task of having to provision a bunch of brand-new remote users. This is common as we speak because we're living in the time of the COVID-19 virus, a lot of people are pushing their workforces to be remote. Now, let's say you have a number of choices of multifactor authentication in front of you and the company is willing to invest in some form of MFA at the moment. Are you going to choose a form of multifactor authentication where you're going to somehow have to get a hard token manufactured, shipped to you, personalized, shipped to individual users? I mean, this would be the last MFA form factor that I would choose in any scenario.

• 

  Tim Callan

  Yeah, well, and especially since it involves a physical supply chain. Like this isn't a good time for physical supply chains. So, that makes it even worse. I mean software to some degree, the software guys, as long as they can, you know, stick more servers in the rack or buy more public cloud, then they can expand, right? And in principle, they can expand very quickly, but, you know, if these things need to be made, probably in someplace like Taiwan and put on boats, like, wow.

• 

  Jason Soroko

  Hard tokens need to die. That's, look - - let me play the other side of the story for a moment. Who would want to - - who might have to keep them for the time being? I would say if you have a legacy app, you know, some kind of technical debt that's hard core to use this thing. Well, if that's the case, I salute you and hopefully one day you can move on.

• 

  Tim Callan

  Right.

• 

  Jason Soroko

  Number two, I do know that there were a number of jurisdictions in the world where not everybody's carrying a smartphone and you might want to issue these things for them to be able to log into a, you know, website or something in a secure - -

• 

  Tim Callan

  Yeah, but that's got to be getting less and less. I mean - -

• 

  Jason Soroko

  You know what, Tim?

• 

  Tim Callan

  Smartphones - - smartphones there are more smartphones, I think, than people.

• 

  Jason Soroko

  There are in my house, that's for sure. Well, what I can tell you is both of those arguments for keeping hard tokens around.

• 

  Tim Callan

  Yeah.

• 

  Jason Soroko

  They exist and therefore hard tokens will exist, I just, I don't see - - I mean, call in, you know, let's get you on the podcast if you have any other reason to use a hard token. I can’t see any.

• 

  Tim Callan

  Yeah, it's hard to imagine somebody who's dealing with this fresh, right, a brand-new implementation going the hard token route, right? They might look into it because they remember I used to have hard tokens back in the day, right? Yeah, I remember when I was a young whippersnapper and I had that RSA fob in my pocket. And, you know, well, let's look into that and see where they've gone. You can imagine that part of it happening. But, at the end of the day, there are much better solutions and I would think that a, you know, a fresh implementation that did not require this because it was already built in, like you said, because there was engineering debt, that person would probably go a different route.

• 

  Jason Soroko

  Exactly right, Tim, but you know what, I think that's it. That really concludes the thought about tokens and hard tokens specifically. You know, I think we're allowed an opinion, and that's our opinion.

• 

  Tim Callan

  That’s our opinion. So that's good, you know, it's a topic that's come up of late because people are trying to figure out how to get their workforces working remotely so, it was a good thing for us to cover and explain. And I think we've done that. So, thank you, Jay.

• 

  Jason Soroko

  Thank you, Tim.

• 

  Tim Callan

  And thank you, Listeners. As always, this has been Root Causes.