An Identity Love Story: Hardware vs Software Security Tokens

July 1, 2024

Identity Security

Cybersecurity has been growing since the first computer was created. And it is only natural that as computers and information become increasingly important in our lives we need stronger ways to secure them.

A 2024 report from CyberArk said that “93% of organizations had two or more identity-related breaches in the past year.” This is the latest in a long series of signs that the “passwords” we’re all so comfortable with have become wholly inadequate to support the vast number of digital identities we manage both personally and corporately. Because of this, cybersecurity leaders have been rapidly adopting different factors in the authentication of digital identities. These authentication factors can be grouped into 3 main categories:

  • Something that you know: “knowledge factors” are a secret the user alone (in theory) remembers, like a pin, passphrase, or a password.
  • Something that you are: “inherence factors” are something the user uniquely “is”, as revealed by a biometric scan like those for retinas, fingerprints, facial recognition, voice patterns, etc.
  • Something that you have: “possession factors” are simply something the user has, like a hardware or a software token that’s affirmed to have been distributed to only that user, and that’s tied to something they are permitted to access. This can be a digital certificate, smart card, token, look-up secrets, one-time password devices, or cryptographic devices.

Multi factor authentication (MFA) aims to use the appropriate combination of these factors when accessing devices, applications, services, data and web locations.

Do I really need more than one factor?

A study conducted by Google, New York University, and the University of California San Diego shows that implementing multi-factor authentication (MFA) in its simplest form adds major improvements to your security posture. In the study, introducing a text message (SMS) one-time password (OTP) blocked up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks that occurred during the investigation.

Are all MFA options the same?

The short answer is no, they are not the same. Some factors are much stronger than others. Some are inherently more difficult to replicate or spoof based on current technology available to our adversaries. (And this “availability” is of course always changing.)

Because of this, authentication factors vary in their Authentication Assurance Level or “AAL.” AAL measures the strength of an authentication mechanism and, therefore, the confidence we can place in it. AAL2, for instance, requires “Proof of possession and control of two distinct authentication factors” through secure authentication protocols, generally software-based and using specific cryptographic techniques.

AAL3, on the other hand, requires a hardware-based authenticator that provides “verifier impersonation resistance.” The different levels of AAL can be found in this document from the National Institute of Standards and Technology (NIST), Special Publication (SP) 800-63-3 Digital Identity Guidelines.

What is a Hardware-based token?

It is a physical token that you possess to help prove your digital identity. These come in various form factors and workflows: smart cards and USB security keys inserted into target machines.

The hardware if the vessel that can deliver a variety of authentication options: Fast Identity Online (FIDO) passkeys; x.509 certificates backed by PKI (sometimes called TLS certificates or just certificate-based authentication; fobs that generate a One Time Password (OTP), and more. These tokens vary in shape and size and even the sequence or cryptographic processes with which they prove the identity.

What is a Software-based token?

As the name suggests, these are encoded tokens preinstalled on specific devices to verify your identity. Much like the hardware tokens, they also vary in how they work: push notifications; OTP; FIDO passkeys; or x.509 certificates.

One of the greatest benefits of software-based tokens is they can be embedded on any number of delivery mechanisms: on an end user’s device; on a device’s secure enclave or trusted platform module (TPM); on a dedicated authentication device like smartcards or fobs; on companion devices like mobile phones, whether corporately issued or individually owned.

Hardware vs software, which one is best?

When it comes to factors of authentication, there isn’t really a silver bullet that fits all scenarios. Each combination presents different Pros and Cons, to either users, security professionals, or identity admins and operators. This breakdown helps visualize the factors, the forms they take, and the benefits or drawbacks they present:

Hardware token and software token chart comparision

Caption: Pros and Cons of using hardware-based or software-based tokens with different authentication forms, factors and methods

Best-suited, of course, depends on the use case in mind and the user that’s trying to authenticate. These come together to determine which authentication factor is the best for your scenario.

For example, FIDO and x.509 certificates, as you can see, both provide phishing-resistant authentication options. Therefore, if security is your top concern, you should pick one of these two. Or both because full FIDO support for many platforms and devices is still incomplete.

If your user needs to log in from multiple devices and move between machines, a roaming security token that is not tied to one device is needed. This narrows down options to YubiKeys, other USB tokens, and smartcards.

If your user logs in from the same machine daily, then leveraging the Trusted Platform Module (TPM) chip of the user’s machine to issue a FIDO passkey or an x.509 certificate would be a better option due to the reduced acquisition cost. These two combinations (FIDO / x.509 certificates + hardware token/TPM) deliver, when thoughtfully combined, the highest level of assurance against phishing.

What will my MFA journey look like?

The end goal must be defined to choose the right journey. Along with NIST and CISA, we recommend that organizations move to a truly phishing-resistant passwordless authentication state. Such a state can only be achieved by having a solution that works regardless of all the variables during authentication, such as Authenticators, Operating System, Identity Provider, Application, etc.

Diagram of Axiad's plug and play ecosystem

Axiad Cloud’s plug and play ecosystem

Modern authentication architectures are complex interconnections of different technologies, from the IAM solution that provisions identities to the IGA solution that provides governance to the hardware device that provides a mobilty platform. These technologies can be obstacles to achieving the phishing-resistant goal and force reliance authentication methods like passwords that are phishing magnets, that require multiple authentication silos, or needing to use a multitude of different authenticators for different use cases.

What should be prioritized?

Every organization would have its own priorities, and it would start from that priority point. We suggest addressing the non-phishing resistant authenticators first, as that criterion has the biggest impact on an organization’s security posture, as evidenced by the tremendous increase in phishing attacks and their repeated success. But what if you can address all of these issues simultaneously?

Axiad’s CBA for IAM offering is a simplified, streamlined way to use PKI-based certificates to authenticate users at scale and by leveraging well-known, reliable, cloud-based PKI capabilities. According to NIST, PKI authentication is the method most resistant to phishing attacks. By its very nature it prevents users from giving away their certificates by mistake when they are the victims of a phishing attack. This helps organizations overcome the first obstacle. At the same time, PKI is an industry standard that is widely supported by Windows, MAC, Linux, okta, PING, Microsoft, you name it. Which means, it can be used across your different Identity Providers, merging the silos. This resolves the other obstacle of having different authenticators per use case.

That being said, once Axiad’s CBA for IAM is selected for review or any other mechanism, we can start that journey of transformation:

  • Pick the Identity provider you want to start with, ideally the one with the least impact.
  • Establish trust between that Identity Provider and the Certificate Authority issuing the certificates for authentication.
  • Issue token for a pilot batch of users.
  • Repeat the above with the rest of the Identity Provider until all your use cases are covered.
  • Expand the user population until all users are using the strong authenticators.
  • Last but not least, disable the ability to use passwords for authentication.

How do I deploy MFA solutions and manage them in my organization?

If you want a flexible environment where you deploy multiple certificates, then a reliable and easy-to-use Credential Management System is needed for managing the tokens and certificate life cycle.

Axiad Cloud is a turnkey solution that allows organizations to easily onboard, manage, and support users with different authentication factors. Axiad’s solution provides an intuitive web-based user interface, allowing users to self-enroll and manage their tokens easily. It runs in the cloud (an on-premises option is available) and provides everything you need to deliver phishing-resistant authentication quickly and thoroughly.

How can my users enroll different tokens?

At Axiad, we realize that the biggest obstacle to rolling out a new authentication method is the enrollment and lifecycle management of these hardware or software security tokens. That’s why we built an interface (Unified Portal) for the end user to see, issue, revoke and renew their tokens.

A view of the Axiad Cloud portal

Axiad Cloud Unified Portal

This portal can be combined with an optional agent, called AirLock, that checks each token’s validity and provides users with a simplified process for renewing or updating their credentials.

Axiad's Airlock message

Airlock message

Unified portal in a captive browser

Captive browser to force enrollment

Combining Forces

The Axiad customers who have seen the greatest success in deploying enterprise-wide MFA are the ones who have successfully combined hardware and software tokens. A great example of this is Carmax, the world’s largest used car supplier with over $19 Billion in revenue and over 27,000 MFA-using employees. Click here to see our webinar on how Carmax combined these technologies at scale, or request a demo to learn more about Axiad.

About the author
Tami Williams
Tami Williams
Axiad Demo

See How Axiad Works

See a comprehensive demo of Axiad and envision how it will revolutionize authentication for you!