Why Smart Cards are better than OTP tokens in two-factor authentication systems

Every security professional knows that two-factor authentication is stronger than a single-factor system. What is less well understood is that not all two-factor systems provide equivalent protection. A prevalent confusion among enterprise architects, and even some security professionals, is that One Time Password (OTP) tokens and smart cards provide the same level of security: after all, both are "something you have", so they must be equivalent. That is a gross oversimplification when comparing two entirely different technologies. In fact, with OTP, "something you have" is not always even a true statement. Let's look at this in a bit more detail.

OTP is not ALWAYS something you have when it comes to authentication

OTP tokens rely on the fact that the next value the token will display is practically impossible to predict. From this follows the common but incorrect assumption that whoever supplies the correct value must always possess the token. It ignores that the holder can simply read the value off the display and convey it over the phone or by SMS. That is intentional disclosure, of course, but the point stands: if the legitimate user can pass the value on, so can any man-in-the-middle. Knowing the correct token value does not imply possession of the token; it means only that you know the value at that particular moment. The OTP is not bound to the connection it is typed into, so the server accepts it from whoever presents it within its validity window. Every competent attacker understands this nuance, and it has been exploited by a number of trojans which collect the password and the current token value using man-in-the-middle techniques and resubmit them to the target site, usually a banking site, within the lifetime of the token.

Smart Cards allow establishing two-way SSL/TLS

Compared to tokens, smart cards establish the identity of the user with an X.509 certificate and its private key, which allows a two-way (mutual) SSL/TLS session between the two end points. In a two-way session both end points prove their identity to each other using certificates. The smart card stores a certificate issued by a trusted certificate authority (CA), together with the private key associated with it, on secure hardware, i.e. the chip on the card. The microprocessor and the operating system on the card never allow the private key to leave the card; the card only performs signing operations with it, and only after the holder has entered the PIN. During the handshake the browser asks the card to sign a value derived from the handshake itself, and the web server verifies that signature against the certificate. The result is a session in which the web server has proven its identity with its certificate and the browser has proven the user's identity with the certificate on the card. Because the signature covers this particular handshake with this particular server, it is worthless in any other session: an attacker who records it cannot resubmit it the way a captured token value can be resubmitted. The attacks that work against tokens, where capturing one correct value is enough, simply do not apply.
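The following added example, not code from the original post, shows the two-way handshake end to end in Go: a throwaway enterprise CA issues a server certificate and a card holder's client certificate, the server is configured to require a client certificate chaining to that CA, and a client that presents the certificate is admitted while one that does not is refused during the handshake. The CA name, host name, user identity and the in-memory private keys are all assumptions made for the example; in a real deployment the holder's private key lives on the card and the PrivateKey field of tls.Certificate is a crypto.Signer that forwards the handshake signature to the chip.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// issue generates a P-256 key pair and a certificate for cn signed by parent;
// a nil parent yields a self-signed CA. Server certificates get cn as a DNS SAN.
func issue(cn string, eku x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{eku},
		BasicConstraintsValid: true,
		IsCA:                  parent == nil,
	}
	if parent == nil {
		tmpl.KeyUsage, parent, parentKey = x509.KeyUsageCertSign, tmpl, key
	}
	if eku == x509.ExtKeyUsageServerAuth {
		tmpl.DNSNames = []string{cn}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert, key
}

// buildPKI stands in for the enterprise CA (names are assumptions for the example).
func buildPKI() (roots *x509.CertPool, server, holder tls.Certificate) {
	ca, caKey := issue("Example Corp Root CA", x509.ExtKeyUsageAny, nil, nil)
	srv, srvKey := issue("portal.example.test", x509.ExtKeyUsageServerAuth, ca, caKey)
	// On a real card this private key never exists in host memory: PrivateKey
	// would be a crypto.Signer that hands the handshake signature to the chip.
	usr, usrKey := issue("alice@example.test", x509.ExtKeyUsageClientAuth, ca, caKey)
	roots = x509.NewCertPool()
	roots.AddCert(ca)
	server = tls.Certificate{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey}
	holder = tls.Certificate{Certificate: [][]byte{usr.Raw}, PrivateKey: usrKey}
	return roots, server, holder
}

// startServer runs an HTTPS server that demands a client certificate chaining
// to the enterprise root; the handler reads the verified identity from r.TLS.
func startServer(roots *x509.CertPool, server tls.Certificate) *httptest.Server {
	s := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "hello %s", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	s.TLS = &tls.Config{
		Certificates: []tls.Certificate{server},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the "two-way" part
		ClientCAs:    roots,
	}
	s.StartTLS()
	return s
}

// connect is the browser side; withCard controls whether the holder's
// certificate and key take part in the handshake.
func connect(url string, roots *x509.CertPool, holder tls.Certificate, withCard bool) (string, error) {
	cfg := &tls.Config{RootCAs: roots, ServerName: "portal.example.test"}
	if withCard {
		cfg.Certificates = []tls.Certificate{holder}
	}
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

func main() {
	roots, server, holder := buildPKI()
	s := startServer(roots, server)
	defer s.Close()
	fmt.Println(connect(s.URL, roots, holder, true))
	fmt.Println(connect(s.URL, roots, holder, false))
}
```

Run it with `go run`. The first connection reaches the handler and is greeted by the name taken from the verified certificate; the second never reaches application code, because the server aborts the handshake with a TLS alert when no acceptable client certificate is presented. The handler trusts r.TLS.PeerCertificates only because the TLS layer has already verified the chain against ClientCAs; a production server additionally checks revocation and maps the certificate subject to an account before granting anything.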

The additional protection provided by a two-way SSL/TLS session, which requires a private key the user holds and which smart cards provide, is well beyond what OTP tokens offer. Unless someone can show how to compromise a correctly established two-way SSL session, man-in-the-middle attacks are next to impossible against a correctly configured smart-card-based authentication system. "Correctly configured" means the server requires and verifies the client certificate against the issuing CA, checks revocation, and binds the certificate's subject to the account. Note also what the protection covers: interception and replay of credentials in transit. It does not protect against malware on the user's own machine, which can drive an inserted card, with the PIN captured or cached, for a session of its own.
