Multi-factor authentication (MFA) is increasingly becoming the standard for enhancing security, complying with regulatory requirements, and addressing operational constraints. Various authentication methods exist, but physical USB tokens are regaining popularity in businesses due to evolving cyber threats. Token Management Systems (TMS) streamline the activation, administration, and lifecycle management of these tokens, ensuring secure access governance for organizations’ information systems.
The widespread use of multi-factor authentication (MFA)
Multi-factor authentication (MFA) has become increasingly widespread in recent years to enhance access security, comply with regulations and standards (such as NIS2, DORA, eIDAS, and RGS), and mitigate challenges related to password management, including frequent resets and compromised accounts.
Its principle is based on the verification of at least two proofs of the user’s identity, including:
- Something the user knows (e.g., password, PIN code, security question).
- Something inherent to the user (e.g., fingerprint, facial recognition).
- Something the user possesses (e.g., hardware token, authentication app).
USB Multi-factor authentication: the comeback of USB tokens
Multi-factor authentication (MFA) can be implemented in various ways, each with its own advantages and limitations in terms of practicality and security.
For example, time-based one-time passwords (TOTP) sent by email or SMS are not encrypted and can be intercepted during a Man-in-the-Middle (MitM) attack, thus enabling fraudulent access to an information system or during online purchases. In biometrics, the main threat comes from artificial intelligence capable of generating increasingly realistic deepfakes for facial recognition. Additionally, if biometric data is compromised, it cannot be changed, a stolen fingerprint remains permanently exposed.
In this context, authentication based on elements possessed by the user offers better security.
- Software tokens on mobile phones (Google Authenticator, Microsoft Authenticator, etc.) are efficient but, in most companies, not all employees have a professional device. Their use on a personal device presents risks or may be refused by staff representatives.
- Physical tokens, also known as secure removable hardware, include smart cards and USB keys. USB tokens such as Yubikey, SafeNet or Neowave are experiencing a renewed interest in business because they do not require a card reader and offer the best compromise between security, cost and ease of use. However, their use requires rigorous governance to limit security risks.
Adoption of standards for unified key management
With USB token authentication, the user’s password can no longer be stolen—because there is no password. The secret remains inaccessible, as it is securely stored on a USB key and protected by a PIN code. Authentication relies on the security of the underlying protocol.
Two major secure protocols dominate the market:
- FIDO2, which includes the WebAuthn API and CTAP, is based on strong authentication using asymmetric cryptographic keys stored on secure hardware (such as USB keys). It enables organizations to implement passwordless access policies efficiently, as users can independently enroll and secure their access.
- PIV (Personal Identity Verification) is an authentication standard based on a smart card containing X.509 certificates. This protocol is particularly suitable for government agencies, administrations, enterprises, and sectors requiring a high level of security, as well as for privileged accounts. PIV-compatible USB tokens now store X.509 certificates in a virtual smart card, eliminating the need for physical card readers.
The role of Token Management System (TMS)
While authentication via USB tokens enhances security, it also introduces new challenges, particularly in managing their full lifecycle. This is where the Token Management System (TMS) comes in, a software solution designed to streamline token administration. Its key features include:
- Centralized management of all USB authentication tokens (e.g., YubiKey, SafeNet, Neowave), regardless of the authentication protocol (FIDO2 or PIV) or identity provider (Microsoft Active Directory / Entra ID, PingID, Ilex, OKTA, etc.).
- A self-enrollment portal that allows users to activate their tokens independently, reducing the administration tasks and eliminating the need for in-person activation.
- Centralized FIDO2 self-enrollment for users directly within the identity management system (e.g., Microsoft Active Directory / Entra ID, PingID, OKTA, etc.).
- Application of security policies, such as PIN code requirements (minimum length, complexity, and expiration rules).
- Automated remote management, including activation, revocation, and blocking of tokens when an employee leaves the company or if a token is compromised.
- USB token inventory and status reporting (active, deactivated, or blocked), particularly for security audits.
A Token Management System (TMS) enables organizations to move from manual keys management to the fully automated administration of thousands or even millions of tokens in a secure and efficient manner.
