Anyone using hard tokens/hardware-based MFA? What's your experience?

Identity & Access Management (IAM)
343 viewscircle icon1 Upvotecircle icon6 Comments
Sort by:
CTO in Education4 years ago

Not the best solution, there is nothing you can do if you forget your token at home, battery runs out after 1-2 years so you would need to order a replacement. total cost of solution is huge compared to soft tokens.
in my opinion, hard tokens will fade our soon.

CTO in Software4 years ago

Same as many others, have had the horrific experience of having to support RSA key fobs and then transitioned to a combination of Yubico's YubiKey for hardware-based MFA and Duo for Enterprise wide software-based MFA

Director in Manufacturing4 years ago

We first tried key-fob hardware tokens about 10+ years ago.  Technically worked.  Then there was a famous breach where the algorithm was compromised and we dropped them.   More recently we offered it via software installed on phone or tablet.  Our employees rejected the software on any BYOD devices.  (Long back story on that)   It seems to work reasonably well for those with Corporate owned cell phones, as long as they don't forget them at home.  That does occasionally happen, and that creates a lot of grief at IT and the Service Desk.   I personally believe 2-Factor should be with password and Biometric, either face or thumbprint.  It needs to be something you can't forget to bring with you if you are implementing this across a large and diverse workforce.  If you are doing MFA but just for your key IT people, or for very special critical employees with access to critically sensitive data, the latest Token/Hardware solutions may serve you well. 

Lightbulb on3
CISO in Banking4 years ago

Very hard to manage with lost token and synchronisation issues, plus battery life isn't that great

VP of IT in Healthcare and Biotech4 years ago

Ex user of hard token but very much like software token now with mobile apps.

Content you might like

Curious how people are dealing with fraud, and specifically tech support scams, in their organisation. Our service desk have a protocol (using personal questions and answers or escalation to a manager) when validating staff requesting password resets. This wouldn't be scalable to our wider population.  I've heard of one tech firm implementing something simple like 2 random words generated on an internally hosted website every, say, 60s that can be used as a challenge & response. Does anyone have any other smart, easy to use, bits of tech that I should consider as part of a wider on-going education and awareness campaign?  I'm assuming this is a hot topic for many of you, given the recent Quick Assist social engineering ransomware attacks.

We're mandated to allocate IT costs to the service level, but this creates friction with Identity & Access Management (IAM). The issue: non-negotiable security costs (MFA, SSO, governance) often exceed the cost of low-value services they protect (e.g., internal portals), leading to business owner pushback. How have you addressed this "Low-Value Service Paradox"? Do you keep foundational SSO/basic provisioning as corporate overhead or allocate everything? Do you use risk- or value-weighted allocation to subsidize essential, low-cost services? Who owns the final decision on allocation formulas—Finance, CIO Council, or Security? Please share specific solutions and governance models that have made IAM cost allocation fair and sustainable.

Read More Comments

Which of these leading security practices do you plan to focus on the most in 2022?

Proactively updating technology20%

Integrating security technology41%

Accelerating incident response17%

Improving the accuracy of threat detection8%

Ensuring prompt disaster recovery12%

Other; comment below

View Results

As web operations move toward edge computing frameworks and processes, do you feel prepared to sufficiently observe and protect user privacy at the edge?

We haven't thought much about it.7%

We don't feel it is our responsibility to protect user data at the edge.28%

We feel reasonably well prepared.29%

We have all the tools we need to see and control user data at the edge of our web systems in accordance with our privacy policy and international privacy regulations.30%

We can't see or control any user data between our users and the edge of our systems.1%

I don't know.1%

View Results

Anyone using Hashicorp to drive privileged Access management PW compliance by any chance? if yes, any challenges pulling data from the solution and matching secrets to privileged IDs?