Changing 2FA need not be like ripping out the plumbing!

I have just moved into a new house, deep in the heart of Texas.

Well, the house is new to me, but in IT terms, it is “legacy”. The plumbing is very legacy.

The dripping pipe under the kitchen sink seemed straightforward, but I could not quite get the water supply to stop, despite turning it off outside the house. I called a plumber, just in case. Very sensible of me. It took him three hours and a lot of cussing, and he is coming back on Friday to repair the dripping from his repair.

I am reminded of one of those wordy research reports that I read, from Gartner, Forrester, 451 or whoever (are they paid by the word?) – “changing 2FA from one vendor to another is like ripping out the plumbing” it said, which is why so many companies renew their legacy 2FA year after year.

Changing your legacy 2FA vendor is hard!

Security stuff – not just 2FA – seems to be like my plumbing: very expensive to replace, and best left alone.

The 2FA model is “persistent” by design. How will they sell you those $100 tokens every two or three years, if you can just swap out the server in a couple of minutes?

My local Ford Dealer has a slogan: “Selling to Sell Again”, but they aspire to retain business by building customer loyalty in a competitive market. A proprietary token vendor has you locked in – selling to sell again, without the customer service.

These token guys want you to pay through the nose, for a commodity technology which is fast approaching 30 years of age!

Your organization may have a legacy 2FA technology based on cheap-to-make, expensive-to-buy, time-limited tokens which expire at predetermined periods, operating on proprietary and dedicated servers. Your fleet of tokens is constantly being churned as batches expire. And then there are the token failures, the lost tokens, the forgotten tokens, the laundered tokens…

Managing 2FA based on proprietary tokens is a nightmare.

The legacy business model – selling to sell tokens again and again – causes the pain. But why would you rip out the 2FA plumbing if you are going to replace it with the same model, from another legacy 2FA vendor? This inertia is at the heart of the 2FA market. It limits the adoption of 2FA at a time when advanced remote authentication is more needed than ever.

So Mi-Token was developed to invert the business model.

We are the people who don’t want to sell you tokens. We will sell you tokens, but my sales teams are not commissioned on token sales. We supply OATH-compliant tokens which do not expire. If you buy our Crystal LCD tokens, they are good until the battery dies in ~four years. They are very reliable, and low cost, so you can treat them as the secure but commodity items that they are.

Or you can buy reprogrammable Yubikeys, which have no battery and last for years. You can buy OATH tokens from a third-party vendor and import them, securely, into Mi-Token. You can mix and match different tokens from different vendors, including MicroLatch, the biometric token vendor. Users can have as many tokens as you wish to support – we license on a per user basis, supporting unlimited tokens per user.

When Mi-Token started, “soft tokens” meant SMS. We support SMS, but from day one we have also offered unlimited free soft tokens on all major mobile platforms. After all – how much does it cost to make a soft token?

Our customers love Mi-Token’s self-assignment feature. Users go to a secure intranet site and deploy tokens – hard tokens, mobile soft tokens, and desktop soft tokens – to themselves. In some cases, we manage the entire fulfillment process, shipping tokens to the employee in a fully automated system.

If you visit me on the Culet Security workstation at RSA Expo, booth #709 (Feb 24-28 2014), I can show you all this and more. I will even run a “Dark Web” scan on your AD domain, to see if any of your domain addresses have been compromised. Email me and we can set up a meeting on the booth.

Back to the plumbing. With Mi-Token, there is no need to rip out the 2FA plumbing. Install Mi-Token in parallel, run it seamlessly alongside your existing 2FA product, and migrate to Mi-Token at your own pace. Mi-Token can be up and running in under an hour. With no leaks.

I look forward to hearing from you, meeting you, chatting with you.