
Re: [Assurance] silver and two-factor ...


  • From: Tom Scavo <>
  • Subject: Re: [Assurance] silver and two-factor ...
  • Date: Thu, 15 Mar 2012 17:17:50 -0400 (EDT)



> It’s the helpdesk calls and issues with user education around
> certificate enrollment and management that make me lean toward OTP
> devices.

No argument there!

> You never have to remember anything other than a four or
> five digit PIN, and the rest of the secret is provided for you by a
> key fob that you.

A single token that provides both factors has two drawbacks: 1) it introduces
a new secret (i.e., the PIN) instead of leveraging a secret the user already
knows, and 2) since both factors are managed by a single token, compromising
the one makes it relatively easy to compromise the other.

Plus you need to consider the usability of such a device. In our (admittedly
limited) experience, users who authenticate often (because of aggressive
timeouts, e.g.) find the input of a numeric OTP very tedious, so choose your
2FA technology carefully by considering the environment of use.

Finally, note that most of the OTP devices out there are based on OATH HOTP,
which implies a shared key between the token and the server. If the server is
hosted, that makes it very difficult to switch technologies in the future,
which of course leads to vendor lock-in. Yuck.

Tom
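Added example (not part of the thread above, and not code from any vendor or from the list): a minimal OATH HOTP (RFC 4226) token and validation server in Python, to make concrete the "shared key between the token and the server" point in the message. The token and the server each hold a copy of the same seed; the server keeps a per-user counter and a look-ahead window (the `look_ahead` size is an assumption) so that presses made without logging in do not desynchronise the pair, and a counter that only moves forward so that a captured code cannot be replayed. The `export_seed` method is there to show the migration problem: a second server can validate the same fob only if it receives that seed, which is exactly what a hosted provider may decline to hand over.

```python
"""Constructed example: OATH HOTP (RFC 4226) token and server sharing one key."""
import hashlib
import hmac
import struct
from typing import Dict, Optional


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduce modulo 10**digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Token:
    """The key fob: holds the shared seed and its own moving counter."""

    def __init__(self, key: bytes):
        self._key = key
        self.counter = 0

    def press(self) -> str:
        code = hotp(self._key, self.counter)
        self.counter += 1
        return code


class Server:
    """Validation service: per-user copy of the same seed plus the next
    counter value it expects. look_ahead (assumed value) bounds how many
    unused presses it will tolerate before refusing to resync."""

    def __init__(self, look_ahead: int = 10):
        self.look_ahead = look_ahead
        self._keys: Dict[str, bytes] = {}
        self._counters: Dict[str, int] = {}

    def enroll(self, user: str, key: bytes) -> None:
        # Enrolment is the moment the secret is duplicated onto the server.
        self._keys[user] = key
        self._counters[user] = 0

    def verify(self, user: str, code: str) -> bool:
        key = self._keys.get(user)
        if key is None:
            return False
        start = self._counters[user]
        for c in range(start, start + self.look_ahead):
            if hmac.compare_digest(hotp(key, c), code):
                # Resync to one past the matched counter; it never moves
                # backwards, so an earlier or already-used code is rejected.
                self._counters[user] = c + 1
                return True
        return False

    def export_seed(self, user: str) -> Optional[bytes]:
        """Moving a user to another validation server means moving this seed.
        If the hosting provider will not release it, the fob must be re-issued."""
        return self._keys.get(user)


if __name__ == "__main__":
    # Constructed seed: the RFC 4226 Appendix D test key, ASCII "12345678901234567890".
    seed = b"12345678901234567890"
    fob = Token(seed)
    hosted = Server()
    hosted.enroll("alice", seed)
    print("first press accepted:", hosted.verify("alice", fob.press()))
    replacement = Server()
    replacement.enroll("alice", hosted.export_seed("alice"))
    print("same fob works on the new server:", replacement.verify("alice", fob.press()))
```

The expected codes for that seed and counters 0 through 9 are published in RFC 4226 Appendix D, so the `hotp` function can be checked against known vectors before any fob is involved; note also that the look-ahead window is what makes the server tolerant of idle presses, and that it is the only place where a replay or an old code can be rejected, because the fob itself has no way to know which codes the server has already seen.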



