While OTP authentication, for example with OTP apps, may provide sufficient protection for most enterprise use cases, verticals that require higher levels of assurance, such as e-government and e-health, may be mandated to use PKI security by law.
Industry Standards and Mandates
In PKI authentication, the user proves possession of the private key of an asymmetric key pair (typically by signing a challenge); when that key is generated and stored in a hardware token it cannot be extracted or copied, so it is non-transferable. Because the verifier holds only the public key, PKI is used in many parts of the world for higher-assurance use cases. However, the security of OTP is also increasingly recognized by many sectors, for example healthcare in the US, where OTP satisfies the DEA's EPCS requirements when a FIPS-compliant OTP app is used.
Depending on regulations relevant to your industry, the hardware or software token you deploy may need to comply with FIPS 140-2 in North America or Common Criteria in other regions of the world.
Where a combination of physical and logical access is required, hardware tokens that support RFID-based physical access control may be preferred. To learn more, visit our Physical and Logical Access Control solutions page.
Regardless of the two-factor authentication technology being used, security can be raised further by assessing additional contextual attributes of each login attempt, such as whether the device is known, where the request originates, and whether the timing and behavior match the user's history, and then allowing, stepping up, or denying the attempt accordingly. To learn more, visit our Context-based Authentication page.
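The following is an added illustration, not code from the original page or from any vendor product, of what a context-based check behind a two-factor login might look like: it scores a login attempt on three constructed signals (unknown device, "impossible travel" between the previous and current location, and off-hours activity) and maps the score to allow, step-up, or deny. The signal weights, thresholds, 900 km/h travel limit, and sample user history are all assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt


@dataclass
class LoginAttempt:
    user: str
    device_id: str      # e.g. a registered device fingerprint or cookie id
    lat: float          # approximate location from IP geolocation
    lon: float
    time: datetime      # tz-aware timestamp of the attempt


@dataclass
class UserHistory:
    known_devices: set = field(default_factory=set)
    last_lat: float = 0.0
    last_lon: float = 0.0
    last_time: datetime = datetime.min.replace(tzinfo=timezone.utc)
    usual_hours: range = range(8, 19)   # hours (UTC) the user normally logs in


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two lat/lon points in kilometres."""
    r = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * r * asin(sqrt(a))


# Assumed weights and thresholds for the example; a real deployment tunes these.
MAX_PLAUSIBLE_SPEED_KMH = 900.0   # faster than a commercial flight is "impossible travel"
STEP_UP_THRESHOLD = 30
DENY_THRESHOLD = 50


def risk_score(attempt: LoginAttempt, history: UserHistory) -> tuple[int, list[str]]:
    """Return an additive risk score and the reasons that contributed to it."""
    score, reasons = 0, []

    if attempt.device_id not in history.known_devices:
        score += 30
        reasons.append("unknown device")

    dist_km = haversine_km(history.last_lat, history.last_lon, attempt.lat, attempt.lon)
    hours = (attempt.time - history.last_time).total_seconds() / 3600.0
    # Ignore small moves (geolocation jitter); flag moves that would need
    # an implausible speed, including a zero or negative elapsed time.
    if dist_km > 50 and (hours <= 0 or dist_km / hours > MAX_PLAUSIBLE_SPEED_KMH):
        score += 50
        reasons.append("impossible travel")

    if attempt.time.hour not in history.usual_hours:
        score += 10
        reasons.append("off-hours")

    return score, reasons


def decide(score: int) -> str:
    if score >= DENY_THRESHOLD:
        return "deny"
    if score >= STEP_UP_THRESHOLD:
        return "step-up"    # e.g. require an additional factor or re-enrolment
    return "allow"


def evaluate(attempt: LoginAttempt, history: UserHistory) -> dict:
    score, reasons = risk_score(attempt, history)
    return {"decision": decide(score), "score": score, "reasons": reasons}


# Constructed sample data: the user last logged in from New York on a known laptop.
HISTORY = UserHistory(
    known_devices={"laptop-01"},
    last_lat=40.71, last_lon=-74.01,
    last_time=datetime(2024, 5, 6, 9, 0, tzinfo=timezone.utc),
)
NORMAL = LoginAttempt("alice", "laptop-01", 40.71, -74.01,
                      HISTORY.last_time + timedelta(days=1, hours=1))
NEW_DEVICE = LoginAttempt("alice", "laptop-99", 40.71, -74.01,
                          HISTORY.last_time + timedelta(days=1, hours=1))
TRAVEL = LoginAttempt("alice", "laptop-99", 35.68, 139.69,     # Tokyo, one hour later
                      HISTORY.last_time + timedelta(hours=1))

if __name__ == "__main__":
    for label, attempt in (("normal", NORMAL), ("new device", NEW_DEVICE), ("travel", TRAVEL)):
        print(label, evaluate(attempt, HISTORY))
```

The scoring is deliberately additive and explainable: each reason is recorded so that a step-up or denial can be shown to the user and to the SOC, which matters more in practice than the precise weights.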
Mitigating Diverse Threat Vectors
Different authentication technologies are effective in countering different threats. For a survey of authentication methods and the threats they counter, download the Survey of Authentication Technologies White Paper.