Wednesday, April 21, 2010
Protecting Against Willful Compromise
by Brent Williams, Anakam CTO
A lock is easily opened when the owner gives the key to somebody else. This is true for gaining access to online accounts with passwords as well as with second-factor authentication tokens and smart cards. A person can willfully share their credentials for a number of reasons. A husband may share his password and token with his wife because she manages the family’s medical information. Users in a remote site or branch store may share passwords and access cards because they need to be able to serve as backup to each other in case of absence. A user may share passwords or tokens simply because the process of setting up a second account is perceived to be too much trouble or because accounts are not designed with the permission mechanisms that allow users to have access to other accounts or information when there are legitimate reasons to do so. Inappropriate account access through sharing of passwords and tokens is considered token fraud, as it is a willful compromise of the proper use of the token. The act of token fraud may increase the likelihood of identity fraud, but it is fundamentally different from identity fraud, and different means of risk mitigation are needed to counter the fraud if it is a concern for the enterprise.
When protecting private or sensitive information, the person to whom the token or credentials are issued has a vested interest in maintaining the security of that information. Privacy becomes the mutually implied benefit in protecting the credentials and minimizes the incentive for sharing those credentials. For example, in the case of the spouses sharing passwords, the willful compromise still establishes non-repudiation of the transaction in the eyes of the owner of the credentials, as he is the one who shared them. While this is against the rules, and makes true tracking of non-repudiation difficult, the user sees it as only affording access to his own information and so provides access to someone he trusts. The user of the credential is still invested in the risk of the transaction. If a user shares his credentials with a family member for convenience, he accepts that risk. Such a user would be highly unlikely to share credentials with a stranger or even an acquaintance. In another example, when users share tokens in a work environment, they often do so because they need that access to do their jobs and either do not know how to give appropriate permissions to others or are using systems that do not have configurable permission structures.
The significance of token fraud rises when protecting the information of numerous individuals or controlling access to benefits. Examples of this are government payment programs, work eligibility systems, or insurance payment systems. In these situations, someone may willfully compromise the system because they perceive no personal cost to allowing others to use their credentials or may even derive a benefit from doing so. The authorized user may not lose benefits, and the improper user gains a benefit (gets services paid for, gets access to work eligibility, etc.) simply by sharing the credential. In some cases, the authorized user may also benefit from the improper use; for example, when a work-at-home employee asks a friend or family member to work for them for brief periods while they take care of personal errands. The chance of being caught or of misuse of the data may seem remote to the user, but it is far more significant to the enterprise.
Enterprises need to identify the causes of token fraud by their users. If it is appropriate to allow users to grant each other account access, e.g., for family account management or emergency access, they need to build permission structures that are easy and flexible so that users do not need to commit token fraud in order to do their jobs or manage their lives. Once account sharing permissions have been implemented, enterprise policies need to include clearly stated penalties and mitigation processes for willful credential compromise. Industry best practices show that the use of a layered system, with different channels of delivery or types of authentication, helps to mitigate willful compromise. The authentication process should be straightforward enough that it is not cumbersome for daily use by authorized users, and yet not so easy that simply handing over a hard token allows an unauthorized user access. For example, using SMS to send a one-time passcode to a cell phone is still a simple process for the authorized user, but it is less likely that a user would leave behind a cell phone for another person to receive the passcode.
When token fraud poses a high risk for the enterprise, another strong authentication technique that helps eliminate token compromise is biometric authentication. Voice biometrics is the process of comparing a voice sample with a stored, digital voice model, or voiceprint, for the purposes of establishing or verifying the user’s identity. To make it most effective for authentication, voice biometrics is typically conducted as a one-to-one comparison of the user’s spoken response with the enrolled voiceprint that was recalled for comparison purposes through some other means. Alternatively, some enterprises may elect to implement a one-to-many comparison, where the sample taken at authentication is compared to all stored voiceprints; while less cumbersome for the user, one-to-many is less accurate and more processor-intensive for large user populations. Other techniques, such as fingerprint recognition, require the user to have a scanning device, which may make the process too expensive for the enterprise and too cumbersome for the user.
In order to maintain strong security and non-repudiation of transactions, enterprises need to create and enforce access controls that allow users to perform appropriate transactions without the need to share credentials. Once these access controls are established, strong authentication ensures that these controls are respected and enforced.
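One way to model the delegated-access permission structure recommended above, as an added example that is not code from the original post: each person signs in with their own credentials, the account owner issues a scoped, expiring grant, and every decision is logged against the real actor so non-repudiation is preserved. The user IDs, scope names and class names are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Grant:
    owner: str          # account whose records are accessed
    delegate: str       # person acting, signed in with their OWN credentials
    scopes: frozenset   # actions the owner agreed to delegate
    expires: datetime

class DelegationStore:
    def __init__(self):
        self.grants = []
        self.audit = []  # (time, actor, owner, action, allowed)

    def grant(self, owner, delegate, scopes, days, now):
        self.grants.append(Grant(owner, delegate, frozenset(scopes),
                                 now + timedelta(days=days)))

    def revoke(self, owner, delegate):
        self.grants = [g for g in self.grants
                       if (g.owner, g.delegate) != (owner, delegate)]

    def authorize(self, actor, owner, action, now):
        # Owners act on their own account; anyone else needs a live grant
        # from that owner covering this exact action.
        allowed = actor == owner or any(
            g.owner == owner and g.delegate == actor
            and action in g.scopes and now < g.expires
            for g in self.grants)
        # Log the real actor, not the owner, for both allows and denials.
        self.audit.append((now, actor, owner, action, allowed))
        return allowed

def demo():
    # Constructed scenario: hypothetical user IDs and scope names.
    t0 = datetime(2010, 4, 21, tzinfo=timezone.utc)
    store = DelegationStore()
    store.grant("husband", "wife", {"medical:read", "medical:update"}, 90, t0)
    results = [
        store.authorize("wife", "husband", "medical:read", t0),      # in scope
        store.authorize("wife", "husband", "benefits:claim", t0),    # out of scope
        store.authorize("wife", "husband", "medical:read",
                        t0 + timedelta(days=91)),                    # expired
        store.authorize("neighbor", "husband", "medical:read", t0),  # no grant
    ]
    store.revoke("husband", "wife")
    results.append(store.authorize("wife", "husband", "medical:read", t0))
    return results, store.audit

if __name__ == "__main__":
    print(demo())
```

Because denied attempts are logged too, repeated out-of-scope requests by a delegate show up in the audit trail as a signal worth reviewing.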