
CryptoCard turns BlackBerry into software token for two-factor authentication

Written by  Vawn Himmelsbach August 16, 2006
In the U.S., financial-services regulators, along with HIPAA and Sarbanes-Oxley compliance requirements, are strongly recommending two-factor authentication. And this is starting to have a trickle-down effect here in Canada.


Two-factor authentication combines the user's own static password with a one-time password generated by a token (typically a hardware token that can be attached to a key chain). Remote users type both passwords into their laptop to reach the corporate network while on the road. Once a one-time password has been used, it is no longer valid, so a captured code cannot be replayed.
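The mechanics described above, as an added example that is not CryptoCard's code and does not describe its product's algorithm (the article does not say which scheme the BlackBerry token uses): an event-based one-time password built with HOTP (RFC 4226, HMAC-SHA1 over a counter), a token side that burns one counter value per code, and a server side that requires both the static password and the OTP, tolerates a few codes the user generated but never typed, and refuses any code at or below the last counter it consumed. The shared secret is the RFC 4226 test key so the codes can be checked against the RFC's published vectors; the password and scenario are constructed for the example.

```python
"""Event-based OTP two-factor login (added illustration, not CryptoCard code).

Token: HOTP per RFC 4226 (HMAC-SHA1 over an 8-byte big-endian counter).
Server: checks BOTH factors and never accepts a counter value it has passed.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks the window
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return f"{code % (10 ** digits):0{digits}d}"


class SoftwareToken:
    """Token side (what the handset would run): keeps its own counter."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._counter = 0

    def next_code(self) -> str:
        code = hotp(self._secret, self._counter)
        self._counter += 1                       # every press burns one counter value
        return code


class AuthServer:
    """Server side: static password AND OTP, with replay protection."""

    def __init__(self, secret: bytes, static_password: str, look_ahead: int = 5) -> None:
        self._secret = secret
        self._password = static_password         # hypothetical: stored hashed in a real system
        self._next_counter = 0                   # lowest counter value still acceptable
        self._look_ahead = look_ahead            # codes generated but never submitted

    def login(self, password: str, otp: str) -> bool:
        # Both factors are always evaluated; a stolen static password alone is useless.
        password_ok = hmac.compare_digest(password.encode(), self._password.encode())
        matched = -1
        for c in range(self._next_counter, self._next_counter + self._look_ahead + 1):
            if hmac.compare_digest(hotp(self._secret, c), otp):
                matched = c
                break
        if not (password_ok and matched >= 0):
            return False
        self._next_counter = matched + 1         # this code and every older one are now dead
        return True


def demo() -> list:
    """Constructed scenario; returns the outcome of each login attempt in order."""
    secret = b"12345678901234567890"             # RFC 4226 test key
    token = SoftwareToken(secret)
    server = AuthServer(secret, "correct-horse")
    first = token.next_code()                    # counter 0 -> "755224"
    skipped = token.next_code()                  # counter 1, typed with the wrong password
    results = [
        server.login("correct-horse", first),    # True: both factors fresh
        server.login("correct-horse", first),    # False: replay of a consumed OTP
        server.login("guessed-pw", skipped),     # False: OTP right, static password wrong
        server.login("correct-horse", ""),       # False: password right, no OTP
    ]
    token.next_code()
    token.next_code()                            # two codes generated but never typed
    results.append(server.login("correct-horse", token.next_code()))  # True: counter 4, in window
    results.append(server.login("correct-horse", skipped))            # False: counter 1 is behind
    return results


if __name__ == "__main__":
    print(demo())
```

The look-ahead window is the practical trade-off in event-based tokens: too small and a user who pressed the button a few times in their pocket is locked out, too large and a captured code stays usable for longer. Whatever the window, a counter value that the server has already advanced past is never accepted again, which is the property the paragraph above describes.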

But hardware tokens are expensive and easy to lose. The latest idea is to put a software token on a device the user already carries, such as a handheld PC or cellphone, so that the one-time password is generated on (or delivered to) that device and there is no separate hardware token to carry around.

Ottawa-based CryptoCard has announced that it plans to release a software token for BlackBerry handsets from Research In Motion, due out in the next release of its software, version 6.4, in the next two to three weeks.

The software token will let remote users logging into the corporate network over a virtual private network use their BlackBerry to generate a one-time password. The company says that combining the one-time password with the user's own static password makes it easier to positively authenticate remote users to the corporate network, and that this works in a heterogeneous environment, including Microsoft, Apple and Linux systems.

“It’s easy to use, to the point [where] my grandmother can use it,” said Jason Hart, CEO of CryptoCard. Hart worked as an ethical hacker at a consulting firm for six years, and every time he ethically hacked into an organization, he would get in via a static password.

“Ninety-nine per cent of passwords are unique to an individual,” he said. “I would search you on Google, find out your interests and hobbies — very quickly I gain a profile of you as an individual and the majority of the time that password is linked to a hobby or family name.” And, 99.9 per cent of the time people will re-use the same password.

As a result, two-factor authentication is becoming an important security tool, because a stolen or guessed static password on its own is no longer enough to log in. And users don't have to memorize a bunch of passwords, which could reduce help-desk costs associated with resetting forgotten passwords.

There’s another cost incentive: A hardware token costs more than $65, while the software-based token will cost less than half that price (though pricing has not been finalized at this point). And organizations don’t have to pay again if an employee loses their token, which is the case with hardware tokens.

CryptoCard is also offering this as a managed authentication service, where users would subscribe to the service in order to receive one-time passwords through their BlackBerry.

The company is aiming this technology at anyone who owns a BlackBerry, though it will likely find early adopters in the financial services and government sectors.

“I believe that financial institutions in the U.S. will undoubtedly go that way,” said Joe Greene, vice-president of IT security research with Toronto-based IDC Canada. “It’s another layer of security that is required and will increasingly become required as hackers and others get more sophisticated.”

And this will likely lead to a spill-over effect in Canada where, in time, financial services companies in this country may move to adopt two-factor authentication.

It is also likely that more vendors will introduce products that will turn other handheld devices and cellphones into software tokens. The market at this point in time is fairly small in Canada, said Greene, but over time two-factor authentication will catch on.

Governments are looking at this technology as they start to offer more services online, as is any vertical that deals with the public on a regular basis or offers online account access, such as financial institutions, telcos and hydro companies.

RIM would not comment on the release at this time.

Last modified on August 17, 2006
