Recently in Cybercrime Category

PhoneFactor Builds on Strong Authentication Platform with SMS

Vendor Claims to Be First Offering Text-Based Out-of-Band Authentication

PhoneFactor today announced it is adding Short Messaging Service (SMS) to its two-factor authentication platform. It's one of several announcements and demonstrations of strong authentication pervasive at this year's RSA Conference.

With PhoneFactor's original authentication platform, users enter a user name and password into an application. The PhoneFactor system then places a call to the user's telephone; authentication is achieved when the user answers. A user may also enter a PIN for another layer of security.

With its new SMS-based platform, PhoneFactor sends a one-time pass code to the user's mobile phone. The user authenticates in one of several ways, depending on the security requirements: texting back the code; entering the code into the application; entering a PIN plus the code. For very sensitive applications, PhoneFactor also offers voice biometrics.

In a pre-RSA briefing with Security Squared, PhoneFactor CTO Steve Dispensa emphasized that the authentication in all cases occurs "out of band," that is, on a second channel. "With out-of-band, compromising the computer isn't enough to cause problems," he said. A cybercrook may have obtained a user's ID and password--but is unlikely to have the user's telephone or mobile device, which is a different device on a different network.

Even if the cell phone is lost, Dispensa pointed out that users generally are quick to notice and take steps to get a new one. That's in contrast to the time it might take to notice that a rarely used keyfob or other token is missing.

The SMS-based platform could help enterprises address the issue of SQL injections and man-in-the-middle attacks, in which bad guys take over a legitimately authenticated Web or VPN session. In those cases, Dispensa said, "The only thing that doesn't look right is the transaction itself."

In these situations, a text message could be sent that includes details of the transaction, such as a funds transfer amount and destination, and prompts the user to indicate whether the transaction should be permitted. The application owner can even use a fraud alert code the user can punch in immediately to signal trouble.
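The transaction check described above can be modeled as follows. This is an added sketch, not PhoneFactor's code or API: the function names, six-digit codes, two-minute lifetime, three-attempt limit and per-transaction fraud code are all assumptions made for illustration.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 120  # assumed validity window for the codes
MAX_ATTEMPTS = 3        # assumed limit on wrong replies

def new_code():
    """Six-digit one-time code from a CSPRNG."""
    return f"{secrets.randbelow(10**6):06d}"

def start_confirmation(amount, destination, now=None):
    """Record what the server will execute and build the text for the phone."""
    approve, alert = new_code(), new_code()
    while alert == approve:  # the two codes must differ
        alert = new_code()
    start = time.time() if now is None else now
    pending = {"amount": amount, "destination": destination,
               "approve": approve, "alert": alert,
               "expires": start + CODE_TTL_SECONDS,
               "attempts": 0, "state": "pending"}
    # The text is built from the server-side record, so a transfer altered
    # inside a hijacked session is what the user sees on the second channel.
    sms = (f"Transfer {amount} to {destination}. "
           f"Reply {approve} to approve or {alert} to report fraud.")
    return pending, sms

def handle_reply(pending, reply, now=None):
    """Return 'approved', 'fraud', 'rejected', 'locked', 'expired' or 'closed'."""
    now = time.time() if now is None else now
    if pending["state"] != "pending":
        return "closed"  # codes are single use
    if now > pending["expires"]:
        pending["state"] = "expired"
        return "expired"
    got = reply.strip().encode()
    # Constant-time comparison avoids leaking how much of a code matched.
    if hmac.compare_digest(got, pending["alert"].encode()):
        pending["state"] = "fraud"
    elif hmac.compare_digest(got, pending["approve"].encode()):
        pending["state"] = "approved"
    else:
        pending["attempts"] += 1
        if pending["attempts"] < MAX_ATTEMPTS:
            return "rejected"
        pending["state"] = "locked"
    return pending["state"]
```
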

Dispensa noted the flexibility of PhoneFactor's authentication platforms to integrate with a variety of applications and support various use cases, all without custom programming. The platform integrates with Active Directory or an LDAP-based directory, synchronizing its user accounts with those in the enterprise directory. So it integrates with enterprise Single Sign On solutions and can replace other one-time token devices.

PhoneFactor's platforms could also be used as a second authentication device at physical access points, Dispensa said, such as providing a code needed to enter a restricted area.

For users turning to smart phones to transact web business, as long as the voice and data channel are separate, the out-of-band security separation holds, he said.

Strong authentication is one of the themes at RSA this year, with a number of companies presenting new or enhanced solutions for helping enterprises ensure the physical person signing into an earthbound or cloud-based application is who they think it is. Security Squared will especially be looking at how these solutions intersect with and enhance other security systems.


