News, 2/24/2012 04:20 PM
Authentication Via Mobile Phone Enhances Login Security

Usernames and passwords are inadequate for strong authentication. Mobile devices are increasingly popular as a second factor.

Authentication is a basic element of software and service deployment that is commonly taken for granted. Sure, we log in to various sites and applications 20 times a day, but how many of us truly contemplate the importance of secure authentication?

Security admins, that's who. That's because they know that strong identification and authentication form a solid layer within a larger defense-in-depth strategy. Most of us are familiar with single-factor authentication--user name and password--and the use of additional authentication factors is becoming more widespread.

Providing a user name as identification and a password as authentication assumes that knowledge of the password proves the user is who he says he is. Typically, a user registers, or is registered by someone else, and uses an assigned or self-created password. On each successive use, the user must know and use the previously stored password. The weakness in this system is that passwords can often be stolen, revealed, forgotten, or guessed.

To address this weakness, many Internet-facing systems require a second authentication factor, such as a token, digital certificate, or other out-of-band method, in addition to the password. Authentication factors are usually grouped into "something you know" (typically a password), "something you have" (for instance, a token), and "something you are" (probably a biometric). Combining factors makes breaking into an account more difficult than any single factor, unless users try to subvert these measures--for example, by writing their passwords on the back of a token.

An interesting development is SMS-based authentication codes. SMS can be used to send a one-time passcode to a phone. The advantages to using this authentication factor are that the phone is something the user already has and that the passcode travels out of band. Because the user already has a phone, the website doesn't have to purchase tokens and ship them to each new user, and the phone by definition serves as "something you have." This is important because the high cost of provisioning, replacing, revoking, and managing physical tokens has been a barrier to widespread implementation.
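The server side of the SMS one-time-passcode flow described above, written as an added example for this article (it is not code from the article, PhoneFactor, or Trustwave). The SMS gateway is replaced by a constructed callback so the example runs offline, and the policy values (six digits, five-minute lifetime, three attempts) are hypothetical choices for illustration. The points a practitioner cares about are all here: the code comes from a CSPRNG, only a salted hash of it is stored, it expires, it is single-use, a handful of wrong guesses voids it, and the comparison is constant-time.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Hypothetical policy values for this example (not taken from the article).
CODE_DIGITS = 6
CODE_TTL_SECONDS = 300        # a code is valid for five minutes
MAX_ATTEMPTS = 3              # wrong guesses allowed before the code is voided


@dataclass
class PendingCode:
    """Server-side record of one outstanding one-time passcode."""
    code_hash: bytes          # only a salted hash of the code is stored
    salt: bytes
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS
    used: bool = False


class SmsOtpService:
    """Issues and verifies SMS one-time passcodes as a second factor.

    The password check is assumed to have already succeeded; this class
    only handles the "something you have" step. `send_sms` is injected so
    the example runs offline (a constructed stand-in for a real SMS
    gateway), and `clock` is injected so expiry can be exercised.
    """

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms
        self._clock = clock
        self._pending = {}    # username -> PendingCode

    def issue(self, username: str, phone_number: str) -> None:
        # CSPRNG, not random.randint: the code must be unpredictable.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self._pending[username] = PendingCode(
            code_hash=self._hash(code, salt),
            salt=salt,
            expires_at=self._clock() + CODE_TTL_SECONDS,
        )
        # The plaintext code leaves the server only via the out-of-band channel.
        self._send_sms(phone_number, f"Your login code is {code}")

    def verify(self, username: str, submitted: str) -> bool:
        record = self._pending.get(username)
        if record is None or record.used:
            return False
        if self._clock() > record.expires_at:
            del self._pending[username]      # expired: force a fresh code
            return False
        record.attempts_left -= 1
        # Constant-time comparison avoids leaking how many digits matched.
        ok = hmac.compare_digest(self._hash(submitted, record.salt), record.code_hash)
        if ok:
            record.used = True               # single use: a replayed code fails
        elif record.attempts_left <= 0:
            del self._pending[username]      # too many guesses: void the code
        return ok

    @staticmethod
    def _hash(code: str, salt: bytes) -> bytes:
        return hashlib.sha256(salt + code.encode()).digest()


def _other_code(code: str) -> str:
    """A guess that is guaranteed not to equal `code` (for the demo)."""
    return f"{(int(code) + 1) % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


def demo() -> dict:
    """Constructed walk-through: the SMS 'outbox' plays the user's phone."""
    outbox = []
    now = [1_000_000.0]                      # fake clock, advanced by hand
    svc = SmsOtpService(send_sms=lambda to, body: outbox.append((to, body)),
                        clock=lambda: now[0])

    svc.issue("alice", "+15550100")          # constructed phone number
    code = outbox[-1][1].split()[-1]          # what the user reads off the phone
    results = {
        "wrong_guess": svc.verify("alice", _other_code(code)),
        "right_code": svc.verify("alice", code),
        "replay": svc.verify("alice", code),
    }

    svc.issue("alice", "+15550100")           # fresh code, then let it expire
    code2 = outbox[-1][1].split()[-1]
    now[0] += CODE_TTL_SECONDS + 1
    results["expired"] = svc.verify("alice", code2)

    svc.issue("alice", "+15550100")           # fresh code, then exhaust attempts
    code3 = outbox[-1][1].split()[-1]
    for _ in range(MAX_ATTEMPTS):
        svc.verify("alice", _other_code(code3))
    results["locked_out"] = svc.verify("alice", code3)
    return results


if __name__ == "__main__":
    print(demo())
```

Running the module prints the outcome of each step: the first wrong guess fails, the genuine code succeeds once, replaying it fails, an expired code fails, and a code that has absorbed the maximum number of wrong guesses is refused even when the right value is finally entered. In a real deployment the pending records would live in a shared store with the same expiry, and issuance itself would be rate-limited per account and per phone number so the SMS channel cannot be abused as a flood target.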

A pioneer in this field is PhoneFactor. The PhoneFactor system allows users to choose the authentication method they prefer, such as phone call, text message, or smartphone app, all with the same level of out-of-band security and convenience. Additional security features, such as PIN, voice recognition, and transaction verification, can be implemented for particular users or groups. For example, PhoneFactor would send an automated phone call to the user's trusted device, and the user would answer and press '#' or a button to authenticate. The image below shows such a prompt.

Another solution is Trustwave's MyIdentity. Similar to PhoneFactor, a user logs in with their existing user name and password, and the system provides a number of additional authentication options. MyIdentity can be configured to use digital certificates, SMS-based authenticator codes, voice callback, or a smartphone app to supply an additional authentication method. Trustwave MyIdentity offers a free trial.

Security professionals generally agree that a username/password combination is not serious security. Additional factors are a huge improvement, and mobile devices--even simple feature phones--can be the universal device to make authentication stronger.
