Authentication Via Mobile Phone Enhances Login Security - InformationWeek

Authentication Via Mobile Phone Enhances Login Security

Usernames and passwords are inadequate for strong authentication. Mobile devices are increasingly popular as a second factor.

Authentication is a basic element of software and service deployment that is commonly taken for granted. Sure, we log in to various sites and applications 20 times a day, but how many of us truly contemplate the importance of secure authentication?

Security admins, that's who. That's because they know that strong identification and authentication form a solid layer within a larger defense-in-depth strategy. Most of us are familiar with single-factor authentication--user name and password--and systems that add more authentication factors are becoming more widely implemented.

Providing a user name as identification and a password as authentication assumes that knowledge of the password proves the user is who he says he is. Typically, a user registers, or is registered by someone else, and uses an assigned or self-created password. On each successive use, the user must know and use the previously stored password. The weakness in this system is that passwords can often be stolen, revealed, forgotten, or guessed.

To address this weakness, many Internet-facing systems require a second authentication factor, such as a token, digital certificate, or other out-of-band method, in addition to the password. Authentication factors are usually grouped into "something you know" (typically a password), "something you have" (for instance, a token), and "something you are" (probably a biometric). Combining factors makes breaking into an account more difficult than with any single factor, unless users try to subvert these measures--for example, by writing their passwords on the back of a token.

An interesting development is SMS-based authentication codes. SMS can be used to send a one-time passcode to a phone. The advantages to using this authentication factor are that the phone is something the user already has and that the passcode travels out of band. Because the user already has a phone, the website doesn't have to purchase tokens and ship them to each new user, and the phone by definition serves as "something you have." This is important because the high cost of provisioning, replacing, revoking, and managing physical tokens has been a barrier to widespread implementation.
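The server side of the SMS passcode flow described above, as an added example (not code from the article or from any product it names). The `send_sms` gateway callable, the five-minute lifetime, and the three-attempt limit are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed validity window for an issued code
MAX_ATTEMPTS = 3         # assumed guess limit per issued code


class SmsOtpVerifier:
    """Issues and checks SMS one-time passcodes as a second factor."""

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms   # hypothetical SMS gateway: send_sms(phone, text)
        self._clock = clock
        self._pending = {}          # user -> [salt, digest, expiry, attempts_left]

    @staticmethod
    def _digest(salt, code):
        # Store only a salted hash so the pending code is not kept in clear.
        return hashlib.sha256(salt + code.encode()).digest()

    def issue(self, user, phone):
        """Call only after the password (first factor) has been verified."""
        code = f"{secrets.randbelow(10**6):06d}"   # 6 digits from a CSPRNG
        salt = secrets.token_bytes(16)
        self._pending[user] = [salt, self._digest(salt, code),
                               self._clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        self._send_sms(phone, f"Your login code is {code}")

    def verify(self, user, submitted):
        entry = self._pending.get(user)
        if entry is None:
            return False
        salt, digest, expiry, attempts = entry
        if self._clock() > expiry or attempts <= 0:
            del self._pending[user]   # expired or locked out: a new code is required
            return False
        entry[3] = attempts - 1       # count the attempt before comparing
        ok = hmac.compare_digest(digest, self._digest(salt, submitted))
        if ok:
            del self._pending[user]   # single use: a code cannot be replayed
        return ok
```

The expiry, attempt limit, and single-use deletion are what keep a six-digit code from being guessed or replayed; without them the second factor adds little.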

A pioneer in this field is PhoneFactor. The PhoneFactor system allows users to choose the authentication method they prefer, such as phone call, text message, or smartphone app, all with the same level of out-of-band security and convenience. Additional security features, such as PIN, voice recognition, and transaction verification, can be implemented for particular users or groups. For example, PhoneFactor would send an automated phone call to the user's trusted device, and the user would answer and press '#' or a button to authenticate. The image below shows such a prompt.

Another solution is Trustwave's MyIdentity. Similar to PhoneFactor, a user logs in with their existing user name and password, and the system provides a number of additional authentication options. MyIdentity can be configured to use digital certificates, SMS-based authenticator codes, voice callback, or a smartphone app to supply an additional authentication method. Trustwave MyIdentity offers a free trial.

Security professionals generally agree that a username/password combination is not serious security. Additional factors are a huge improvement, and mobile devices--even simple feature phones--can be the universal device to make authentication stronger.
