For decades, organizations have used security tokens to provide added security for sensitive IT resources. Traditionally, these key fobs were small electronic devices attached to a person’s key ring that produced a one-time password used to log in to a high-security system.
Users usually balked at the idea of carrying a bulky security token with them at all times, and IT departments often chose not to adopt the technology because of their objections.
Today, there’s a new game in town that’s bringing multifactor authentication into the mainstream: technology that allows the smartphones that users already carry to serve as a multifactor authentication device.
These solutions are broadly appealing to both end users, who no longer need to carry separate tokens, and security managers, who lower their expenses.
System designers must implement controls designed to ensure that the users of a system are indeed the person they claim to be. There are three possible ways to gain assurance of a user’s identity. These include challenging the user to provide one of the following authentication factors:
In low-security applications, such as access to personal email, one authentication factor is typically sufficient, and in almost every case, password authentication is used. However, high-security applications, such as remote access to corporate networks, often require two authentication mechanisms from two different factors. This process, known as multifactor (or two-factor) authentication, is considered the gold standard of user authentication.
When choosing authentication factors, security administrators must balance cost, user experience and security benefits. One of the most common two-factor authentication approaches is the use of a security token (something the user has) in combination with a password (something the user knows). This, of course, is inconvenient for users, who must then carry security tokens with them.
One solution to this lack of user acceptance is to remove the burden of carrying around an extra device by integrating multifactor authentication technology into something that users already carry: their smartphones. Remember, the goal of a “something you have” factor is only to prove that the user has a device that belongs to him or her. If a phone can be linked to a specific individual, then it can be used to satisfy this factor.
The first way that smartphones are used in multifactor authentication systems is as software replacements for hardware tokens. In this “soft token” approach, the smartphone is loaded with an application that generates authentication tokens, which are then used in the exact same manner as the alphanumeric sequences generated by a hardware token. Soft token devices fall into two different categories:
The second approach to phone-based authentication is the out-of-band method, where the phone itself does not generate the authentication sequence. In this approach, the authentication system generates a security code at the time a user attempts to authenticate and then transmits it to the user’s phone via SMS or voice call.
The benefits of this approach are that it is device-independent and does not require the installation of software on the phone. However, it will not work if the user is unable to receive an SMS or a phone call (due, perhaps, to signal coverage issues). Independent phone-based authentication systems typically offer both soft token and out-of-band capabilities in their products.
The use of smartphones as authentication devices holds great promise for security professionals for three main reasons.
First, they offer a greatly improved user experience, as users no longer need to carry a separate token and can instead authenticate using a familiar device that they carry everywhere. Second, this improved user experience facilitates the widespread adoption of multifactor authentication.
As users become more satisfied with the system, administrators will find it easier to deploy multifactor technology, enhancing the organization’s security posture. Finally, using products that users already possess lowers the total cost of the authentication system by eliminating the requirement to purchase (and maintain!) hardware tokens.
Phone-based authentication is quickly going mainstream. Popular consumer services, including Google, Dropbox and LastPass, already offer phone-based authentication to the general public. If you’re not already investigating its use in your enterprise, you might want to give it a look.