Smartphones Are the New Multifactor Tokens in IT Security
For decades, organizations have used security tokens to provide added security for sensitive IT resources. Traditionally, these key fobs were small electronic devices attached to a person’s key ring that produced a one-time password used to log in to a high-security system.
Users usually balked at the idea of carrying a bulky security token with them at all times, and IT departments often chose not to adopt the technology because of their objections.
Today, there’s a new game in town that’s bringing multifactor authentication into the mainstream: technology that allows the smartphones that users already carry to serve as a multifactor authentication device.
These solutions are broadly appealing to both end users, who no longer need to carry separate tokens, and security managers, who lower their expenses.
Why Use Multifactor Authentication?
System designers must implement controls designed to ensure that the users of a system are indeed the person they claim to be. There are three possible ways to gain assurance of a user’s identity. These include challenging the user to provide one of the following authentication factors:
- Something the user knows. This is the most common method of authentication — asking the user to provide some secret knowledge, such as a password or passphrase, that is known only to the user and the authentication system.
- Something the user is. Biometric authentication techniques measure some physical characteristic of the user. This is typically done through a fingerprint swipe, iris/retina scan or facial recognition process.
- Something the user has. The final authentication technique depends upon the user proving that he or she has physical possession of an object. This is commonly done through the use of authentication tokens. For example, many authentication tokens contain a small LCD screen that displays a changing alphanumeric sequence synchronized to a clock. Both the authentication system and token know the algorithm used to generate the sequence, and when a user provides the correct sequence for a given time, the system can be assured that the user has possession of the token.
In low-security applications, such as access to personal email, one authentication factor is typically sufficient, and in almost every case, password authentication is used. However, high-security applications, such as remote access to corporate networks, often require two authentication mechanisms from two different factors. This process, known as multifactor (or two-factor) authentication, is considered the gold standard of user authentication.
When choosing authentication factors, security administrators must balance cost, user experience and security benefits. One of the most common two-factor authentication approaches is the use of a security token (something the user has) in combination with a password (something the user knows). This, of course, is inconvenient for users, who must then carry security tokens with them.
Bringing Multifactor Authentication to the Smartphone
One solution to this lack of user acceptance is to remove the burden of carrying around an extra device by integrating multifactor authentication technology into something that users already carry: their smartphones. Remember, the goal of a “something you have” factor is only to prove that the user has a device that belongs to him or her. If a phone can be linked to a specific individual, then it can be used to satisfy this factor.
The first way that smartphones are used in multifactor authentication systems is as software replacements for hardware tokens. In this “soft token” approach, the smartphone is loaded with an application that generates authentication tokens, which are then used in the exact same manner as the alphanumeric sequences generated by a hardware token. Soft token devices fall into two different categories:
- Extensions of existing multifactor authentication systems. In this case, the smartphone application is linked to an existing token-based system. Most authentication vendors recognize that phone-based authentication is in high demand and offer phone-based alternatives. Popular products using this approach include RSA SecurID and SafeNet. Organizations that choose this approach often already have a token-based product and wish to slowly phase in a smartphone alternative.
- Independent phone-based authentication systems. These systems offer a phone-only approach and are often less expensive than traditional multifactor products. They appeal to organizations that are either deploying multifactor for the first time or are willing to deploy phone-based authentication as a replacement product. The major vendor in this space is PhoneFactor, which was recently acquired by Microsoft.
The second approach to phone-based authentication is the out-of-band method, where the phone itself does not generate the authentication sequence. In this approach, the authentication system generates a security code at the time a user attempts to authenticate and then transmits it to the user’s phone via SMS or voice call.
The benefits of this approach are that it is device-independent and does not require the installation of software on the phone. However, it will not work if the user is unable to receive an SMS or a phone call (due, perhaps, to signal coverage issues). Independent phone-based authentication systems typically offer both soft token and out-of-band capabilities in their products.
The use of smartphones as authentication devices holds great promise for security professionals for three main reasons.
First, they offer a greatly improved user experience, as users no longer need to carry a separate token and can instead authenticate using a familiar device that they carry everywhere. Second, this improved user experience facilitates the widespread adoption of multifactor authentication.
As users become more satisfied with the system, administrators will find it easier to deploy multifactor technology, enhancing the organization’s security posture. Finally, using products that users already possess lowers the total cost of the authentication system by eliminating the requirement to purchase (and maintain!) hardware tokens.
Phone-based authentication is quickly going mainstream. Popular consumer services, including Google, Dropbox and LastPass, already offer phone-based authentication to the general public. If you’re not already investigating its use in your enterprise, you might want to give it a look.