October 29, 2010

Two-Factor Authentication Using Your Cell Phone

Factors of Authentication

In the world of information security, three factors (or types) of authentication are widely accepted: something you know, something you have, and something you are. Two-factor authentication refers to an authentication system in which you are required to authenticate using at least two different “factors” before being granted access. For example: something you know + something you have, or something you have + something you are.

Something you know: The password

Most web applications rely on a user name or email address and a password for authentication, which represents a single factor of authentication. This has been the primary method of application authentication for the last 10 years. Users can easily remember their email address and password, so it is a very convenient and the most commonly used method of single-factor authentication.

Something you have: The Cell Phone

In exceptionally high-security organizations, employees carry a small device on their key chain with numbers on it, usually referred to as a “hardware token”. Hardware tokens function by displaying an OTP, or “One Time Passcode”, that is synced to a seed algorithm on the server. As time elapses, the token's value changes, so physical possession of the token is required to reliably know the correct OTP. OTP devices are accepted proof of a second factor of authentication: “something you have”.

The upside of using hardware OTP devices is that they provide relatively high assurance, largely because duplicating them would be an enormously difficult effort.

The downside to hardware tokens is the cost of maintaining the system. Tokens cost money to buy from the vendor. Tokens break. Tokens get lost. Tokens have to be distributed. Tokens have to be maintained. Everyone who has ever implemented a hardware token authentication system can tell you that there is a real and significant cost associated with token management, especially around labor-intensive activities like inventory and distribution.

Enter a new option: the cell phone. These days there is almost nothing more common than a cell phone in the enterprise: everyone has one. By using the cell phone as the device to which the OTP is sent, we can eliminate the need for a separate “hardware token”. Companies can focus on policies and eliminate device management activities.

SaaS Example: Using Google Forms

Google offers some tools that can be used to provide two factor authentication to web applications using a cell phone.

Google's tools work something like this:

  1. The user goes to his web-based application, which presents a standard login page.
  2. He enters his email address and password.
  3. The authentication server checks that his email address and password match what's in the database.
  4. The authentication server then generates a value and sends it to the user's cell phone.
  5. Once the user receives the message, he is prompted with a verification code web page.
  6. Once the user has entered the value, the authentication server checks that it is the same unique code that it sent. If the values match, the user is granted access to the web application.
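The six steps above as a server-side sketch in Python, added here as an example and not code from the original post or from Google's tools: it checks the password (step 3), generates the code with the OS CSPRNG and delivers it (step 4), stores only a hash of the code, and accepts it once within a short window with a bounded number of attempts (step 6). The user store, salt, phone number and SMS outbox are constructed stand-ins.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo user store: PBKDF2 password hashes with a per-deployment salt.
_SALT = b"constructed-demo-salt"
_ITER = 100_000
USERS = {"alice@example.com": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, _ITER)}

PENDING = {}            # email -> {"hash", "expires", "attempts"}; codes are never stored in clear
OUTBOX = []             # stand-in for the SMS gateway: (phone, text) pairs
CODE_TTL_SECONDS = 120  # a code is only valid for a short window
MAX_ATTEMPTS = 3        # bounds online guessing of a six-digit code

def _hash_code(code):
    return hashlib.sha256(code.encode()).digest()

def send_sms(phone, text):
    # A real deployment calls the carrier or SMS gateway here.
    OUTBOX.append((phone, text))

def start_login(email, password, phone, now=None):
    """Steps 3 and 4: check the first factor, then generate and deliver a fresh code."""
    now = time.time() if now is None else now
    stored = USERS.get(email)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITER)  # computed even for unknown users
    if stored is None or not hmac.compare_digest(stored, candidate):
        return False
    code = f"{secrets.randbelow(10**6):06d}"  # six digits from the OS CSPRNG, not random.random
    PENDING[email] = {"hash": _hash_code(code), "expires": now + CODE_TTL_SECONDS,
                      "attempts": MAX_ATTEMPTS}
    send_sms(phone, f"Your verification code is {code}")
    return True

def verify_code(email, submitted, now=None):
    """Step 6: accept the code once, within its lifetime, with a bounded number of tries."""
    now = time.time() if now is None else now
    entry = PENDING.get(email)
    if entry is None:
        return False
    if now > entry["expires"] or entry["attempts"] <= 0:
        PENDING.pop(email, None)   # stale or exhausted: a new login is needed for a new code
        return False
    entry["attempts"] -= 1
    if hmac.compare_digest(entry["hash"], _hash_code(submitted)):
        PENDING.pop(email, None)   # single use: a replayed code is rejected
        return True
    return False
```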

Mobile OTP:

For enterprise deployments, consider using MobileOTP. It is open source and easy to set up, and administrators can integrate the solution across network and system devices using the RADIUS protocol. MobileOTP can be configured to take advantage of email, text, and even telephony as delivery mechanisms for the OTP token to virtually any device, including cell phones.