If you have an email system, you can build a password-reset notification by emailing any SMS-capable phone, provided users have registered their mobile numbers and the carriers they use. The harder problem is determining that a user's password is about to expire so that the reminder can be sent at the right time.
Assuming that expiration information can be captured, create a plain-text email of fewer than 160 characters in total in your email client and address it to the user's ten-digit number at the carrier's email-to-SMS gateway domain. The major US carriers use the format 10_digit_number@cell.carrier_domain.com, with a 160-character limit across the subject line and message body combined.
Here are some widely used wireless carrier text message email addresses, as listed when this article was published; carriers merge and rename gateways, so confirm the domain with the carrier before relying on it:
| Carrier | Email-to-SMS address (phonenumber@...) |
|---|---|
| Alltel | @message.alltel.com |
| Cingular/AT&T | @txt.att.net |
| Nextel | @messaging.nextel.com |
| Sprint | @messaging.sprintpcs.com |
| SunCom | @tms.suncom.com |
| T-Mobile | @tmomail.net |
| VoiceStream | @voicestream.net |
| Verizon | @vtext.com |
Remember: The signature block in the message counts toward the 160 characters.
Also, it is not a good idea to design the system so that a password reset is sent by SMS automatically after a series of failed login attempts, because you cannot guarantee that the user's computer and phone are ever separated. If a user loses a laptop bag containing both the laptop and the phone, whoever finds it may try to log in to the user's account. If, after three failed attempts, the bag starts ringing because the phone has just received a message with the new password, the attacker will have no trouble logging in to the machine. Send a reset only when the user explicitly asks for one, never as an automatic reaction to failed logins.
As a final note, SMS password reset systems provide an out-of-band channel for contacting the end user. This is more secure than the in-band methods most organizations use, such as asking a series of security questions whose answers can often be found on the user's Facebook or LinkedIn profile. Because the message passes through your mail system and the carrier's gateway in the clear, send a short-lived, single-use code rather than a permanent new password. SMS resets also depend on the user's phone being able to receive SMS messages, on the user having a usable carrier signal, on the phone being charged and operational, and on the phone being in the user's hands rather than lost along with the workstation. Any of these issues can derail an otherwise effective reset process.
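As an added example (not code from the original article), here is a Python sketch of the flow described above: it turns a registered number and carrier into the gateway address from the table, composes the plain-text email while enforcing the 160-character budget with the signature block included, and issues a short-lived, single-use reset code on an explicit user request rather than a new password. The carrier table is the one listed above; the sender address, the eight-character code, the ten-minute lifetime, the in-memory record layout and the local SMTP relay are assumptions, and the character counting follows the GSM 03.38 rule that characters from the extension table cost two septets.

```python
import hashlib
import hmac
import re
import secrets
import smtplib
import time
from email.message import EmailMessage
from typing import Optional, Tuple

# Email-to-SMS gateway domains as listed in the article (January 2010).
# Confirm them with the carrier before use; gateways change when carriers merge.
SMS_GATEWAYS = {
    "alltel": "message.alltel.com",
    "att": "txt.att.net",            # listed as Cingular/AT&T
    "nextel": "messaging.nextel.com",
    "sprint": "messaging.sprintpcs.com",
    "suncom": "tms.suncom.com",
    "t-mobile": "tmomail.net",
    "voicestream": "voicestream.net",
    "verizon": "vtext.com",
}

SMS_LIMIT = 160                       # subject + body, per the article
GSM_EXTENDED = set("[]{}\\^~|")       # GSM 03.38 extension table: two septets each


def sms_length(text: str) -> int:
    """Count characters the way a GSM-7 handset budgets them.

    Non-ASCII text would switch the message to UCS-2 (70-character segments),
    so it is rejected rather than miscounted.
    """
    if not text.isascii():
        raise ValueError("use plain ASCII so the message fits one GSM-7 SMS")
    return sum(2 if c in GSM_EXTENDED else 1 for c in text)


def gateway_address(phone: str, carrier: str) -> str:
    """Turn a registered number and carrier name into number@gateway."""
    digits = re.sub(r"\D", "", phone)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]           # strip the US country code
    if len(digits) != 10:
        raise ValueError(f"expected a 10-digit US number, got {phone!r}")
    try:
        domain = SMS_GATEWAYS[carrier.lower()]
    except KeyError:
        raise ValueError(f"no gateway registered for carrier {carrier!r}") from None
    return f"{digits}@{domain}"


def build_sms_email(phone: str, carrier: str, subject: str, body: str,
                    signature: str = "",
                    sender: str = "helpdesk@example.com") -> EmailMessage:
    """Compose the plain-text email, refusing anything over the 160-character budget.

    The signature is counted because the client's signature block is part of
    the text the carrier delivers. `sender` is a placeholder address.
    """
    full_body = body + signature
    total = sms_length(subject) + sms_length(full_body)
    if total > SMS_LIMIT:
        raise ValueError(f"message is {total} characters; limit is {SMS_LIMIT}")
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = gateway_address(phone, carrier)
    msg["Subject"] = subject
    msg.set_content(full_body)
    return msg


def issue_reset_code(ttl_seconds: int = 600) -> Tuple[str, dict]:
    """Create a single-use code to send by SMS (assumed design: a code, not a password).

    Only the hash is stored server-side. Call this on an explicit user request,
    never automatically after failed logins (see the laptop-bag scenario above).
    """
    code = secrets.token_hex(4)       # 8 hex characters, short enough for SMS
    record = {
        "hash": hashlib.sha256(code.encode()).hexdigest(),
        "expires": time.time() + ttl_seconds,
        "used": False,
    }
    return code, record


def verify_reset_code(record: dict, presented: str, now: Optional[float] = None) -> bool:
    """Accept the code once, and only before it expires."""
    now = time.time() if now is None else now
    if record["used"] or now > record["expires"]:
        return False
    digest = hashlib.sha256(presented.encode()).hexdigest()
    if not hmac.compare_digest(record["hash"], digest):
        return False
    record["used"] = True
    return True


def reset_message(code: str) -> str:
    """The text sent to the phone; kept short so the signature still fits."""
    return f"Password reset code: {code}. Valid 10 min. Ignore if you did not ask."


def send(msg: EmailMessage, smtp_host: str = "localhost") -> None:
    """Hand the message to the mail system (assumed: an SMTP relay on localhost)."""
    with smtplib.SMTP(smtp_host) as smtp:
        smtp.send_message(msg)


if __name__ == "__main__":
    code, record = issue_reset_code()
    msg = build_sms_email("(555) 123-4567", "Verizon", "IT Helpdesk",
                          reset_message(code), signature="\n-- IT Helpdesk")
    print(msg["To"], sms_length(msg["Subject"]) + sms_length(msg.get_content()))
```

The reset record is the only thing the login system needs to keep; the code itself is never stored, so a copy of the record does not let anyone reset the password, and the `used` flag plus the expiry limit what an intercepted message is worth.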
For more information:
- Learn more about the pros and cons of using SMS for two-factor authentication in your enterprise.
- Read best practices for risk-based multifactor authentication.
This was first published in January 2010
Security Management Strategies for the CIO