Charismathics, a Munich-based security vendor, announced iEnigma, a cool identity-protection iPhone application that turns the device into a two-factor authentication token for access to a nearby laptop or desktop computer.
Starting in April, users will be able to purchase and download the software from Apple's App Store. The application stores the logon credentials on the phone and runs the authentication protocol over the air with client software on the computer, which then grants access to the endpoint. The user must both know the password and possess the iPhone to log on to the endpoint.
Two-factor authentication has long been viewed as more secure than a simple password. The first factor is almost always something the user knows, such as a password or PIN. The second factor is either something the user has, such as a security token or a device holding a secret key, or something the user is, such as a biometric like a fingerprint, voice pattern or typing rhythm. Requiring two independent factors protects networks against an intruder who holds only a stolen password or only a lost key card: with just one factor, the intruder cannot masquerade as a legitimate user.
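To make the "know plus have" argument concrete, here is an added example (not Charismathics' code, and not a description of iEnigma's actual protocol) of a phone acting as the second factor for a laptop logon. The design is assumed: the phone holds a per-device HMAC key enrolled with the endpoint, and the endpoint checks a salted password hash (factor one) plus a single-use challenge-response over that key, bound to the endpoint's identity (factor two). The device names, password and keys are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Set

# Constructed illustration of a phone-as-second-factor logon. The protocol below
# is an assumption for the example, not iEnigma's actual design.


class Phone:
    """Simulates the token app: holds the device key and answers challenges."""

    def __init__(self, device_key: bytes):
        self._key = device_key

    def respond(self, endpoint_id: str, nonce: bytes) -> bytes:
        # Bind the response to the endpoint identity and the fresh nonce, so a
        # response captured for one endpoint or session is useless elsewhere.
        return hmac.new(self._key, endpoint_id.encode() + nonce, hashlib.sha256).digest()


class Endpoint:
    """Simulates the client-side software on the laptop or desktop."""

    def __init__(self, endpoint_id: str, password: str, device_key: bytes):
        self.endpoint_id = endpoint_id
        self._salt = os.urandom(16)
        self._pw_hash = self._hash_password(password, self._salt)
        self._device_key = device_key          # enrolled copy of the phone's key
        self._outstanding: Set[bytes] = set()  # nonces issued but not yet consumed

    @staticmethod
    def _hash_password(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def login(self, password: str, nonce: bytes, response: Optional[bytes]) -> bool:
        # Factor 1: something you know.
        pw_ok = hmac.compare_digest(self._hash_password(password, self._salt), self._pw_hash)
        # Factor 2: something you have. The nonce must be one we issued and still unused.
        if response is None or nonce not in self._outstanding:
            factor2_ok = False
        else:
            self._outstanding.discard(nonce)  # single use, consumed even if the check fails
            expected = hmac.new(self._device_key, self.endpoint_id.encode() + nonce,
                                hashlib.sha256).digest()
            factor2_ok = hmac.compare_digest(expected, response)
        return pw_ok and factor2_ok


def demo() -> Dict[str, bool]:
    """Runs the legitimate logon and four single-factor or replay attempts."""
    key = secrets.token_bytes(32)
    phone = Phone(key)
    laptop = Endpoint("laptop-01", "correct horse", key)
    results: Dict[str, bool] = {}

    # Legitimate user: knows the password and holds the phone.
    n = laptop.challenge()
    results["both_factors"] = laptop.login("correct horse", n, phone.respond("laptop-01", n))
    # Intruder with a stolen password but no phone.
    n = laptop.challenge()
    results["password_only"] = laptop.login("correct horse", n, None)
    # Intruder who found the phone but does not know the password.
    n = laptop.challenge()
    results["phone_only"] = laptop.login("guess", n, phone.respond("laptop-01", n))
    # Intruder replaying a sniffed response for a nonce that was already consumed.
    n = laptop.challenge()
    r = phone.respond("laptop-01", n)
    laptop.login("correct horse", n, r)
    results["replay"] = laptop.login("correct horse", n, r)
    # Intruder relaying a response the phone produced for a different endpoint.
    n = laptop.challenge()
    results["wrong_endpoint"] = laptop.login("correct horse", n, phone.respond("desktop-02", n))
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'granted' if ok else 'denied'}")
```

Only the first attempt is granted; the other four are denied because one factor is missing, the nonce was already spent, or the response was computed for another endpoint.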
Two-factor authentication does have its drawbacks in user acceptance and operational costs. Users don't like having to carry security tokens or suffer the indignity of being fingerprinted when signing on to the network. Organizations don't like the extra costs of tokens, servers and operational expenses for IT service desk support. While turning a cell phone into a security token was first done at least 10 years ago, Charismathics has some interesting concepts in its approach:
- Self-service reduces IT overhead. End users are responsible for online purchase and installation of the software. IT only has to verify presence of the software and be prepared for help desk calls.
- User acceptance is increased since smartphones are becoming ubiquitous. Security measures that are not invasive to the end user are more readily accepted. Embedding two-factor authentication in a mobile phone means the user does not have to drag around a separate security device. Other vendors offer soft tokens that use the laptop itself as the second "something you have" factor, or USB sticks that travel with the laptop; note that a second factor stored on the machine being logged into is only as independent of the first as that machine is from an attacker who has compromised it.
- Wireless connectivity reduces the cost of readers. iEnigma uses WiFi to talk with the endpoint software. Technology that uses WiFi or Bluetooth not only eliminates the need for extra devices such as fingerprint scanners or smartcard readers, but is also convenient for end users. If car keys enabled with Bluetooth let the driver start the car without fumbling through pockets or purses, such proximity capability may become more common with computers. The convenience holds up only if each over-the-air exchange is bound to the specific endpoint and session, so that a replayed or relayed exchange does not grant access.
Smartphones are essentially portable computers with secure storage and over-the-air communications. It can be challenging for IT to standardize on a single two-factor authentication technique across employees, contractors, suppliers and customers. In such cases it may be practical to offer a small menu of approaches, such as cell phones for the sales force, hard tokens for home PCs and keystroke biometrics for browser-based users. Two-factor authentication is a good thing, especially if IT can avoid a one-size-fits-all approach.
Eric Ogren is founder and principal analyst of the Ogren Group, which provides industry analyst services for vendors focusing on virtualization and security. Prior to founding the Ogren Group, Eric served as a security industry analyst for the Yankee Group and ESG. Ogren has also served as vice president of marketing at security startups Okena, Sequation and Tizor. He can be reached by sending an email to firstname.lastname@example.org.