
SMS two-factor authentication for electronic identity verification

Tokens are no longer the only choice when it comes to OTPs and electronic identity verification. Learn about new two-factor authentication options involving SMS and mobile phones.

The tokens are costly for large populations of users and hard to manage for users outside the organization, like customers and contract workers. This is because in order to use these devices, companies are required to first purchase the hardware tokens, put in place processes for provisioning them, educate users on their physical protection and usage, and manage the problem of careless users losing their devices.

But recently there has been an innovation in two-factor authentication that alleviates these problems: tokenless two-factor authentication (T2FA). T2FA doesn't use a dedicated hardware device to deliver one-time passcodes, but instead uses an alternative out-of-band device that the user owns and is already familiar with; it could be the user's standard mobile phone, home phone, fax machine, netbook or laptop, PDA, smartphone or any number of other communication devices.

Getting started with tokenless two-factor authentication

To provision T2FA services, users are first required to enroll in the service, which can be done through, at minimum, a self-service application or Web-facing portal. The user starts the enrollment process by entering his or her personal information and any additional data forwarded to him or her by the T2FA service administrator, which is needed for registration. Upon confirmed identification of the user, the organization can then verify whether the user requires strong authentication based on his or her role, or the information he or she wishes to access.

If the user needs strong authentication services, the application will then ask the user to enter the details of his or her preferred communication channel, such as the mobile phone number, so that passcodes can be sent to that device. Since T2FA systems don't require users to install any software onto their devices, strong authentication through T2FA is compatible with a multitude of end-user devices and saves the business the cost of administration, user education and technical support.

After successful completion of the registration process, a one-time passcode will be automatically sent to each user's preferred device -- through SMS, telephony Interactive Voice Response (IVR), fax or email services in real-time -- whenever the user authenticates with a username/password. The organization can also choose the option of pre-sending the one-time passcode to the user's device to resolve any problems of network latency resulting in SMS delays or loss of network coverage; for example, if the user will be working in an area of a building where mobile signals don't penetrate. Upon receipt, the user then enters this passcode into the system authentication service for identity verification. This allows the company to use strong credentials to verify the user's identity through a device owned and operated by the end user, not the company.
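As an added illustration (not code from the article or from any vendor it names), the following minimal server-side passcode service implements the flow just described: a passcode is generated and pushed over the user's preferred out-of-band channel once the username/password step succeeds, or pre-sent ahead of time with a longer validity window, and verification enforces expiry, a guess limit and single use. The class name, the policy constants and the `send_fn` delivery hook are assumptions.

```python
import hmac
import secrets
import time

CODE_LEN = 6
TTL_SECONDS = 300           # assumed policy: a passcode sent at login time lives five minutes
PRESEND_TTL_SECONDS = 3600  # assumed policy: a pre-sent passcode may wait an hour for the login
MAX_ATTEMPTS = 3            # assumed policy: invalidate the passcode after three wrong guesses


class PasscodeService:
    """Hypothetical server-side store of outstanding passcodes, keyed by username."""

    def __init__(self, send_fn, clock=time.time):
        self.send_fn = send_fn   # out-of-band delivery hook (SMS/IVR/fax/email gateway)
        self.clock = clock       # injectable clock so expiry can be exercised offline
        self.pending = {}        # username -> [code, expires_at, attempts_left]

    def _issue(self, username, channel_address, ttl):
        # Codes come from a CSPRNG; a fresh issue replaces any passcode still outstanding.
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LEN))
        self.pending[username] = [code, self.clock() + ttl, MAX_ATTEMPTS]
        self.send_fn(channel_address, code)   # the code leaves the server only via the channel

    def send_on_login(self, username, channel_address):
        """Normal flow: username/password already passed, so push a short-lived passcode now."""
        self._issue(username, channel_address, TTL_SECONDS)

    def presend(self, username, channel_address):
        """Pre-send flow for poor coverage or SMS latency: deliver the next passcode early."""
        self._issue(username, channel_address, PRESEND_TTL_SECONDS)

    def verify(self, username, submitted):
        """Second-factor check: True only for an unexpired, unconsumed, correct passcode."""
        rec = self.pending.get(username)
        if rec is None:
            return False                          # nothing outstanding for this user
        code, expires_at, _ = rec
        if self.clock() > expires_at:
            del self.pending[username]            # expired: user must request a new passcode
            return False
        if not hmac.compare_digest(code, submitted):
            rec[2] -= 1                           # count the failed guess
            if rec[2] <= 0:
                del self.pending[username]        # guess limit hit: invalidate the passcode
            return False
        del self.pending[username]                # correct: consume it so it cannot be replayed
        return True
```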

Two-factor authentication vs. tokenless two-factor authentication

So does this mean that 2FA is going the way of the dinosaur? Not at all. There's room for both protection mechanisms in an organization. But the decision about who uses which mechanism should be determined by the role the user plays in the organization and his or her access requirements. For frequent users who need access to different applications and portals that require strong identity verification -- employees such as IT administrators and systems engineers, full-time remote workers, traveling employees, business people, medical professionals and others -- waiting to receive passcodes through their device may be too cumbersome or time consuming. But for occasional users, like contractors, customers, or a worker who unexpectedly may be working from home due to an emergency or bad weather, T2FA is the better choice.

There's also an additional scenario that crosses the boundaries of frequent and occasional users: This is the case of workers using virtual terminal services. "Terminal services" is Microsoft's implementation of thin-client terminal server computing in which applications, or the entire desktop of a computer, are made accessible to a remote client machine. Other options include Citrix Systems Inc.'s GoToMyPC and Symantec Corp.'s pcAnywhere. These services are becoming more popular as companies contract third parties to remotely develop and/or maintain applications, servers and network devices for them, especially in off-shore development centers where providing dedicated secure connections and workstations can be expensive. Due to the power associated with terminal services, and the fact that, once authenticated, the users generally have access to sensitive internal applications and data, securing these with strong authentication services is highly recommended. By using T2FA, remote workers only need a telephone that can receive an SMS message as they log onto the terminal services to ensure they're authorized to access internal company resources.

So what are the issues with T2FA? Well, when phones and PDAs are used, T2FA services are only as good as each mobile device's network coverage. In addition, in order to receive the passcode, the device, like a mobile phone, must be charged and operational. Also, not all services on mobile phones are free. Frequent users can quickly run up SMS charges for requesting passcodes on a mobile phone or PDA. Since the company doesn't manage the end user's device, it must also create applications or services that allow the user's preferred communication channel to be changed, sometimes on the fly, especially when the user doesn't have access to his or her normal device. Organizations must also keep in mind that phones, one-time password devices, etc. are not only used within the organization's four walls, but also go with the users to their homes, shopping malls, the beach, etc. Because of the potential for loss, organizations must also create and communicate processes for loss reporting and transfer of services for these devices.

So while there are challenges to deploying T2FA, the ability to mix both 2FA and T2FA within an organization means that strong authentication requirements can be tailored to meet specific needs, budgets and working patterns. For those organizations that don't have the skills or infrastructure to support one or both of these strong authentication methods, vendors such as Signafy Inc., Positive Networks Inc. and Authentify Inc. also offer them as hosted services. Using a cloud-based service means that organizations can reap the benefits of both options and choose the right authentication based on specific users' needs. But ultimately, besides reducing the costs and time associated with managing hardware tokens, demand for T2FA should increase as the demand for innovative business models requires federated workers and facilities to have the ability to work remotely.

About the author:
Randall Gamby is an enterprise security architect for a Fortune 500 insurance and finance company who has worked in the security industry for more than 20 years. He specializes in security/identity management strategies, methodologies and architectures.


This was last published in April 2010
