– David Hald, co-founder and chief relation officer, SMS PASSCODE, says:
The term “designer” once meant that you were purchasing a product of high quality that had been thoughtfully created by a professional artisan. People coveted these products for that reason, and they had a reputation of luxury and durability. These days, the term is used almost indiscriminately as retailers try to capitalize on the trend, resulting in lower-quality products that tarnish the word “designer” and render it almost meaningless. Yet the term is still attractive: the global designer handbag market garnered over $1 billion last year.
Likewise, the term “multifactor authentication” does not mean the same thing to all people. A one-size-fits-all approach to choosing a multifactor authentication strategy for your organization is not useful, because significant differentiators exist within the market that can make one offering a better fit than another, depending on your organization’s needs. Security, timeliness of delivery and ease of use are all factors that determine the experience a user will have and whether their personal data is protected.
Things to Consider
The key element when choosing among mobile-based multifactor authentication approaches is the level of security. In particular, be wary of pre-issued passcodes. Many authentication platforms operate similarly to token-based technologies, with pre-issued one-time passcodes derived from a seed file. If codes are pre-issued, they are vulnerable to phishing, unauthorized use and seed-file theft. This is not just a theoretical risk: when it happens, it requires replacing millions of hardware tokens. If the authentication code is defined before the login, it can be stolen and used for another login, since the code isn’t linked to a specific session. This means that the system’s security can be significantly compromised and the code exploited through phishing.
Another security differentiator to consider is whether the model is challenge- and session-based.
Being challenge-based creates the basis for organizations to set up systems that make employee remote logins even more secure. With this approach, a code is generated only after the login session has been created. By waiting to generate the code until after the session is created, instead of relying on a pre-set bank of existing codes, the authentication system can see which computer workstation the login request is coming from. A code is then created and linked to the computer so the code can only be used from the same machine from which the request was originally initiated. If for any reason the code is intercepted, it cannot be used on any other device. This helps protect against even more sophisticated attacks.
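The session-bound behaviour described above, as an added illustration that is not SMS PASSCODE’s code and is not taken from the article: the code is generated only after a login session exists, is tied by an HMAC to that session and to a fingerprint of the requesting client, expires after a short window and is single-use. The names (`SessionBoundOtp`, `client_fingerprint`), the server key and the fingerprint inputs are assumptions for the example; a real gateway would use whatever session and device attributes it actually has.

```python
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 60      # a code not used within a minute of issue is discarded
MAX_ATTEMPTS = 3          # bounds online guessing of a 6-digit code per session


def client_fingerprint(source_ip: str, user_agent: str) -> str:
    """Stand-in for 'which workstation the login request came from' (hypothetical;
    a real deployment would use the attributes its access gateway exposes)."""
    return hashlib.sha256(f"{source_ip}|{user_agent}".encode()).hexdigest()


class SessionBoundOtp:
    """Challenge/session-based OTP issuance: the code is created only once a
    login session exists and is valid only for that session and client."""

    def __init__(self, server_key: bytes, now=time.time):
        self._key = server_key
        self._now = now          # injectable clock so expiry is testable
        self._pending = {}       # session_id -> {"tag", "expires", "attempts"}

    def _tag(self, session_id: str, fingerprint: str, code: str) -> bytes:
        # HMAC over (session, client, code): a code presented from another session
        # or another machine produces a different tag and never matches.
        msg = f"{session_id}|{fingerprint}|{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def start_login(self, session_id: str, fingerprint: str) -> str:
        """Called after the login session has been created. Returns the code to
        send out of band (e.g. by SMS); nothing is pre-computed from a seed file."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[session_id] = {
            "tag": self._tag(session_id, fingerprint, code),
            "expires": self._now() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def verify(self, session_id: str, fingerprint: str, code: str) -> bool:
        entry = self._pending.get(session_id)
        if entry is None:
            return False                       # unknown session: nothing to match
        if self._now() > entry["expires"]:
            del self._pending[session_id]      # stale challenge
            return False
        entry["attempts"] += 1
        ok = hmac.compare_digest(entry["tag"], self._tag(session_id, fingerprint, code))
        if ok or entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[session_id]      # single use; lock after repeated misses
        return ok


if __name__ == "__main__":
    # Constructed sample: a login from one workstation, the code replayed from another.
    svc = SessionBoundOtp(server_key=secrets.token_bytes(32))
    fp_home = client_fingerprint("203.0.113.10", "Mozilla/5.0")
    fp_other = client_fingerprint("198.51.100.7", "Mozilla/5.0")
    code = svc.start_login("sess-1", fp_home)
    print("from other machine:", svc.verify("sess-1", fp_other, code))   # False
    print("from original machine:", svc.verify("sess-1", fp_home, code))  # True
    print("replay:", svc.verify("sess-1", fp_home, code))                 # False
```

The fingerprint is deliberately coarse; its job is only to make an intercepted code worthless from anywhere other than the session and device that triggered it, while the TTL and attempt cap keep a slow SMS from turning into an open-ended guessing window.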
Having a mobile authentication app may seem hip and cool, but as an authentication mechanism, the coolness of the mobile app will quickly fade once an organization starts deploying it in the real world. Making sure an app is successfully deployed to everyone in an organization won’t be hassle-free, and ensuring that everyone is using the most up-to-date version won’t be, either. If an organization opts for an approach that requires user-deployed software, then it drastically increases user dependency, since the success of the implementation relies on all users having the software deployed and up-to-date. In addition, the technology relies on all users having a smartphone, which isn’t always the case. The mobile app (unless it uses a basic soft token) also requires a data connection to work, which can be impractical and expensive to use for employees while traveling.
When deploying a multifactor authentication platform that uses SMS to deliver the one-time passcode (OTP), another consideration is whether the SMS reliably arrives on time. Users are waiting to log into critical business applications remotely and cannot proceed until the code arrives. There is a huge difference between an SMS arriving within 10 seconds and one arriving after two minutes. Some authentication providers claim that SMS delivery is not reliable enough and, as a result, encourage the use of pre-issued codes. However, this lowers the level of security significantly, because the OTP cannot be generated in real time, making it a gamble. The ideal balance is an approach that is real-time, challenge- and session-based, while also ensuring that real-time-generated passcodes are received reliably and in a timely manner.
It’s also important to consider the level of adaptive support. A best practice is to take advantage of contextual information, such as login behavior patterns, geo-location and the type of login system being accessed. This provides powerful benefits for the organization in terms of added user convenience. The model allows the level of security to be configured to adjust based on where the user is, what time they are logging in and what network they are logging in from. For example, if the user is logging in from a trusted location—such as the comfort of the user’s home—where he or she has logged in from before, then he or she will not be prompted for an OTP to authenticate. On the other hand, if the user is attempting to log in while traveling (e.g. from an airport lounge or hotel with public Wi-Fi), then an OTP is mandatory to gain access.
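One way to express that adaptive rule set, as an added example rather than anything from the article or from SMS PASSCODE: a policy object that learns the (country, network) pairs a user has completed a verified login from, treats configured corporate ranges as trusted, and requires an OTP for unfamiliar networks, logins outside business hours, or sensitive targets. The `LoginContext` fields, the trusted ranges, the business-hours window and the geo-IP country are all assumptions of the example; the IP addresses are constructed from documentation ranges.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginContext:
    user: str
    source_ip: str
    country: str      # assumed to come from a geo-IP lookup done by the gateway
    hour_local: int   # hour of day in the user's local time, 0-23
    target: str       # which login system is being accessed, e.g. "webmail" or "vpn-admin"


def _locality(ip):
    """Coarse network a login came from: /24 for IPv4, /64 for IPv6. Lets 'a place
    the user has logged in from before' survive small address changes at home."""
    prefix = 24 if ip.version == 4 else 64
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


class AdaptivePolicy:
    """Decides whether a login needs an OTP from its context (example policy)."""

    def __init__(self, trusted_networks, sensitive_targets, business_hours=(7, 20)):
        self._trusted = [ipaddress.ip_network(n) for n in trusted_networks]
        self._sensitive = set(sensitive_targets)
        self._hours = business_hours
        self._known = {}   # user -> set of (country, network) seen on OTP-verified logins

    def record_success(self, ctx: LoginContext) -> None:
        """Call only after a fully verified login (password AND OTP). Learning from
        password-only logins would let whoever holds a stolen password teach the
        policy to trust their own location."""
        ip = ipaddress.ip_address(ctx.source_ip)
        self._known.setdefault(ctx.user, set()).add((ctx.country, _locality(ip)))

    def requires_otp(self, ctx: LoginContext):
        """Return (otp_required, reasons). Malformed context fails closed."""
        reasons = []
        try:
            ip = ipaddress.ip_address(ctx.source_ip)
        except ValueError:
            return True, ["unparseable source address"]
        if ctx.target in self._sensitive:
            reasons.append("sensitive target")
        on_trusted_net = any(ip in net for net in self._trusted)
        seen_before = (ctx.country, _locality(ip)) in self._known.get(ctx.user, set())
        if not (on_trusted_net or seen_before):
            reasons.append("unfamiliar network")
        start, end = self._hours
        if not (start <= ctx.hour_local < end):
            reasons.append("outside business hours")
        return bool(reasons), reasons


if __name__ == "__main__":
    # Constructed scenario: home office after a first verified login, then a hotel.
    policy = AdaptivePolicy(trusted_networks=["10.0.0.0/8"], sensitive_targets={"vpn-admin"})
    home = LoginContext("alice", "203.0.113.25", "DK", 9, "webmail")
    print("first login from home:", policy.requires_otp(home))    # OTP required
    policy.record_success(home)
    print("later login from home:", policy.requires_otp(home))    # no OTP
    hotel = LoginContext("alice", "198.51.100.9", "US", 23, "webmail")
    print("hotel Wi-Fi at night:", policy.requires_otp(hotel))    # OTP required
```

Returning the reasons alongside the decision is worth the extra tuple: it is what ends up in the authentication log, and it lets an analyst see why a particular login was stepped up or waved through.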
Look Behind the Label
Just as not all “designer” products are created equal, neither are all multifactor authentication offerings. There are many variables within the market that can determine the success or failure of a security platform. Pre-set passcodes and mobile authentication apps can’t offer the security and ease of use that customers need. OTPs need to arrive in a timely manner, and context-based adaptive support adds convenience as well. If organizations hope to outwit security threats and protect user data, they need to look behind the multifactor authentication label to understand what a provider is really offering.
About the Author
David Hald is a founding member of SMS PASSCODE A/S, where he acts as a liaison and a promoter of the award-winning SMS PASSCODE multifactor authentication solutions. Prior to founding SMS PASSCODE A/S, he was a co-founder and CEO of Conecto A/S, a leading consulting company in the area of mobile and security solutions, with special emphasis on Citrix, BlackBerry and other advanced mobile solutions. At Conecto A/S, David worked on strategic and tactical implementation in many large IT projects. David has also been CTO of companies funded by Teknologisk Innovation and Vækstfonden. Prior to founding Conecto, he worked as a software developer and project manager, and headed his own software consulting company. David has a technical background from the Computer Science Institute of Copenhagen University (DIKU).