Tokenless Two-Factor Authentication: It Finally Adds Up

Tokenless Two-Factor
Authentication:
It Finally Adds Up
Steve DispensaChief Technology Officer PhoneFactor, Inc.
PhoneFactor, Inc.7301 West 129th StreetOverland Park, KS 662131-877-668-6536www.phonefactor.comWhite Paper
Tokenless Two-Factor Authentication: It Finally Adds UpFor most companies, information security is a top priority. Demand for protecting data and employee confidentiality is only continuing to grow, especially in industries that require a regulatory-compliant environment. However, applying user names and passwords for authentication is insuf-ficient. While two-factor authentication is an effective security solution, traditional token-based systems have been difficult to implement and administer, leading to limited adoption.
PhoneFactor uses any mobile phone (or traditional phone) as the second authentication factor. Users do not need to carry an additional device, and there are no expensive tokens to manage. During login, PhoneFac-tor makes a call to the user's phone, confirming the authentication. This second factor - the possession of the phone itself - adds a significant ad-ditional layer of security. PhoneFactor can be set up in hours without the purchase of any hardware. This paper discusses the technical architecture of PhoneFactor, along with related security and deployment considerations. It also includes an overview of other currently available two-factor authen-tication solutions.
Contents Introduction 3
PhoneFactor Overview 4
PhoneFactor Implementation Details 5
PhoneFactor Web SDK 7
PhoneFactor Implementation Security Considerations 7
PhoneFactor as a Two-Factor Authentication System 8
Comparisons With Other Systems 9
Conclusion 11
2 ©2008 PhoneFactor, Inc. www.phonefactor.com . info@phonefactor.com . Toll-free: 1.877.No.Token(877.668.6538)White Paper
IntroductionAuthentication, which is the process by which a computer system positively identifies a user, is commonly considered to be one of the weakest links in modern computer security systems. Every day a new story emerges about an identity theft or a computer break-in due to stolen credentials. With the proliferation of network-based and online applications, the trend is only go-ing to continue. Unfortunately, the dominant authentication system in pro-duction today is based on user names and passwords. This relatively weak system is subject to a number of flaws, including notoriously poor user password choices, password harvesting via keylogging software, phishing and man-in-the-middle attacks, and others.
The most common solution to these authentication problems is to use a two-factor authentication system. Two-factor authentication works by requiring both something the user has and something the user knows, as opposed to just something known (typically a password). The "something you have" is usually a piece of hardware that is impossible (or at least very difficult) to duplicate, and the "something you know" is typically a pass-word or PIN. Two-factor authentication systems are secure because it is very difficult to obtain both factors. Even if an attacker manages to learn the user's password, it is useless without also having physical possession of the device. Conversely, if the user happens to lose the physical device, the finder of that device won't be able to use it unless he or she can also guess the user's password.
Security professionals have deployed various two-factor solutions, but no solution has widely displaced traditional user name and password authen-tication. The industry has seen enterprise deployments of token-based systems from vendors such as RSA® and VeriSign®, smartcard-based solutions, and various forms of biometric authentication. Each solution has significant drawbacks, historically leading to limited adoption by users. For online consumer logins, such as banking and financial websites, these limiting factors have dramatically limited two-factor deployments. These websites have instead opted to deploy security questions and image identi-fication as an additional layer of security.
PhoneFactor provides a strong, two-factor authentication service without the drawbacks. It uses the public telephone network for the second authentica-tion factor, which allows PhoneFactor to be deployed rapidly and inexpensively while maintaining the advantages of a two-fac... [download for more]