Tokenless® Two Factor Authentication

Authenticating with two factors (2FA), without the need of a hardware token

Passwords aren’t strong enough to protect your data from the other 3 billion users online. 2FA provides the strength of security needed to protect you. Leveraging something the user already has allows a seamless and cost-effective Tokenless® two-factor authentication solution to be implemented.

Mobile phone based tokenless® two-factor authentication for remote access

  • On premise software or hosted via managed provider
  • Use your phone or device as the authenticator
  • Easiest 2FA logon experience in the industry
  • Automatically deploy users via LDAP group membership
  • Deployment can scale to 100,000 users per hour
  • Fixed yearly cost, pay per user, with no hidden extras
  • Putting the user in control, migrate your own phones/devices.
  • Halve your cost of traditional hardware token alternatives
  • Reutilize existing AD (LDAP) database.
  • Widest variety of tokenless types

100% successful SMS passcode delivery

Other delivery options

  • Real Time SMS Passcodes sent on-demand and session locked
  • Passcodes can be sent via secure email
  • Customized Soft Token Apps
  • Voice Call with passcodes entered in the phone’s keypad to session lock the voice network with the Internet

SMS Preload

SMS Real Time

SMS Three Codes

SMS Periodic

Soft Token for Smart Phones

Soft Token for Laptops (Microsoft / Mac)

Voice Call

Email Preload

Email Real Time

Email Three Codes

Email Periodic

Comparing the security of hardware tokens with SecurEnvoy

SMS Security

With a broad enterprise-class offering, INETWORKS provides premium hosting services and support recognized by industry experts as among the best in the industry. Our services are leveraged by organizations from Fortune 1000 companies to the leaders in Web 2.0 and federal agencies.

Intercepting SMS with a trojan

Could a text message be intercepted with a malicious trojan inadvertently installed on a phone? Phones such as iPhone and BlackBerry rely on “App Stores” that only publish trusted software that has been checked to be virus free and that require the originator’s identity to be confirmed, making it impossible for a hacker to install trojan software or to remain anonymous. In 2011 Google Android removed a number of malicious apps from its app store and is set to follow Apple’s lead. Almost all other phones will prompt you with a warning message if personal information such as the SMS store or GPS location is requested by an application or trojan. In addition, the wide diversity of phone models, operating system types and message storage techniques means that trojan software would have to be adapted hundreds of times to cover all eventualities. Then, when a phone vendor subsequently issues a security update, the cybercriminal would be back to square one.

Not convinced SMS is for you

If you still don’t trust SMS, please bear in mind you can still opt to use SecurEnvoy Time Soft Tokens on iPhones, BlackBerrys, Android and, by the end of 2011, laptops. These soft tokens have no external APIs and no reliance on SMS, as they are isolated software versions of time sync tokens, with the added security benefit that seed records are created at enrolment within your own server and can automatically resynchronize to any time zone in the world.

Hardware token security

In March 2011 RSA Security was hacked, compromising up to 40 million tokens which RSA have agreed to replace. This breach uncovered a fundamental security issue with pre-programmed manufacturer’s security processes. SecurEnvoy do not hold token records, as all required keys are created within the customer’s own security server when a user is enabled.

Code visibility

A hardware token may change its number every 60 seconds or when a button is pressed, but if you have access to the token you have a valid number that can be used for a successful authentication. This is the same as an SMS message on a mobile phone, with the difference that the SMS system only needs to change its number after every authentication rather than every 60 seconds. However, a mobile phone provides additional protection in that you will need to power it on, enter a PIN unlock code (in most cases) and search through various locations to find the relevant SMS message.

Managing lost or compromised tokens / phones

Both tokens and SecurEnvoy solutions can be disabled from the server end once the device has been reported missing. The question is which device would be reported missing first: a piece of plastic that is only used for remote access and that the user has been forced to carry, or their mobile phone, which is very personal to them and frequently used? Consider a member of your staff going on holiday and having their token stolen at the airport. They are unlikely to miss this token until they next need to use it, which could be many weeks or months. However, if their phone is stolen they will realize this within hours and, more importantly, will make the effort to report it missing to prevent escalating costs.

First factor options (PIN)

Most hardware token vendors typically require the use of a 4-8 digit PIN that never changes. SecurEnvoy supports either a 4 to 8 digit PIN or reusing an existing domain password. Most customers prefer to use their domain password as their PIN. In most cases this is their Windows Password, which is usually 6-8 characters, alpha-numeric and changes every 30 days. Not only is this Password easier for the user to remember, it is more secure than a static 4-digit PIN that may not have changed in years.

Conclusion

From a security perspective, the hardware device in a Two-Factor authentication solution should be kept with the user at all times to keep it safe. A plastic token, which the user is forced to own and may only be used for occasional remote access connections, will not be kept as secure as a mobile phone. Users are more likely to protect their phone and, importantly, will report it missing if stolen. If for any reason someone manages to retrieve a passcode from a user’s phone, they will still need to know the other factor, a PIN or Windows Password, to log on. The hacker will only get one attempt at getting the PIN/Password correct, at which point the system will generate a new passcode message, alerting the real user to an illegal logon attempt, whereas with a token the user would never know if someone had tried to use one of the codes. Finally, many users leave their tokens in their laptop bag, which is very much like gluing your car keys to your car, as opposed to a mobile phone, which is almost certainly kept close to the user and separate from their laptop.
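
The one-attempt behaviour described above, modelled as an added example (this is not SecurEnvoy's code): a server-side account that retires its preloaded passcode after every logon attempt and sends a fresh one. The class name, the `send_sms` callback, the sample PIN and the 6-digit passcode length are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class PreloadPasscodeAccount:
    """Constructed model of one user's preloaded-passcode state."""

    def __init__(self, pin, send_sms):
        self._salt = secrets.token_bytes(16)
        self._pin_hash = self._hash_pin(pin)
        self._send_sms = send_sms  # hypothetical delivery callback
        self._passcode = None
        self._issue_passcode()  # first code is preloaded at enrolment

    def _hash_pin(self, pin):
        # Store only a salted, stretched hash of the first factor.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    def _issue_passcode(self):
        # Draw from the OS CSPRNG and never reissue the code just retired.
        new = self._passcode
        while new == self._passcode:
            new = f"{secrets.randbelow(10**6):06d}"
        self._passcode = new
        self._send_sms(new)

    def authenticate(self, pin, passcode):
        # Evaluate both factors in constant time before deciding.
        pin_ok = hmac.compare_digest(self._hash_pin(pin), self._pin_hash)
        code_ok = hmac.compare_digest(passcode.encode(), self._passcode.encode())
        # Rotate on every attempt, pass or fail: a failed guess burns the
        # code it used, and the new SMS tells the owner someone tried.
        self._issue_passcode()
        return pin_ok and code_ok


def demo():
    inbox = []  # stands in for the user's phone
    acct = PreloadPasscodeAccount("Winter2011!", inbox.append)
    seen_code = inbox[-1]  # someone reads the preloaded code off the phone
    wrong_pin = acct.authenticate("guess", seen_code)
    owner_alerted = len(inbox) == 2  # unexpected second SMS arrived
    replay = acct.authenticate("Winter2011!", seen_code)  # code already retired
    owner = acct.authenticate("Winter2011!", inbox[-1])
    return wrong_pin, owner_alerted, replay, owner
```

`demo()` walks through the scenario in the paragraph: a viewed passcode with a wrong PIN fails, the owner receives an unexpected new message, and the viewed passcode no longer works even with the correct PIN.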
