Frequently Asked Questions
Q: Which SMS gateways do you support?
You can send SMS messages via a connected Wavecom or Siemens GSM modem, or via an Internet SMS gateway provider; see SMS Gateways for more information.
Q: Should the one time passcode be sent in real time as I am authenticating?
No. Sending the passcode on demand, at the moment the user is authenticating, is fundamentally flawed because of the following problems:
- SMS delivery is delayed. Although most SMS text messages are transmitted in seconds, it is common for them to be delayed when networks become congested. SMS traffic is not sent point to point: it is queued, then sent on to the required network cell, where it is queued again before finally being delivered to the end user's phone. This queuing causes delays at peak operator periods; Vodafone's own sales literature claims that 96% of all SMS messages are delivered within 20 seconds. Taken at face value, that means up to 4% of users trying to authenticate within such a window would fail and would need to raise a help desk call to gain emergency access. For a deployment of 5000 users authenticating each day, that would be 200 help desk calls per day.
- Signal dead spots. Mobile phone signals are not always available, particularly in buildings with thick outer walls, in underground basements, or in computer rooms that give off high RF noise. Consider a user trying to authenticate in one of these locations. They would first enter their UserID and PIN and then fail to receive their authentication code. They would next need to move to a location that has a signal, receive the code, move back to the original location and enter the passcode, all within a timeout period of 2 minutes. Users in these locations would have no alternative but to raise help desk calls to gain emergency access.
- The mobile phone is being used to connect to the Internet. In most cases, when a mobile phone has a data connection open it cannot receive SMS messages. Users who connect to the Internet through their mobile phone would not receive their passcode until they hang up the data connection. They would need to start authenticating with their UserID and PIN, hang up the connection, wait for the SMS message, reconnect and re-enter their UserID, PIN and passcode, all within 2 minutes.
SecurAccess does not require on-demand SMS messages. The end user first enters their UserID, then enters their Windows password with their 6 digit passcode appended. That passcode is already stored on their mobile phone, because it was sent to them when they last authenticated. Pre-loading the next required passcode each time a user authenticates resolves all the issues relating to SMS delays, short term signal loss and data connectivity. It eliminates problems with SMS delivery delays because an end user typically does not need their next passcode until the next working day; that is more than adequate time for any SMS delay, and gives the end user plenty of opportunity to pass through a location with signal, for example when commuting to or from work. SecurEnvoy also supports sending 3 valid passcodes within each SMS message, allowing up to 3 authentications before the next SMS message has to be received.
Q: What is the difference between a One Time Code and a Day Code?
In "One Time" mode the entered passcode can only be used once, in exactly the same way as with token vendors such as RSA. A new one time code is sent to the user after every authentication attempt, good or bad. Any attempt to replay the entered code will fail, as the authenticated passcode is locked and can only be entered once. This mode is ideal for remote users on "malicious" systems, home PCs, or in view of the public when authenticating. These users are only authenticating to a VPN, which uses a session key, so they would typically authenticate once or twice a day at most. On average, remote access users authenticate twice per week, and some may authenticate once per month or less. Note that these users would not be authenticating their local PC's screen lock, as that may be a third party system or a home PC.
In "Day Code" mode a reusable passcode is sent each day (or every N days, for example every week). This code can be reused for that day or the following day, so exposure to a replay attack is limited to two days, which is significantly stronger than a 30 day password (weekends can be skipped). If the user does not use a day code it has never been typed into any system, so it cannot have been captured at the point of entry; a replacement day code is therefore only sent if the previous one was used. This mode is ideal for in-house desktop users who authenticate many times a day, as it requires only one SMS passcode per day, or fewer if the user is on holiday and not using their day code. In short, you can tailor the risk, ease of use and SMS cost to suit each user's requirements and environment.
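The pre-loaded flow described in the last two answers, and the behaviour on a deleted SMS, a bad logon and a lockout, is easier to reason about as code. The following is an added example written for this page, not SecurEnvoy's code: a toy authentication server in Python that models "One Time" mode (including 3 codes per SMS), "Day Code" mode with its following-day grace window, re-sending on a bad logon, and lockout. The class names, the lockout threshold of 3, the grace-day rule for day codes and the in-memory SMS outbox are all assumptions made for illustration; the real product's internals are not on this page.

```python
import datetime as dt
import secrets
from dataclasses import dataclass, field

CODE_LEN = 6
MAX_BAD_LOGONS = 3   # assumed lockout threshold; the real product makes this configurable


def new_code() -> str:
    # Random 6-digit passcode from a CSPRNG, never derived from the previous one.
    return "".join(secrets.choice("0123456789") for _ in range(CODE_LEN))


@dataclass
class User:
    user_id: str
    password: str
    mode: str                                   # "one_time" or "day_code"
    codes_per_sms: int = 1                      # up to 3 one-time codes per SMS
    day_code_days: int = 1                      # reuse period of a day code (1..99)
    codes: list = field(default_factory=list)   # [(code, issued_date), ...]
    used: set = field(default_factory=set)      # day codes that have been typed somewhere
    bad_logons: int = 0
    locked: bool = False


class Server:
    def __init__(self) -> None:
        self.users: dict = {}
        self.outbox: list = []   # constructed stand-in for the SMS gateway: (user_id, text)

    def enrol(self, user: User, today: dt.date) -> None:
        self.users[user.user_id] = user
        self._send_codes(user, today, replace=True)   # first passcode pre-loaded at enrolment

    def _send_codes(self, user: User, today: dt.date, replace: bool) -> None:
        n = user.codes_per_sms if user.mode == "one_time" else 1
        fresh = [(new_code(), today) for _ in range(n)]
        user.codes = fresh if replace else user.codes + fresh
        self.outbox.append((user.user_id, "Passcode(s): " + " ".join(c for c, _ in fresh)))

    def _code_valid(self, user: User, code: str, today: dt.date) -> bool:
        # Day codes are accepted for their period plus the following day (assumed grace day).
        for c, issued in user.codes:
            if c == code and (user.mode == "one_time" or
                              issued <= today <= issued + dt.timedelta(days=user.day_code_days)):
                return True
        return False

    def login(self, user_id: str, typed: str, today: dt.date) -> bool:
        """`typed` is the Windows password with the 6-digit passcode appended."""
        user = self.users.get(user_id)
        if user is None or user.locked:
            return False
        password, code = typed[:-CODE_LEN], typed[-CODE_LEN:]
        if password == user.password and self._code_valid(user, code, today):
            user.bad_logons = 0
            if user.mode == "one_time":
                user.codes = [(c, d) for c, d in user.codes if c != code]  # cannot be replayed
                if not user.codes:
                    self._send_codes(user, today, replace=True)   # pre-load the next batch
            else:
                user.used.add(code)
            return True
        user.bad_logons += 1
        if user.bad_logons >= MAX_BAD_LOGONS:
            user.locked = True
        else:   # re-send: for the real owner this SMS is also the alert that their ID was tried
            self._send_codes(user, today, replace=True)
        return False

    def daily_job(self, today: dt.date) -> None:
        """Run once a day: a new day code goes only to users whose current one was used."""
        for user in self.users.values():
            if user.mode != "day_code" or user.locked:
                continue
            code, issued = user.codes[-1]
            if today >= issued + dt.timedelta(days=user.day_code_days):
                if code in user.used:
                    self._send_codes(user, today, replace=False)  # old code keeps its grace day
                else:
                    user.codes[-1] = (code, today)   # never typed anywhere: keep it, send nothing
            user.codes = [(c, d) for c, d in user.codes
                          if today <= d + dt.timedelta(days=user.day_code_days)]


def demo() -> dict:
    """Walk the FAQ scenarios with constructed users; returns what happened, for checking."""
    d0 = dt.date(2024, 1, 8)
    d1, d2 = d0 + dt.timedelta(days=1), d0 + dt.timedelta(days=2)
    srv = Server()
    alice = User("alice", "Winter!", "one_time", codes_per_sms=3)
    bob, carol = User("bob", "Summer!", "day_code"), User("carol", "Autumn!", "day_code")
    for u in (alice, bob, carol):
        srv.enrol(u, d0)
    out, n0 = {}, len(srv.outbox)
    codes = [c for c, _ in alice.codes]
    for c in codes:                                     # three logons from one SMS
        srv.login("alice", "Winter!" + c, d0)
    out["three_logons_one_sms"] = len(srv.outbox) == n0 + 1
    out["replay_rejected"] = not srv.login("alice", "Winter!" + codes[0], d0)
    out["alert_sms_after_bad_logon"] = len(srv.outbox) == n0 + 2
    srv.login("alice", "Winter!", d0)                   # SMS deleted: logon with no passcode
    out["resend_after_deleted_sms"] = len(srv.outbox) == n0 + 3
    srv.login("alice", "wrong-pw000000", d0)            # third consecutive bad logon
    out["locked_after_bad_logons"] = alice.locked
    bcode = bob.codes[0][0]
    out["day_code_reused"] = srv.login("bob", "Summer!" + bcode, d0) and srv.login("bob", "Summer!" + bcode, d0)
    srv.daily_job(d1)
    out["day_code_ok_following_day"] = srv.login("bob", "Summer!" + bcode, d1)
    srv.daily_job(d2)
    out["day_code_dead_after_grace"] = not srv.login("bob", "Summer!" + bcode, d2)
    out["unused_day_code_still_works"] = srv.login("carol", "Autumn!" + carol.codes[0][0], d2)
    out["unused_day_code_not_resent"] = sum(1 for u, _ in srv.outbox if u == "carol") == 1
    return out
```

Running demo() shows the properties the FAQ relies on: the one-time user gets one SMS for three logons and a replayed code is refused; the bad logon (here, a replay and a logon with the SMS deleted) re-sends a code, which is what makes an unexpected SMS a warning to the real owner; Bob's day code works on the day it was issued and the following day but not after; and Carol, who never used her day code, is never sent another one yet can still log on with the code she has.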
Q: Some of my users do not have mobile phones; how can I use this solution?
These users may not have a company-supplied phone, but they almost certainly have their own mobile phone: statistics suggest there are nearly twice as many live handsets as people in the UK. Even if they have no personal mobile phone, SecurAccess can still send a passcode to a landline telephone or to a DDI number behind a PBX.
Q: What if end users do not want to use their personal mobile phone?
The question is why they do not want to use their own phones. You will not be putting any software on their phone; you will simply be sending them an SMS message, which costs the end user nothing. In some cases it is simply that they do not want to receive phone calls from other employees. Personal mobile numbers are stored encrypted so that only the SecurEnvoy administrators can read them, which prevents other staff from calling them. Which is more inconvenient for the user: using up pocket space for a token, or using a little message storage on their mobile phone?
Q: How good is GSM phone coverage?
The GSM system consists of over 860 networks in 220 countries and territories. Coverage maps can be found at: http://www.gsmworld.com/roaming/gsminfo/index.shtml
Q: Where I live has bad or no GSM coverage; how do you manage this?
If you frequent a place with intermittent coverage, you can use the day code option, which allows a passcode to be reused for between 1 and 99 days. Because SecurEnvoy pre-loads passcodes, the user will always have a working code on their phone. Alternatively, the security server can be configured to send 3 one time codes within each SMS message. Finally, SecurAccess can send a passcode to a landline telephone or to a DDI number behind a PBX.
Q: How does the server send the SMS messages?
There are two options. The first is a Wavecom outbound-only commercial strength GSM modem. This lets the client use the contract they have already negotiated with their mobile telecom carrier: the carrier may offer a package where calls (and SMS) between the company's phones are free, or include a significant number of minutes and SMS per month in the contract. Using this method the client can run the service for almost nothing. Alternatively, a single-user contract from most leading providers typically includes 3000 SMS for around £20 per month. The second option is to sign up with one of the Web SMS gateways. This is basically an HTTPS connection to the Web SMS gateway, and the provider then sends the messages for you. This option is faster and more scalable than the GSM modem option, but can be more expensive.
Q: How well does the SecurEnvoy server scale?
Very well. SecurEnvoy scales directly with Active Directory, which is its database, so the question is really "how well does your existing AD scale?". Microsoft has spent much time and money perfecting replication between domain controllers, and SecurEnvoy benefits from that replication because it integrates directly with AD, or with other LDAP servers such as eDirectory.
Q: What happens if the user deletes the SMS?
Simply enter your username and complete the logon process without the passcode. The system will treat this as a bad logon and send a new passcode. This works as long as you have not exceeded the configured number of consecutive failed logons; otherwise the account will be disabled.
Q: How do I know what passcode to use?
When you are enabled on the system your first passcode is sent automatically; pre-loading the codes caters for any delay in SMS delivery. After each authentication a new passcode is sent, and on most mobile phones this new code overwrites the old one, so only one code is visible on the phone.
Q: How do I know if a hacker is trying to guess my login details?
If a hacker tries a guessed logon with your correct UserID, you will receive the next required passcode. Receiving this SMS message when you did not just log on acts as an alert that someone is trying to break into your account.
Q: What integration does SecurEnvoy have with RAS and NAS type network devices?
SecurEnvoy has implemented a RADIUS server, so any application that supports basic password RADIUS authentication is supported. In addition, SecurEnvoy has integration guides for the majority of common SSL VPN, IPsec VPN and dial up vendors. Web based applications hosted on the Microsoft IIS web server, for example OWA and Citrix, can be authenticated via the SecurEnvoy IIS Agent.
Q: Do you have any reference sites or case studies?
There are multiple case studies on our web site, covering various market verticals.
Q: What is the background of the SecurEnvoy founder?
Mr Kemshall is one of the leading European experts in two factor authentication. As co-founder of SecurEnvoy, Mr Kemshall is the inventor of the next generation of tokenless authentication systems. He was one of the original technical staff of RSA Europe, with employee number 0005. He spent 8 years with RSA, predominantly in customer-facing roles, during which he directly engaged with over 500 key accounts for RSA Security. "It was clear to me that the authentication market is crying out for a tokenless mobile phone based solution, as most customers resented the cost of deploying and replacing hardware tokens. Token technology is now over 20 years old," comments Mr Kemshall.
Q: I've deleted my passcode from my phone, what do I do?
Simply enter your username and complete the logon process without the passcode. The system will treat this as a bad logon and send a new passcode. This works as long as you have not exceeded the configured number of bad logons; otherwise the account will be locked.
Q: I have no signal in some areas of the office; how do I receive a passcode?
Pre-loading the passcodes before you require them allows plenty of time to receive your passcode while you have a signal. Alternatively you can use day codes, which allow a single code to be used for a set number of days, or the security server can be configured to send 3 one time codes within each SMS message.
Q: How do I upgrade from a trial license to a live license?
This is very simple: start the Admin GUI, select the "Config" menu and paste the new live license key into the field marked License. If you plan to use a Web SMS Gateway, run "Advanced Config", skip to Web SMS Gateway and enter the UserID and password allocated to you by your chosen Web SMS Gateway company.
Q: How do I set up multiple SecurEnvoy Security Servers for redundancy?
Multiple security servers must share the same security encryption key (config.db). Each time you install a new copy of the security server you are asked "Is this the first server or an additional server?" If you select additional, you are then prompted to upload the config.db file from the first server. Because config.db carries the encryption key, copy it between servers over a trusted channel and restrict access to the file on every server, as you would any other key material.
Q: Phone Gateway1 fails to initialise?
1. Check that the Wavecom modem has a flashing red LED. If the LED is not flashing, check the power and the SIM.
2. Stop the SecurEnvoy Phone Gateway1 service, then open Microsoft HyperTerminal (Start/Programs/Accessories/Communications) on the COM port the modem is connected to. Change the COM port and baud rate as required to get a connection; the Wavecom default is 9600 baud, 8 data bits, no parity, 1 stop bit (8N1). Enter ATI; you should get "WAVECOM MODEM".
3. Check the signal strength: in HyperTerminal enter AT+CSQ. You should get a reply such as +CSQ: 22,0, where 22 is a number between 0 and 31 indicating the signal strength (higher is stronger). A value of 99 means the modem cannot detect a signal at all.
4. Remove the SIM from the Wavecom and place it in a normal GSM phone. Check that the SIM can send SMS messages to international numbers.
5. Check the settings in the registry under HKLM\SOFTWARE\SecurEnvoy\Phone Gateway1. Restart SecurEnvoy Phone Gateway1 after any changes.
6. Check that no other program is using the serial COM port before starting the SecurEnvoy Phone Gateway1 service.
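Steps 2 and 3 above are manual HyperTerminal checks; on a server that is repeatedly losing its modem it helps to script them. The following Python is an added example for this page, not SecurEnvoy's code. parse_csq() decodes the AT+CSQ reply using the mapping defined in 3GPP TS 27.007 (RSSI 0 is -113 dBm or less, 31 is -51 dBm or more, 2 dB per step, 99 is "not known or not detectable"); the verdict thresholds are an assumed rule of thumb, not a Wavecom specification. probe_modem() talks to the modem over the third-party pyserial package and assumes the port name COM1; the parser itself runs without pyserial.

```python
import re

CSQ_RE = re.compile(r"\+CSQ:\s*(\d+),(\d+)")


def parse_csq(reply: str) -> dict:
    """Decode a '+CSQ: <rssi>,<ber>' reply into dBm plus a plain-language verdict."""
    m = CSQ_RE.search(reply)
    if not m:
        raise ValueError(f"no +CSQ response in {reply!r}")
    rssi, ber = int(m.group(1)), int(m.group(2))
    if rssi == 99:                      # 3GPP TS 27.007: not known or not detectable
        return {"rssi": 99, "ber": ber, "dbm": None, "verdict": "no signal detected"}
    dbm = -113 + 2 * rssi               # 0 -> -113 dBm ... 31 -> -51 dBm
    if rssi < 10:                       # assumed thresholds (rule of thumb, not a spec)
        verdict = "marginal: expect slow or failed SMS sends"
    elif rssi < 15:
        verdict = "acceptable"
    else:
        verdict = "good"
    return {"rssi": rssi, "ber": ber, "dbm": dbm, "verdict": verdict}


def check_identity(reply: str) -> bool:
    """Step 2 of the FAQ: the ATI reply should identify a Wavecom modem."""
    return "WAVECOM" in reply.upper()


def probe_modem(port: str = "COM1", baud: int = 9600) -> dict:
    """Run ATI and AT+CSQ against a live modem. Requires: pip install pyserial.
    Stop the Phone Gateway1 service first; only one program can hold the COM port."""
    import serial   # third-party; imported here so parse_csq() works without it

    # 8N1 is the Wavecom default quoted in the FAQ.
    with serial.Serial(port, baud, bytesize=8, parity="N", stopbits=1, timeout=2) as ser:
        def at(cmd: str) -> str:
            ser.write((cmd + "\r").encode("ascii"))
            return ser.read(256).decode("ascii", "replace")

        ident = at("ATI")
        if not check_identity(ident):
            raise RuntimeError(f"unexpected ATI reply {ident!r}: check cable, COM port and baud rate")
        return parse_csq(at("AT+CSQ"))


if __name__ == "__main__":
    # Constructed sample replies, as a modem would return them, for offline use.
    print(parse_csq("+CSQ: 22,0\r\nOK\r\n"))   # rssi 22 = -69 dBm, good
    print(parse_csq("+CSQ: 99,99\r\nOK\r\n"))  # no signal: move the antenna or check the SIM
```

A 99 from AT+CSQ with a valid ATI reply points at the antenna, the SIM or the cell site rather than the serial link, which separates step 1 and 4 problems from step 2 and 6 problems before anyone opens the registry.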
Q: My SecurEnvoy Radius Server fails with "Error Opening Local Port". How do I fix this?
Check that no other program is using the RADIUS port (UDP 1812). Stop the SecurEnvoy Radius service and wait 60 seconds. In a CMD window run "netstat -a -p UDP" (adding -n -o also shows the owning process ID). You should NOT see a line "UDP xxxx:radius *:*", where xxxx is the system name. If you do, Microsoft's Internet Authentication Service (IAS) may be installed; on some Windows versions a Microsoft bug causes IAS to keep the RADIUS port even when it is stopped or uninstalled. It is recommended that the default ports in IAS are changed, thus releasing the RADIUS port.
Q: If I use IE7 for local administration, start help and then exit the help window, why am I prompted to re-authenticate?
This is a known bug in Microsoft IE7: the session cookies are deleted when you close a second window. At present no Microsoft fix exists, but the following workaround generally resolves the problem. In IE7 go to Tools/Internet Options/General/Browsing History Settings and select "Every time I visit the webpage".
Q: Why does local administration re-authenticate on every page?
Both IE6 and IE7 fail to return the authentication cookie if there is an underscore (_) in the host name. Rename the host or use Firefox as the default browser.
Q: Do you support 64 bit OS servers?
Yes, both the server and the IIS agent support 64 bit operating systems.
Q: Do you support Windows Server 2008 R2?
Yes, from version 5.2 onwards we support both Windows Server 2008 and Windows Server 2008 R2, on both 32 bit and 64 bit systems.