You can send SMS messages via a connected WaveCom or Siemens modem or via an Internet SMS gateway provider, see SMS Gateways for more information.
This approach is fundamentally flawed because of the following problems:
The SecurAccess product does not require on-demand SMS messages.
The end user first enters their UserID, then enters their windows
password and appends their 6 digit passcode that is already stored
on their mobile phone as it was sent to them when they last
authenticated. An approach that pre-loads the next required passcode
each time a user authenticates resolves all the issues relating to
SMS delays or short term signal loss and data connectivity.
This technique eliminates any problems with SMS delivery delays as typically an end user does not require their next passcode until the next working day. This length of time is more that adequate to allow for any SMS delays and gives plenty of time for the end user to move to a location that has a signal for example when they commute to or from their place of work. SecurEnvoy also support sending 3 valid passcodes within each SMS passcode. This technique allows for up to 3 valid authentications before requiring the next SMS message to be received.
In "One Time" mode, the entered passcode can only be used once in exactly the same way as token companies such as RSA. A new one time code is send to the user after every authentication attempt, good or bad. Any attempt to replay the entered code will fail as the authenticated passcode is locked and can only be entered once. This mode of operation is ideal for remote users on "malicious" systems, home PC or in view of the public when authenticating. These users are only authenticating to a VPN which uses a session key so would typically only authenticate once or twice a day at the most. On average remote access users authenticate twice per week as some users may only authenticate once per month or less. Note that these users would not be authenticating their local PC's screen lock as it maybe a third party system or home PC. In "Day Code" Mode, a reusable passcode is send each day (or any number of days for example every week), this code can be reused for that day or the following day so the risk of replay attack is limited to two days which is significantly stronger that a 30 day password (weekends can be skipped). If the user does not use a day code it isn't known publicly and therefore cannot have been intercepted so a replacement day code is only send if previously used. This mode of operation is ideal for in-house desktop users that authenticate many times a day as it only requires one SMS passcode per day or less if the user is on holiday and not using their day code. So basically you can tailor the risk, ease of user and cost of SMS to suite each user's requirement depending on their environment.
These users may not have a company supplied phones, but they almost certainly have their own mobile phones as statistics say that there are nearly twice as many live handsets as people in the UK. Even if they don't have a personal mobile phone, SecurAccess can still send a passcode to a landline telephone or even a DDI number behind a PBX.
The question is why dont they want to use their own phones? You will not be putting any software on their phone. You will simply be sending them an SMS message which will not cost the end user anything. In some cases its simply that they don't want to receive phone calls from other employees. Personal mobile number are stored encrypted so that only the SecurEnvoy administrators can read it which prevents other staff trying to call it. What is more inconvenient to the user, using up pocket space for a token or using virtual space on their mobile phone?
GSM network consists of over 860 networks in 220 countries/areas of the world. Coverage Maps can be found at: http://www.gsmworld.com/roaming/gsminfo/index.shtml
If you frequent a place that has intermittent coverage, it is possible to utilise the day code option within the software. This means that a passcode can be reused for between 1 and 99 days. Being that SecurEnvoy works on pre-loaded methodology the user will always have a working code on their phone. Alternatively the security server can be configured to send 3 one time codes with-in each SMS message. Finally it is possible for SecurAccess to send a passcode to a landline telephone or DDI number behind a PBX.
There are two options on how to send the SMS messages. First option is to use a Wavecom outbound only commercial strength GSM modem. This option allows the client to utilise their existing contract they have negotiated with there mobile telecom carrier. The telecom carrier may offer either a package where inter-calls (and SMS) between the companies phone are free, or they have a significant number of minutes and SMS per month included in the contract. Using this method the client can almost run the service for nothing. Alternatively they can pick up a single user contract with most leading providers that typically includes 3000 SMS for around £20 per month. The second option is to sign up with one of the Web SMS gateways. This is basically a HTTPS connection to the Web SMS gateway, and the provider then sends the messages for you. This option is faster and more scalable than the GSM modem option, but can be more expensive.
This answer is very well. SecurEnvoy scales directly with Active Directory as this is it's database, therefore the question should be "how well can your existing AD scale?". Microsoft have spent much time and money perfecting the replication between domain controller servers. SecurEnvoy benefit from this replication as it directly integrates with AD or other LDAP servers such as eDirectory.
Simply enter your username and complete the logon process without the passcode, the system will see this as a bad logon and send a new passcode. This will work as long as you have not gone passed the set number of concurrent failed logons, otherwise the account will be disabled.
When you are enabled upon the system, your first passcode will be automatically sent, pre-loading the codes caters for any delay with the SMS delivery. after authentication a new passcode will be sent, this new code on most mobile phones, will overwrite the old one. Therefore only one code will be seen on the mobile phone.
If a hacker tries a guessed login with your correct UserID then you will receive the next required passcode. Receiving this SMS message will act as an alert to you that someone is trying to brake into your account.
SecurEnvoy have implemented a Radius server therefore we can support any application that supports basic password RADIUS authentication. In addtion SecurEnvoy have integration guides for the majority of common SSL/VPN, IPsec VPN and dial up vendors. Web based applications hosted on Microsoft IIS web server for example OWA and Citrix can be authenticated via the SecurEnvoy IIS Agent.
There are multiple case studies on our web site, these cover various market verticals.
Mr Kemshall is one of the leading European experts in Two-Factor authentication. As the co-founder of SecurEnvoy Mr Kemshall is the inventor of the next generation of Tokenless® authentication systems. He was one of the original technical staff of RSA Europe with an employee number of 0005. He spent 8 years with RSA predominantly customer focused. Over this time he directly engaged with over 500 key accounts for RSA Security. "It was clear to me that the authentication market is crying out for a Tokenless® mobile phone based solution as most customers resented the cost of deploying and replacing hardware tokens. Token technology is now over 25 years old." Comments Mr Kemshall.
Simply enter your username and complete the logon process without the passcode, the system will see this a a bad logon and send a new passcode. This will work as long as you have not gone passed the set number of bad logons, otherwise the account will be locked.
By pre-loading the passcodes before you require them, allows plenty of time to receive your passcode when there is a signal. Alternatively you can use day codes, which allows a single code to be used for a set number of days or the security server can be configured to send 3 one time codes with-in each SMS message.
This is very simple, Start the Admin GUI and select the menu "config" then paste the new live license key into the field marked License. If you plan to use a Web SMS Gateway then run "Advanced Config" skip to Web SMS Gateway and enter a valid UserID and Password that was allocated to you from your choosen Web SMS Gateway company.
Multiple security servers must share the same security encryption key (config.db) Each time you install a new copy of the security server you will be prompted with the question "Is this the first server or any additional server?" If you select additional you will then be prompted to upload the config.db file from the first server.
- 1. Check that the Wavecom Modem has a flashing red LED If the LED isn't flashing, check the power and SIM.
- Stop the SecurEnvoy Phone Gateway1 service Open Microsoft's Hyperterm (Start/Programs/Accessories/Communications) Open the Com port that the modem is connected to.Change com port, baudrate, as required to get a connection. Note Wavecom defaults to 9600 8 No Stop Bits 1. Enter ATI you should get "WAVECOM MODEM"
- Check signal strength, start Hyperterm.Enter AT+CSQ you should get +CSQ: 22,0 where 22 is a number between 0 and 31 that defines the signal strength.
- Remove the SIM from the Wavecom and place in a normal GSM phone. Check the SIM can send SMS messages to International Numbers.
- Check the Setting in the Registry
Restart SecurEnvoy Phone Gateway1 after changes
- Check that no other program is using the serial COM port before starting the SecurEnvoy Phone Gateway1 Service
Check that no other program is using the Radius port (1812).Stop the SecurEnvoy Radius Service and wait 60 seconds. In a CMD window run "netstat -a -p UDP" You should NOT see the line "UDP xxxx:radius *:*" where xxxx is the system name. If you do it may be that Microsoft's Internet Authentication Manager (IAM) is Installed, if so on some window versionsthere is a Microsoft bug that causes IAM to still use the Radius port even when stopped or uninstalled! If is recommended that the default ports in IAM are changed thus releasing the Radius port.
Q: If I use IE7 for local administration, start help and then exit the help window, why am I prompted to re-authenticate?
This is an known bug with Microsoft IE7. The session cookies are getting deleted when you close a 2nd window. At the moment no Microsoft fix exists. However the following workaround generally resolves this problem. Change your IE7 settings in Tools/Internet Options/General/Browser History Settings to "Everytime I visit the web page".
Yes, in version 5.2 and above, we support both windows 2008 and windows 2008R2 on both 32bit and 64bit systems.
using the power of
tokenless two factor
deliver emails securely
See how much you could save by going Tokenless: