Authenticating with two factors, without the need of a hardware token
The first attempt to use a mobile phone as a token was tried in 1994 by RSA Security where the required one time passcode was sent via SMS after the users PIN (the first factor) was confirmed. This approach had some success however issues with SMS delivery delays or signal loss prevented its adoption as a business grade authentication solution, limiting its use to occasional authentication or as backup to a hardware token.
In 2003 SecurEnvoy created a new approach were pre-loading the next required one time passcode occurs every time the user authenticates ensuring that a passcode is always available on the phone when needed. In addition day or multiple day codes could be sent at fixed times. These patented innovation moved tokenless up to a business grade service by delivering the required 99% expected reliability, opening the way forward for tokenless authentication to replace hardware tokens.
An alternative way of using mobile phones is via software deployed on the phone that creates the one time code in the same way that a hardware token functions. This method is commonly referred to as a soft token. The downside of this method is the reduced number of mobile phones that can support this software and the increased administration required to install both the software and the unique key (seed record).
Comparing the Security of Hardware Tokens with SecurEnvoy
GSM uses an encryption algorithm called A5. In Dec 2010 A5/1 used by 2G connections was shown to be compromised by Karsten Nohl. A security patch came out almost immediately to fix this vulnerability. 3G and 4G connections have never been compromised to date.
Intercepting SMS with a Trojan
Could a text message be intercepted with a malicious trojan inadvertently installed on a phone? Phones such as iPhone and Blackberry rely on "App Stores" that only publish trusted software that has been checked to be virus free and ensures that the originators identity must be confirmed, making it impossible for a hacker to install trojan software or to remain anonymous. In 2011 Google Android removed a number of malicious apps from its app store and it set to follow Apple's lead. For all other phones, almost all of them will prompt you with a warning message if personal information such as SMS store or GPS locations is requested by an application or trojan. In addition, the wide diversity of phone models, operating system types and message storage techniques require that trojan software would have to be adapted hundreds of times to cover all eventualities. Then when a phone vendor subsequently issues a security update the cybercriminal would be back to square one.
Not convinced SMS is for you
If you still don't trust SMS please bear in mind you can still opt to use SecurEnvoy Time Soft Tokens on iPhones, Blackberry's, Android and by the end of 2011, laptops. These soft tokens have no external APIs and no reliance on SMS as they are isolated software versions of time sync tokens, with the added security benefit that seed records are created at enrolment within your own server and can automatically resynchronise to any time zone in the world.
Hardware Token Security
In March 2011 RSA Security was hacked, compromising up to 40 million tokens which RSA have agreed to replace. This breach uncovered a fundamental security issue with pre-programmed tokens being reliant on the manufacturer's security processes. SecurEnvoy do not hold token records as all required keys are created within the customers own security server when a user is enabled.
A hardware token may change its number every 60 seconds or when a button is pressed but if you have access to the token you have a valid number that can be used for a successful authentication. This is the same as an SMS message on a mobile phone with the difference that the SMS system only needs to change its number after every authentication rather than every 60 seconds. However, a mobile phone provides additional protection in that you will need to power it on, enter a PIN unlock code (in most cases) and search through various locations to find the relevant SMS message.
Managing Lost or Compromised Tokens / Phones
Both tokens and SecurEnvoy solutions can be disabled from the server end once the device has been reported missing. The question is which device would be reported missing first, a piece of plastic that is only used for remote access and the user has been forced to carry or their mobile phone that is very personal to them and frequently used. Consider a member of your staff going on holiday and having their token stolen at the airport. They are unlikely to miss this token until they next need to use it which could be many weeks or months. However if their phone is stolen they will realise this within hours and more importantly will make the effort to report it missing to prevent escalating costs.
First Factor Options (PIN)
Most hardware token vendors typically require the use of a 4-8 digit PIN that never changes. SecurEnvoy supports either a 4 to 8 digit PIN or reusing an existing domain password. Most customers prefer to use their domain password as their PIN. In most cases this is their Windows Password, which is usually 6-8 characters, alpha-numeric and changes every 30 days. Not only is this Password easier for the user to remember, it is more secure than a static 4-digit PIN that may not have changed in years.
Mobile phones may appear less physically secure than hardware tokens however hacking personal information on a phone is a highly risky strategy for the hacker as they will face a prison sentence when found. From a security perspective, the hardware device in a Two-Factor authentication solution should be kept with the user at all times to keep it safe. A plastic token, which the user is forced to own and may only be used for occasional remote access connections will not be kept as secure as a mobile phone. Users are more likely to protect their phone and importantly will report it missing if stolen.
If for any reason someone manages to retrieve a passcode from a user's phone they will still need to know the other factor, a PIN or Windows Password to logon. The hacker will only get one attempt at getting the PIN/Password correct at which point the system will generate a new passcode message alerting the real user to an illegal logon attempt, whereas with a token the user would never know if someone had tried to use one of the codes.
Finally, many users leave their tokens in their laptop bag which is very much like gluing your car keys to your car, as opposed to a mobile phone which is almost certainly kept close to the user and separate from their laptop.