Authenticating Millions, Part 2
Continuing from last week: some banks and other financial institutions issue hardware tokens that generate single-use passwords for two-factor authentication. Hardware is expensive, and people lose it, so some companies are looking for better ways to authenticate users.
Diversinet Corporation took inventory: what hardware do people carry almost constantly? Cell phones. How about using cell phones to generate single-use passwords?
Success meant developing two things: a soft token that runs on phones, and a backend service bureau (remember ASPs?) to manage token distribution and life cycle. Diversinet built a service that handles the phone side but lets a company keep the authentication supplier it already has: the company sticks with its known authentication provider, and Diversinet handles the new part, the cell phone interface.
And "new" is the operative word. The phones must have enough smarts to run an application and configure themselves for the service. PDAs get into the mix as well, depending on the model. Some older phones can instead receive their six-digit one-time passwords over SMS, though that is a weaker arrangement: the code then travels across the carrier's network as a text message rather than being generated on the handset itself.
How does this work? Simplistically, the user who wants access brings up the one-time password application on their phone, which displays a six-digit password. They type that password into their computer and get access. Or they read the password over the phone to the company that requires authentication, much like the Deutsche Bank case study for CryptoCard referenced last week. The company's authentication server checks that the one-time password matches the one it expects for that token, and the banker then knows the caller holds the phone to which that token was issued.
Soft tokens for computers and even PDAs aren't new, but ones for cell phones are. Diversinet has the lead now, but others will catch up sooner or later (probably sooner).
Costs for a million or two customers, according to Diversinet, should be only two or three dollars per user per year. That doesn't include the backend authentication at the company, just the logistics of putting soft tokens on cell phones.
Yes, the password-generating application can be password-protected, but I'm dubious. People don't password-protect their laptops, and they certainly won't protect their cell phones. But a verbal password, plus the one-time password from Diversinet, provides plenty of protection. The two authentication factors are something you know (a PIN, mother's maiden name, etc.) and something you have: the token-providing cell phone. Should work.
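To make the mechanism in the "How does this work?" paragraph and the two-factor check just above concrete, here is an added example. It is not Diversinet's code, and the column does not say which OTP algorithm its soft token uses; the example assumes RFC 4226 HOTP, an event-based scheme in which the phone and the server share a secret and a counter, with the PIN checked server-side as the "something you know" factor. The user name alice, the PIN 4711, the shared secret (the RFC 4226 test vector key) and the look-ahead window of 10 are all constructed for the example.

```python
"""Added example: an event-based OTP soft token (RFC 4226 HOTP) plus the
server-side check that pairs it with a PIN.  Illustrative code, not
Diversinet's product; user names, secrets and PINs below are constructed."""
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then reduce modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class PhoneToken:
    """What the handset runs: it holds the shared secret and a counter that
    advances every time the user asks for a fresh password."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._counter = 0

    def next_password(self) -> str:
        pw = hotp(self._secret, self._counter)
        self._counter += 1
        return pw


class AuthServer:
    """What the bank (or its authentication provider) runs."""

    LOOK_AHEAD = 10  # assumed window: tolerates codes generated but never submitted

    def __init__(self):
        self._users = {}  # user -> dict(secret, counter, salt, pin_hash)

    @staticmethod
    def _pin_hash(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def enroll(self, user: str, secret: bytes, pin: str) -> None:
        salt = os.urandom(16)
        self._users[user] = {"secret": secret, "counter": 0,
                             "salt": salt, "pin_hash": self._pin_hash(pin, salt)}

    def verify(self, user: str, pin: str, otp: str) -> bool:
        rec = self._users.get(user)
        if rec is None:
            return False
        # Factor 1, something you know.  Constant-time compare of the PIN hash.
        if not hmac.compare_digest(self._pin_hash(pin, rec["salt"]), rec["pin_hash"]):
            return False
        # Factor 2, something you have.  Search a small window ahead of the
        # last accepted counter and never look backwards, so a code works once.
        for c in range(rec["counter"], rec["counter"] + self.LOOK_AHEAD):
            if hmac.compare_digest(hotp(rec["secret"], c), otp):
                rec["counter"] = c + 1  # resync; this and all earlier codes are burned
                return True
        return False


# Constructed demonstration data: the RFC 4226 test-vector secret.
SECRET = b"12345678901234567890"


def demo() -> dict:
    phone = PhoneToken(SECRET)
    server = AuthServer()
    server.enroll("alice", SECRET, "4711")
    first = phone.next_password()
    results = {
        "good_login": server.verify("alice", "4711", first),
        "replay": server.verify("alice", "4711", first),      # same code again
        "wrong_pin": server.verify("alice", "0000", phone.next_password()),
    }
    # User pressed the button a few times without logging in; server resyncs.
    for _ in range(3):
        phone.next_password()
    results["resync"] = server.verify("alice", "4711", phone.next_password())
    return results


if __name__ == "__main__":
    print(demo())
```

The look-ahead window is what makes an event-based token usable after the user generates codes without submitting them, but it also gives a guesser ten valid six-digit codes out of a million per attempt instead of one, so the server still needs attempt counting and lockout on top of this check. The wrong-PIN case deliberately does not advance the counter, so a failed first factor cannot be used to burn through the second.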
Previously: Authenticating Millions, Part 1 (ITworld.com)