From: www.itworld.com

Authenticating Millions, Part 2

by James Gaskin

February 13, 2006 —

 

Continuing from last week: some banks and other financial institutions are issuing hardware tokens that generate single-use passwords for two-factor authentication. Since hardware is expensive, and people lose hardware, some companies are looking for better ways to authenticate users.



Diversinet Corporation took inventory: what hardware do people carry almost constantly? Cell phones. How about using cell phones to generate single-use passwords?



Success meant developing two technologies: a soft token that runs on phones, and a backend service bureau (remember ASPs?) to manage token distribution and the token life cycle. Diversinet built a service that handles the phone side but lets companies keep the authentication supplier they already have. The company sticks with a known authentication provider, and Diversinet handles the new piece, the cell phone interface.



And "new" is the operative word. The phones must have enough smarts to run an application and configure themselves for the service. PDAs get into the mix as well, depending on the model. Some older phones can instead receive their six-digit one-time passwords over SMS, which is a different arrangement: the code travels to the handset over the carrier's network rather than being computed from a secret stored on the phone.



How does this work? In simple terms, the user who wants access brings up the one-time password application on their phone. They then type that six-digit password into their computer and get access. Or they read the password over the phone to the company that requires authentication, much like the Deutsche Bank case study for CryptoCard referenced last week. The banker checks that the one-time password matches what the backend expects for that customer, and knows the caller holds the token that was issued to that customer.
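The exchange described above, as an added example that is not code from the original column or from Diversinet: a phone-side soft token producing six-digit codes and a backend that verifies them. The column does not say which algorithm Diversinet used, so the example assumes HOTP (RFC 4226, HMAC-SHA1 over a shared counter), and it pairs the code with a server-checked PIN so that both factors are visible. The user name, PIN and token secret are constructed for the example (the secret is the RFC 4226 test-vector key). It also shows two things the prose glosses over: the server must move its counter past any accepted code so that a code can never be replayed, and it needs a small look-ahead window so a token that generated a few codes the user never typed in still works.

```python
"""Six-digit soft-token OTP flow: a phone-side token and a backend verifier.

HOTP (RFC 4226) is an assumption here; the column does not say which algorithm
Diversinet used. All secrets, PINs and user names below are constructed."""
import hashlib
import hmac
import os
import struct

DIGITS = 6
LOOKAHEAD = 5  # how many unused counter values the server will search if the token is ahead


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
              | mac[offset + 2] << 8 | mac[offset + 3])
    return f"{binary % 10 ** digits:0{digits}d}"


class SoftToken:
    """What the phone application holds: the shared secret and a moving counter."""

    def __init__(self, secret: bytes, counter: int = 0):
        self.secret, self.counter = secret, counter

    def next_code(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1  # a code is consumed whether or not the user ever types it in
        return code


class AuthServer:
    """Backend record per user: token secret, next acceptable counter, salted PIN hash."""

    def __init__(self):
        self.users = {}

    def enroll(self, user: str, secret: bytes, pin: str) -> None:
        salt = os.urandom(16)
        self.users[user] = {
            "secret": secret,
            "counter": 0,  # next counter value the server will accept
            "salt": salt,
            "pin_hash": hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000),
        }

    def verify(self, user: str, pin: str, code: str) -> bool:
        rec = self.users.get(user)
        if rec is None:
            return False
        # "Something you know": the PIN is checked first; a wrong PIN leaves the counter alone.
        pin_hash = hashlib.pbkdf2_hmac("sha256", pin.encode(), rec["salt"], 100_000)
        if not hmac.compare_digest(pin_hash, rec["pin_hash"]):
            return False
        # "Something you have": search a small window so a token that produced a few
        # unused codes (user opened the app and closed it) still resynchronises.
        for c in range(rec["counter"], rec["counter"] + LOOKAHEAD + 1):
            if hmac.compare_digest(hotp(rec["secret"], c), code):
                rec["counter"] = c + 1  # move past it: this code can never be replayed
                return True
        return False


def demo() -> dict:
    secret = b"12345678901234567890"  # RFC 4226 test-vector key, used here as a constructed secret
    server = AuthServer()
    server.enroll("alice", secret, "4711")
    phone = SoftToken(secret)

    first = phone.next_code()
    results = {"first": first, "login_ok": server.verify("alice", "4711", first)}
    results["replay_rejected"] = not server.verify("alice", "4711", first)
    for _ in range(3):  # user generates three codes without using them
        phone.next_code()
    fourth = phone.next_code()
    results["after_gap_ok"] = server.verify("alice", "4711", fourth)
    results["wrong_pin_rejected"] = not server.verify("alice", "0000", phone.next_code())
    return results


if __name__ == "__main__":
    print(demo())
```

The look-ahead window is deliberately small: every extra counter value the server is willing to try is one more six-digit code an attacker could guess, so the window trades resynchronisation convenience against guessability, and a real deployment would also rate-limit or lock out after a handful of failures.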



Soft tokens for computers and even PDAs aren't new, but soft tokens for cell phones are. Diversinet has the lead now, but others will catch up sooner or later (probably sooner).



Costs for a million or two customers, according to Diversinet, should be only two or three dollars per user per year. That figure doesn't include the backend authentication at the company, just the logistics of putting soft tokens on cell phones and keeping them current.



Yes, the password-generating application can be password protected, but I'm dubious. People don't password protect their laptops, and they certainly won't protect their cell phones. But a verbal password plus the one-time password from Diversinet provides plenty of protection. The two authentication factors are something you know (a PIN, mother's maiden name, etc.) and something you have: the cell phone that carries the token. Should work.



Authenticating Millions, Part 1