
The next step in multi-factor authentication

12 June, 2014
Adaptive multi-factor authentication takes corporate organisations another step away from password insecurity in identity management

Passwords are a pain. Being clumsy, demanding, insecure and difficult to manage, they support none of the basic criteria required by any process operated in a business. Users can't remember them and resent being told to create new ones at frequent intervals, which places an additional non-productive burden on their time. IT administrators find them difficult to manage and constantly have to reset them when users forget them.

Let's face it, there's no saving grace for the decades-old technology of passwords, especially since other authentication methods are available that are more secure, more reliable and easier to deploy and use.

To find out about the latest trends in multi-factor authentication, I spoke to Torben Andersen of SMS PASSCODE, a company set up in 2005 and specialising in identity management technology based on adaptive multi-factor authentication.

A migration from 2FA

Two-factor authentication (2FA) has been available in various guises for about 20 years and started as hardware tokens. Whilst providing the additional security of an extra identity factor (something you carry with you), it had the disadvantage of the cost of tokens as well as requiring the user to carry the token around.

It was a logical step for 2FA to move on to the use of mobile communications during the last decade which required no additional hardware and enabled real-time authentication. These kinds of systems required client software (an app) and required a signal for the telephone to receive the SMS, a significant challenge in some regions with poor coverage.

Adaptive authentication

This situation drove SMS PASSCODE to take the technology a stage further and offer a solution that required no client software and which was adaptive to different circumstances, for example if there is no telephone signal for receiving an SMS. This adaptability became a key distinguishing factor, enabling companies to deploy an identity management policy based on elements of risk and the corresponding use of different authentication factors.

An example is geo-location. Employees working from home on company laptops using the familiar IP address of their routers represent a lower risk than an employee on the road in an unexpected location. In the former case, the second authentication factor could be the IP address alone whereas in the latter, more credentials would be required in order to authenticate the user.

SMS PASSCODE has gone to great lengths to ensure that the authentication method is secure and yet easy to manage for both users and administrators. Codes are not pre-generated and are based on single session IDs so they can't be intercepted or recycled, and passwords can be reset by the user with a personal PIN and a mobile phone.
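The two ideas in this section, a risk-based choice of second factor and codes generated on demand for a single session, can be sketched as follows. This is an added illustration, not SMS PASSCODE's code: the names `LoginContext`, `required_factors` and `OtpIssuer`, the sample networks and the fallback to a software token when no SMS can be received are all assumptions.

```python
import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass

# Constructed sample data: networks each user normally logs in from.
TRUSTED_NETWORKS = {"alice": [ipaddress.ip_network("203.0.113.0/28")]}

@dataclass
class LoginContext:
    user: str
    source_ip: str
    sms_reachable: bool  # can the user's phone receive an SMS right now?

def required_factors(ctx):
    """Return the factors to demand in addition to the password."""
    ip = ipaddress.ip_address(ctx.source_ip)
    if any(ip in net for net in TRUSTED_NETWORKS.get(ctx.user, [])):
        # Lower risk: the familiar address itself serves as the second factor.
        return ["known_ip"]
    # Unexpected location: step up, adapting delivery to what is reachable.
    return ["sms_otp"] if ctx.sms_reachable else ["software_token"]

class OtpIssuer:
    """Issues codes on demand, each bound to one session and usable once."""

    def __init__(self):
        self._pending = {}  # session_id -> SHA-256 digest of the issued code

    def issue(self, session_id):
        # Generated at login time from a CSPRNG, never pre-generated.
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[session_id] = hashlib.sha256(code.encode()).digest()
        return code  # hand this to the delivery channel (SMS gateway etc.)

    def verify(self, session_id, code):
        # pop() makes every attempt consume the code, so neither a replay
        # nor a second guess can succeed for the same session.
        expected = self._pending.pop(session_id, None)
        if expected is None:
            return False
        supplied = hashlib.sha256(code.encode()).digest()
        return hmac.compare_digest(expected, supplied)

if __name__ == "__main__":
    road = LoginContext("alice", "198.51.100.7", sms_reachable=True)
    print(required_factors(road))
    issuer = OtpIssuer()
    code = issuer.issue("session-1")
    print(issuer.verify("session-2", code), issuer.verify("session-1", code))
```

A production policy would also expire pending codes after a short interval and rate-limit issuance per account.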

The case for adaptive multi-factor authentication

Existing users of the SMS PASSCODE system amount to around 2000 companies throughout the world, most of which are small and medium sized enterprises. Not requiring any complex installation or client software, the system is ideally suited to these kinds of organisations which operate on tight budgets and require good cost justifications with tangible ROI. This can be achieved with the ease of credential management and the extremely low levels of user support requirements.

Sitting on top of Microsoft Active Directory, the only requirement is that AD federation services are supported. The system can also support other delivery mechanisms than SMS including voice calls as well as hardware tokens, software tokens or cloud keys as well as MS and Google authentication. The only disadvantage to these alternative delivery mechanisms is that they aren't session specific or real time.

Extended application

I asked Torben whether we're likely to see an end to hardware modules or the need to remember dozens of passwords. Currently, SMS PASSCODE is focused on providing the most secure credentialling system to commercial organizations rather than diluting the offering by extending into more consumer markets. However, the interest shown in the technology at the recent InfoSecurity Europe event in the UK by the financial sector would indicate that there's more than just a passing interest in moving towards more adaptive authentication methods.

By Jonathan Newell

