Passwords aren't strong enough to protect your data from the other 3 billion users online. 2FA provides the strength of security needed to protect you. By leveraging something the user already has, Tokenless® Two Factor Authentication can be implemented as a seamless and cost-effective solution.
With a broad enterprise-class offering, INETWORKS provides premium hosting services and support recognized by industry experts as among the best available. Our services are leveraged by organizations ranging from Fortune 1000 companies to the leaders in Web 2.0 and federal agencies.
Could a text message be intercepted by a malicious trojan inadvertently installed on a phone? Phones such as the iPhone and BlackBerry rely on "App Stores" that only publish trusted software that has been checked to be virus free and whose originator's identity has been confirmed, making it impossible for a hacker to install trojan software or to remain anonymous. In 2011 Google removed a number of malicious apps from its Android app store and is set to follow Apple's lead. Almost all other phones will prompt you with a warning message if personal information such as the SMS store or GPS location is requested by an application or trojan. In addition, the wide diversity of phone models, operating system types and message storage techniques means that trojan software would have to be adapted hundreds of times to cover all eventualities, and when a phone vendor subsequently issues a security update the cybercriminal would be back to square one.
If you still don't trust SMS, please bear in mind that you can still opt to use SecurEnvoy Time Soft Tokens on iPhone, BlackBerry, Android and, by the end of 2011, laptops. These soft tokens have no external APIs and no reliance on SMS, as they are isolated software versions of time-sync tokens, with the added security benefit that seed records are created at enrolment within your own server and can automatically resynchronize to any time zone in the world.
In March 2011 RSA Security was hacked, compromising up to 40 million tokens, which RSA has agreed to replace. This breach uncovered a fundamental security issue with security processes that depend on tokens pre-programmed by the manufacturer. SecurEnvoy does not hold token records, as all required keys are created within the customer's own security server when a user is enabled.
A hardware token may change its number every 60 seconds or when a button is pressed, but if you have access to the token you have a valid number that can be used for a successful authentication. The same is true of an SMS message on a mobile phone, with the difference that the SMS system only needs to change its number after every authentication rather than every 60 seconds. However, a mobile phone provides additional protection: you will need to power it on, enter a PIN unlock code (in most cases) and search through various locations to find the relevant SMS message.
Both tokens and SecurEnvoy solutions can be disabled from the server end once the device has been reported missing. The question is which device would be reported missing first: a piece of plastic that is only used for remote access and that the user has been forced to carry, or their mobile phone, which is very personal to them and frequently used. Consider a member of your staff going on holiday and having their token stolen at the airport. They are unlikely to miss the token until they next need to use it, which could be many weeks or months later. However, if their phone is stolen they will realize this within hours and, more importantly, will make the effort to report it missing to prevent escalating costs.
Most hardware token vendors require the use of a 4 to 8 digit PIN that never changes. SecurEnvoy supports either a 4 to 8 digit PIN or reuse of an existing domain password. Most customers prefer to use their domain password as their PIN. In most cases this is their Windows password, which is usually 6 to 8 characters, alphanumeric and changes every 30 days. Not only is this password easier for the user to remember, it is more secure than a static 4-digit PIN that may not have changed in years.
From a security perspective, the hardware device in a Two-Factor Authentication solution should be kept with the user at all times to keep it safe. A plastic token, which the user is forced to own and which may only be used for occasional remote access connections, will not be kept as secure as a mobile phone. Users are more likely to protect their phone and, importantly, will report it missing if stolen. If for any reason someone manages to retrieve a passcode from a user's phone, they will still need to know the other factor, a PIN or Windows password, to log on. The hacker will only get one attempt at getting the PIN/password correct, at which point the system will generate a new passcode message, alerting the real user to an illegal logon attempt, whereas with a token the user would never know if someone had tried to use one of the codes. Finally, many users leave their tokens in their laptop bag, which is very much like gluing your car keys to your car, whereas a mobile phone is almost certainly kept close to the user and separate from their laptop.
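As an added illustration (not SecurEnvoy's code), the passcode lifecycle described in the last two sections modelled server-side: a single-use SMS passcode paired with a PIN or domain password, where any logon attempt, successful or not, consumes the current passcode and triggers a fresh one that the real user receives. The 6-digit passcode length and the list standing in for the SMS gateway are assumptions for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

PASSCODE_LENGTH = 6  # assumed length; the page does not state one


@dataclass
class Account:
    pin: str                                      # second factor: PIN or domain password
    passcode: str = ""                            # current single-use SMS passcode
    sent: list = field(default_factory=list)      # constructed stand-in for the SMS gateway
    alerts: list = field(default_factory=list)    # messages the real user would notice


def issue_passcode(acct: Account) -> str:
    """Generate a fresh single-use passcode and 'send' it by SMS."""
    acct.passcode = "".join(secrets.choice("0123456789") for _ in range(PASSCODE_LENGTH))
    acct.sent.append(acct.passcode)
    return acct.passcode


def authenticate(acct: Account, pin: str, passcode: str) -> bool:
    """One attempt consumes the current passcode whether or not it succeeds.

    A failed attempt is recorded so the user sees an unexpected new passcode
    message, and the passcode rotates after every authentication rather than
    on a 60-second timer.
    """
    ok_pin = hmac.compare_digest(pin, acct.pin)
    ok_code = hmac.compare_digest(passcode, acct.passcode)
    if not (ok_pin and ok_code):
        acct.alerts.append("failed logon attempt, new passcode sent")
    issue_passcode(acct)  # rotate regardless of outcome
    return ok_pin and ok_code


if __name__ == "__main__":
    user = Account(pin="Winter2011!")  # constructed sample domain password
    first = issue_passcode(user)
    print("stolen passcode, wrong PIN:", authenticate(user, "0000", first))
    print("stolen passcode reused:    ", authenticate(user, "Winter2011!", first))
    print("current passcode, real PIN:", authenticate(user, "Winter2011!", user.passcode))
    print("alerts seen by user:", user.alerts)
```

Each failed attempt in the demo leaves the user with an unexplained new SMS, which is the signal the page describes; a stolen passcode is worthless after a single guess because the server has already rotated it.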