Two-factor Security

Two-factor security describes any authentication mechanism that requires two components to identify and authenticate a user. The two components of two-factor authentication are simply:

1) Something you know, in the form of a user name and password
2) Something you have, in the form of a mobile phone

Traditional security schemes used username and password pairs to authenticate a user. This method provides only a minimal level of security, since usernames and passwords are easily guessed or intercepted. In two-factor authentication, the password still furnishes the "something you know" component, whereas the "something you have" component is usually provided by a hardware device, such as a token, or by a mobile device that has a software token or an SMS token. SMS PASSCODE® replaces the hardware, software and even pre-issued SMS-based token devices with real-time, challenge- and session-specific two-factor authentication that uses your cell phone's SMS text messaging system. This enables a new-generation solution that is fast to deploy and more secure.

To illustrate this, first look at the older technologies. One of them is the token device: a small piece of hardware that displays a one-time code, which is in sync with the system that it provides access to. When the user enters this code, the system recognizes possession of that unique token and pairs this with the username and password to authenticate the user. The code is either a valid-until-used code or a code that changes every minute or so. Sometimes these tokens take the form of software tokens, or soft tokens, installed on mobile phones, which requires extensive support for new operating systems and for user errors. Even SMS tokens based on this pre-calculated method have a time window or a "valid until used" window, which opens them up to phishing by advanced threats on the internet (see more about the Zeus malware on our blog).

Other older technologies for two-factor authentication can take the form of a certificate. A certificate is a digital key, usually stored on a user's hard drive as the “something you have” component, that allows access when correctly paired with a username and password. The downside of this solution is that certificates, just like passwords, are easily stolen or intercepted. Because of this limitation, most two-factor authentication systems today rely on token devices. However, imagine the difficulties these hardware tokens present in the near future, when two-factor authentication is used for employee logins, online banking systems, public services, online shops and web-based services at large. Management, deployment and the need for a user to carry a batch of tokens make this approach impractical.

SMS PASSCODE® offers a world-leading technology to deal with these shortcomings by reducing the need to a single, network-connected device: the user's mobile phone. The solution enables a session-specific log-in process that validates the specific user ID and password against a session-specific one-time code sent to the user's mobile phone. In other words, when a user logs into a system, SMS PASSCODE® checks whether the user ID and password match, then sends a passcode to the user's mobile phone; the passcode is verified against the log-in session and, if it clears, the user is let through. Tokens and other solutions that do not deploy the deep level of challenge/session and message-based security used in SMS PASSCODE® are easy targets for today’s identity hackers.
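
The log-in flow described above, sketched as an added example (not SMS PASSCODE's implementation and not code from this page): the code is issued only after the password check, stored against the log-in session that requested it, and accepted once. The class name, the 120-second lifetime, the six-digit format and the one-attempt policy are assumptions; SMS delivery is left to the caller.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 120  # assumed lifetime; the page gives no figure


class SessionBoundOtp:
    """One-time codes bound to one login session (hypothetical class)."""

    def __init__(self, clock=time.monotonic):
        self._pending = {}  # session_id -> (code, expires_at)
        self._clock = clock

    def start_login(self, password_ok):
        """Issue (session_id, code) only after the password check passed.

        The caller sends `code` by SMS to the phone number on file and
        hands only `session_id` back to the browser.
        """
        if not password_ok:
            return None
        session_id = secrets.token_urlsafe(16)
        code = f"{secrets.randbelow(10**6):06d}"  # assumed 6-digit format
        self._pending[session_id] = (code, self._clock() + CODE_TTL_SECONDS)
        return session_id, code

    def verify(self, session_id, submitted):
        """Accept the code once, and only in the session that requested it."""
        # pop() discards the code on the first attempt, right or wrong, so it
        # can be neither replayed nor guessed at repeatedly.
        entry = self._pending.pop(session_id, None)
        if entry is None:
            return False
        code, expires_at = entry
        if self._clock() > expires_at:
            return False
        return hmac.compare_digest(code.encode(), submitted.encode())


if __name__ == "__main__":
    otp = SessionBoundOtp()
    sid_a, code_a = otp.start_login(password_ok=True)
    sid_b, _ = otp.start_login(password_ok=True)
    print("code A in session B:", otp.verify(sid_b, code_a))
    print("code A in session A:", otp.verify(sid_a, code_a))
    print("code A reused:      ", otp.verify(sid_a, code_a))
```

A code captured from one session is rejected when submitted in another, which is the property that pre-issued and valid-until-used codes lack.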