OPINION: Smart mobile devices have long been the holy grail of two-factor authentication. Now it's a lot easier to get one-time passwords into the hands of the work force and the masses.
Two-factor authentication is one of those computing developments that brings
a clear benefit to a major problem, and which yet has had limited reach. What's
holding it back? It turns out there are a lot of factors that limit one-time
password tokens. But advances in VeriSign's VIP network
should make the technology more accessible to everyone.
Most two-factor authentication systems are set up as private networks with a
token provided to the user that contains the equivalent of a private key. Authenticating
the token generates a code-sometimes known as an OTP (one-time password)-that
the user enters along with the first factor, probably a password. The code is
checked against the other key for authenticity. This proves that the user
authenticating not only knows the password, but has possession of the token.
Corporations and governments have used these systems for many years to
strengthen authentication of access to critical systems. In the consumer world,
they have been discussed for a long time, but adoption has been scant.
Setting up such a system, distributing and managing all the tokens to users,
and training the personnel to use them can be expensive. When users lose the
tokens, you need to get them new ones. The VIP
network is a public two-factor authentication network that services can use to
strengthen their authentication processes. The provider sends a simple SOAP
message to VeriSign to request an authentication and receives a yes/no
The client end, until just recently, required a VIP
token as in other OTP schemes. Now the VIP
client is available as software for mobile phones. You just run the VIP
program on the device and it generates the code.
There are numerous advantages of this approach. First, you don't need to
distribute and manage tokens anymore. As an enterprise, you may already be
distributing phones, or you may allow employees to use personal phones.
VeriSign supports the iPhone and BlackBerry (I tested it on my BlackBerry by
buying something at eBay, which supports VIP
authentication) and a long list of less-famous phones.
You don't need any special hardware at your service end, and the software
for authentication is simple. Some time ago, VeriSign conducted a
"developer test drive" with a free SDK for development on the server.
Now it has added a similar effort for the client. As a result, you can easily
add two-factor authentication directly into your apps, which can authenticate
without any user activity. More information about the mobile client end of the VIP
network can be obtained at m.verisign.com
Using the phone as a second factor in exactly this way is something I have
heard about from vendors, VeriSign included, for many years. It's almost a holy
grail of two-factor authentication because it solves the token problem in a
pretty elegant way. Why has it taken this long? I'm not sure, but then again
I'm not sure why the VIP network, which has
existed for many years, wasn't more popular with plain tokens. PayPal, as the
biggest phishing target in the world, adopted the VIP
network some time ago but hasn't really pushed it that hard.
I suspect the token problem has been a big one for PayPal and other
potential customers of VIP. Using a smart
mobile device and directly integrating OTP functions into apps should help to
overcome those last serious problems. But will it be considered convenient
enough to really push users into using two-factor authentication? It's going to
help, but it's still not seamless enough to force people.
Editor Larry Seltzer
has worked in and written about the computer industry since 1983.