VeriSign VIP 2-Factor Network Opens to Mobile Devices

By Larry Seltzer  |  Posted 2009-04-21 Print this article Print

OPINION: Smart mobile devices have long been the holy grail of two-factor authentication. Now it's a lot easier to get one-time passwords into the hands of the work force and the masses.

Two-factor authentication is one of those computing developments that brings a clear benefit to a major problem, and which yet has had limited reach. What's holding it back? It turns out there are a lot of factors that limit one-time password tokens. But advances in VeriSign's VIP network should make the technology more accessible to everyone.

Most two-factor authentication systems are set up as private networks with a token provided to the user that contains the equivalent of a private key. Authenticating the token generates a code-sometimes known as an OTP (one-time password)-that the user enters along with the first factor, probably a password. The code is checked against the other key for authenticity. This proves that the user authenticating not only knows the password, but has possession of the token.

Corporations and governments have used these systems for many years to strengthen authentication of access to critical systems. In the consumer world, they have been discussed for a long time, but adoption has been scant.

Setting up such a system, distributing and managing all the tokens to users, and training the personnel to use them can be expensive. When users lose the tokens, you need to get them new ones. The VIP network is a public two-factor authentication network that services can use to strengthen their authentication processes. The provider sends a simple SOAP message to VeriSign to request an authentication and receives a yes/no response.

The client end, until just recently, required a VIP token as in other OTP schemes. Now the VIP client is available as software for mobile phones. You just run the VIP program on the device and it generates the code.

There are numerous advantages of this approach. First, you don't need to distribute and manage tokens anymore. As an enterprise, you may already be distributing phones, or you may allow employees to use personal phones. VeriSign supports the iPhone and BlackBerry (I tested it on my BlackBerry by buying something at eBay, which supports VIP authentication) and a long list of less-famous phones.

You don't need any special hardware at your service end, and the software for authentication is simple. Some time ago, VeriSign conducted a "developer test drive" with a free SDK for development on the server. Now it has added a similar effort for the client. As a result, you can easily add two-factor authentication directly into your apps, which can authenticate without any user activity. More information about the mobile client end of the VIP network can be obtained at

Using the phone as a second factor in exactly this way is something I have heard about from vendors, VeriSign included, for many years. It's almost a holy grail of two-factor authentication because it solves the token problem in a pretty elegant way. Why has it taken this long? I'm not sure, but then again I'm not sure why the VIP network, which has existed for many years, wasn't more popular with plain tokens. PayPal, as the biggest phishing target in the world, adopted the VIP network some time ago but hasn't really pushed it that hard.

I suspect the token problem has been a big one for PayPal and other potential customers of VIP. Using a smart mobile device and directly integrating OTP functions into apps should help to overcome those last serious problems. But will it be considered convenient enough to really push users into using two-factor authentication? It's going to help, but it's still not seamless enough to force people.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.


Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel