OPINION: Smart mobile devices have long been the holy grail of two-factor authentication. Now it's a lot easier to get one-time passwords into the hands of the work force and the masses.
Two-factor authentication is one of those computing developments that brings
a clear benefit to a major problem, and which yet has had limited reach. What's
holding it back? It turns out there are a lot of factors that limit one-time
password tokens. But advances in VeriSign's VIP network
should make the technology more accessible to everyone.
Most two-factor authentication systems are set up as private networks with a
token provided to the user that contains the equivalent of a private key. Authenticating
the token generates a code-sometimes known as an OTP (one-time password)-that
the user enters along with the first factor, probably a password. The code is
checked against the other key for authenticity. This proves that the user
authenticating not only knows the password, but has possession of the token.
Corporations and governments have used these systems for many years to
strengthen authentication of access to critical systems. In the consumer world,
they have been discussed for a long time, but adoption has been scant.
Setting up such a system, distributing and managing all the tokens to users,
and training the personnel to use them can be expensive. When users lose the
tokens, you need to get them new ones. The VIP
network is a public two-factor authentication network that services can use to
strengthen their authentication processes. The provider sends a simple SOAP
message to VeriSign to request an authentication and receives a yes/no
The client end, until just recently, required a VIP
token as in other OTP schemes. Now the VIP
client is available as software for mobile phones. You just run the VIP
program on the device and it generates the code.
There are numerous advantages of this approach. First, you don't need to
distribute and manage tokens anymore. As an enterprise, you may already be
distributing phones, or you may allow employees to use personal phones.
VeriSign supports the iPhone and BlackBerry (I tested it on my BlackBerry by
buying something at eBay, which supports VIP
authentication) and a long list of less-famous phones.
You don't need any special hardware at your service end, and the software
for authentication is simple. Some time ago, VeriSign conducted a
"developer test drive" with a free SDK for development on the server.
Now it has added a similar effort for the client. As a result, you can easily
add two-factor authentication directly into your apps, which can authenticate
without any user activity. More information about the mobile client end of the VIP
network can be obtained at m.verisign.com.
Using the phone as a second factor in exactly this way is something I have
heard about from vendors, VeriSign included, for many years. It's almost a holy
grail of two-factor authentication because it solves the token problem in a
pretty elegant way. Why has it taken this long? I'm not sure, but then again
I'm not sure why the VIP network, which has
existed for many years, wasn't more popular with plain tokens. PayPal, as the
biggest phishing target in the world, adopted the VIP
network some time ago but hasn't really pushed it that hard.
I suspect the token problem has been a big one for PayPal and other
potential customers of VIP. Using a smart
mobile device and directly integrating OTP functions into apps should help to
overcome those last serious problems. But will it be considered convenient
enough to really push users into using two-factor authentication? It's going to
help, but it's still not seamless enough to force people.
Editor Larry Seltzer
has worked in and written about the computer industry since 1983.
Larry Seltzer has been writing software for and English about computers ever since,much to his own amazement,he graduated from the University of Pennsylvania in 1983.
He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.
For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.
In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.
Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.