Pretty much everyone in the security world agrees that two-factor authentication is the way to go when it comes to protecting access to corporate resources such as VPNs, Web mail, and sensitive Web applications and data. Basing access on something a user knows (such as a user name and password) and something the user has (such as a fingerprint) provides much higher security than any system that relies on the very weak security of the one-factor standard of user names and passwords.
However, the problem is that while everyone agrees that two-factor authentication is more secure, many businesses, especially smaller ones, struggle with the cost and complexity of maintaining standard two-factor systems that rely on smart cards, tokens or biometrics.
Attempting to solve both the problems of cost and complexity is a new service called PhoneFactor. The cost solution is very simple in that the base PhoneFactor service is free. And PhoneFactor addresses the complexity issue by not relying on biometrics, tokens or smart-card systems that require special hardware and can be time-consuming to manage.
Instead, the second factor that PhoneFactor uses is, not surprisingly, the telephone. Using the PhoneFactor service, businesses can add two-factor security to VPNs, Web applications or any system that supports RADIUS with very little upfront work and without having to provide any special hardware to users. And in my tests PhoneFactor worked so well and so easily that I am awarding it an eWEEK Labs Analyst's Choice.
To test PhoneFactor, I set up an account for eWEEK Labs and downloaded the PhoneFactor Windows agent application. Upon launching, the program asked what I wanted to secure (VPN, Citrix Web Interface, Outlook Web Access, Web site or other) and after choosing Web site I was quickly up and running. From the agent's Window console I could pull users from my Active Directory or enter users manually. After adding the users, I simply entered a phone number for each user and then enabled them for PhoneFactor authentication.
When a user accessed the application I had protected with PhoneFactor, he or she first entered a user name and password. PhoneFactor then called the user's phone and prompted the user to hit the pound button to complete authentication. Once this was completed the user had access to the application.
I was very impressed with how simple and elegant this solution proved to be. Along with the Windows agent console, PhoneFactor also provides a Web-based management console (of course protected by PhoneFactor).
When compared to managing a traditional hardware or biometric-based solution, the PhoneFactor service really makes sense. Since no special reader hardware is required, users can access applications from any system. Also, if a user loses the phone, it's a simple matter to change the number in that account, which is much easier than having to send out a new token or smart card.
While the PhoneFactor agent is Windows only, PhoneFactor does provide several SDKs for installing the service on Linux and Unix systems. These aren't as simple as the agent and require some system tweaking to get working. Also, the readme files and samples weren't that in-depth, meaning many businesses may seek support when installing the SDKs.
And support is one of the areas where PhoneFactor's maker, VPN solution provider Positive Networks, hopes to make money from this service. Businesses needing support will have to pay for that service. Other capabilities that aren't provided as part of the free service but can be upgraded to for a fee include customizing the message on the authentication phone call and more advanced management and integration options.
Given the ease of implementation and the simplicity of the solution itself, I think any business that is at all interested in the improved security that two-factor authentication provides should definitely test out the free PhoneFactor service. For more information and to download the agent, go to www.phonefactor.net.