Two-factor authentication is one of those computing developments that brings a clear benefit to a major problem, and which yet has had limited reach. What's holding it back? It turns out there are a lot of factors that limit one-time password tokens. But advances in VeriSign's VIP network should make the technology more accessible to everyone.
Most two-factor authentication systems are set up as private networks with a token provided to the user that contains the equivalent of a private key. Authenticating the token generates a code-sometimes known as an OTP (one-time password)-that the user enters along with the first factor, probably a password. The code is checked against the other key for authenticity. This proves that the user authenticating not only knows the password, but has possession of the token.
Corporations and governments have used these systems for many years to strengthen authentication of access to critical systems. In the consumer world, they have been discussed for a long time, but adoption has been scant.
Setting up such a system, distributing and managing all the tokens to users, and training the personnel to use them can be expensive. When users lose the tokens, you need to get them new ones. The VIP network is a public two-factor authentication network that services can use to strengthen their authentication processes. The provider sends a simple SOAP message to VeriSign to request an authentication and receives a yes/no response.
The client end, until just recently, required a VIP token as in other OTP schemes. Now the VIP client is available as software for mobile phones. You just run the VIP program on the device and it generates the code.
There are numerous advantages of this approach. First, you don't need to distribute and manage tokens anymore. As an enterprise, you may already be distributing phones, or you may allow employees to use personal phones. VeriSign supports the iPhone and BlackBerry (I tested it on my BlackBerry by buying something at eBay, which supports VIP authentication) and a long list of less-famous phones.
You don't need any special hardware at your service end, and the software for authentication is simple. Some time ago, VeriSign conducted a "developer test drive" with a free SDK for development on the server. Now it has added a similar effort for the client. As a result, you can easily add two-factor authentication directly into your apps, which can authenticate without any user activity. More information about the mobile client end of the VIP network can be obtained at m.verisign.com.
Using the phone as a second factor in exactly this way is something I have heard about from vendors, VeriSign included, for many years. It's almost a holy grail of two-factor authentication because it solves the token problem in a pretty elegant way. Why has it taken this long? I'm not sure, but then again I'm not sure why the VIP network, which has existed for many years, wasn't more popular with plain tokens. PayPal, as the biggest phishing target in the world, adopted the VIP network some time ago but hasn't really pushed it that hard.
I suspect the token problem has been a big one for PayPal and other potential customers of VIP. Using a smart mobile device and directly integrating OTP functions into apps should help to overcome those last serious problems. But will it be considered convenient enough to really push users into using two-factor authentication? It's going to help, but it's still not seamless enough to force people.
Security CenterEditor Larry Seltzer has worked in and written about the computer industry since 1983.