Microsoft Acquires PhoneFactor to Boost Mobile App Security

PhoneFactor, a company that delivers two-factor security authentication for mobile phones, has been acquired by Microsoft to enhance security for business mobile applications.

Microsoft has acquired mobile security provider PhoneFactor for its two-factor authentication technology to protect business applications that enterprises deploy on smartphones for employees and customers.

PhoneFactor, founded in 2001, already works with many Microsoft products and services, including Outlook Web Access, Internet Information Services and Active Directory. Over time, it could also interoperate with Office 365, the cloud-delivered version of Microsoft’s Office productivity software suite, the companies said. Terms of the acquisition were not disclosed.

“With Microsoft’s product breadth and distribution reach, it will be possible to bring the benefits of PhoneFactor to a broader set of customers, partners and developers than we could as a stand-alone company,” wrote Timothy Sutton, PhoneFactor’s CEO, in a blog post. “And as part of Microsoft, we will work to improve the interoperability and ease of use of our solutions.”

Two-factor authentication is an IT security feature that gives a user access to a company application or Website if they are successfully authenticated using two of three factors. The three authentication methods are based on what you know, what you have or who you are.

What you know refers to a common security measure in which a person enters a user name and password onto their device, such as a PC, smartphone or tablet. What you have refers to devices like a smartcard, a USB thumb drive or an encryption token that the device can recognize as a valid ID. Who you are refers to a method of identifying a person by fingerprints, a retina scan or voice recognition.

The idea behind two-factor authentication is that while it may be possible for a hacker to guess or steal someone’s user name and password, it would be more difficult for them to obtain either of the other two authentication factors.

PhoneFactor has been a Microsoft partner since at least early 2011, when Microsoft identified PhoneFactor technology as an element of its HealthVault platform for securing applications used in the health care and health insurance industries. Health care companies are bound by the U.S. Health Insurance Portability and Accountability Act (HIPAA), which requires strict security and privacy protection of patient health and insurance information.

"The acquisition of PhoneFactor will help Microsoft bring effective and easy-to-use multifactor authentication to our cloud services and on-premise applications," said Bharat Shah, corporate vice president for the Server and Tools Division at Microsoft, in a statement. "In addition, PhoneFactor's solutions will help Microsoft customers, partners and developers enhance the security of almost any authentication scenario.”

For now, PhoneFactor will continue to operate separately from Microsoft, including providing PhoneFactor support for non-Microsoft products, PhoneFactor noted in a Q&A page on its Website.

However, in the future, it’s likely PhoneFactor will be sold using Microsoft’s Volume Licensing contracts, but PhoneFactor was not specific on when that might happen.

PhoneFactor will continue to provide support for its products and services but customers who have an existing support contract with Microsoft cannot extend that support to include its PhoneFactor solutions.