
The future of two-factor authentication
 Posted by SecExtra on March 09th, 2008

In response to us wishing to know a bit more about where two-factor authentication systems are heading, Andy Kemshall from SecurEnvoy has kindly bestowed his thoughts upon us. Take it away Andy.

Although not new, when it comes to remote access, two-factor authentication hasn’t always kept pace with consumer demands. Users are no longer restricted to accessing corporate systems from their work PC. Today they can log in from anywhere, on any device, at any time - whether it’s from their home computer, an internet-enabled laptop in an airport, or from their Smartphone.

However, some methods for two-factor authentication remain impractical for use on anything other than a corporate device as smartcards require readers and local software, and even USB tokens need software to be installed on the remote PC or laptop before they can be used.

Tokens are a common method of two-factor authentication.  Whilst these allow authentication on any device, they are expensive to purchase and have costly administration overheads due to the management required, as well as the deployment and replacement of lost or broken units. They also require PIN administration and burden users with carrying additional devices. 

These factors are driving IT departments to look for alternative solutions that can provide the security levels of two-factor authentication, enable employees to use any remote machine, keep costs low and don’t require users to carry additional hardware.

One approach is to use mobile phones as a second authentication device. Current estimates show that there are over 80 million mobile phones in the UK, making the mobile phone an ideal authentication device, but the range of phones and operating systems in use today is so diverse that installing software on them leads to significant support challenges. It is unrealistic to expect helpdesk staff to be trained and have access to all mobile phones, so this approach only works if employees are limited to using just one or two types of phone.

A more practical approach, one that isn’t dependent on the make and model of the phone, is to use SMS to send the user a one-time passcode. This method of two-factor authentication opens up the corporate network to legitimate users more than ever before. In situations where employees are unable to get into the office, for example because of transport strikes, adverse weather conditions, terrorism or damage to the building from fire or floods, it was previously difficult to provide secure remote access to everyone. Companies who might normally use tokens to authenticate their remote employees, for example, might resort to allowing users to sign in over a VPN using just their Windows username and password, as it is not practical or cost-effective to deploy tokens to everyone. But letting the organisation’s security ‘guard’ down in a time of crisis simply isn’t an option, as this is often when it is most vulnerable.

By using mobile phones for two-factor authentication, organisations can easily enable secure remote access for all users. Employees can be pre-registered for remote access, so the database of phone numbers will already exist, and the user can already have their first passcode sitting on their phone, just waiting until it is needed.

At a time when security threats are growing and mobile working is increasing in popularity, two-factor authentication to enable secure remote access is more important than ever. And with the new technology available to meet these demands, it is also easier than ever.



This entry was posted on Sunday, March 9th, 2008 at 9:42 pm and is filed under IT security.

One Response to “The future of two-factor authentication”

  1. Dean Spaccavento Says:

    Yep, SMS is a fantastic option for two-factor authentication. At Gardanto, we did some work about four years ago and identified SMS as the two-factor authentication option that would secure the most people for the least cost.

    More than that, we realised some time ago that two-factor authentication as a managed service would be something that would allow even more people to secure their networks. So we built it, and it is proving to be a successful product. Google for Gardanto if you’re curious.
