There’s a website we all know that offers a "Security Key" to provide an added layer of security beyond the email address and password. While this is great in principle, it is undermined by giving users a way around it if they "lose" their Key. PhoneFactor, on the other hand, is a lot harder to lose and to abuse.
The Security Key I’m thinking of displays a 6-digit number that changes every 30 seconds or so. The website where you type in the code knows what number your key is supposed to be showing, because the key and the website share a secret seed and the code is computed from that seed and the current time; so the website knows when you type in the right number. To anyone who doesn’t hold the seed the numbers look random, and the next number can’t be worked out from the ones shown so far. That’s a good layer of security: if you type in the right number, it’s pretty clear you must be holding the Security Key. A hacker half-way around the world might fool someone into giving up their email address and password (phishing), but if the website then demands the 6-digit code, they don’t have it. (The one caveat is that a code typed into the browser proves you hold the key, not that the page you typed it into is genuine; a phishing site that relays it to the real website within the same 30-second window still gets in. The phone-based scheme below sidesteps that because the response never passes through the browser.)
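To make the "shared seed plus time" idea concrete, here is an added example (not code from the original post or from any token vendor) that computes the kind of 6-digit code such a key shows, and verifies it the way the website side should: allowing one step of clock drift, comparing in constant time, and refusing a code that has already been accepted. The seed below is the ASCII string from the RFC 4226 / RFC 6238 test vectors, used here only so the output can be checked; a real key ships with a random seed that never leaves the token and the verifier.

```python
import hashlib
import hmac
import struct
import time

# Constructed seed for the demonstration (the RFC 4226 / RFC 6238 test-vector
# seed). A real token's seed is random and secret.
SEED = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over an 8-byte
    counter, dynamically truncated to a short decimal code."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Time-based OTP (RFC 6238): HOTP with the counter set to the current
    30-second step, which is why the display changes every 30 seconds."""
    return hotp(seed, unix_time // step, digits)


class TotpVerifier:
    """Server side. Accepts the code for the current step plus `window` steps
    either side (clock skew), never accepts a step at or before the last one
    already used (replay within the window), and compares in constant time."""

    def __init__(self, seed: bytes, window: int = 1):
        self.seed = seed
        self.window = window
        self.last_step = -1

    def verify(self, submitted: str, unix_time: int) -> bool:
        current = unix_time // STEP_SECONDS
        matched = -1
        for step_index in range(current - self.window, current + self.window + 1):
            candidate = hotp(self.seed, step_index)
            # compare every candidate so the loop's timing is independent of the match
            if hmac.compare_digest(candidate, submitted) and step_index > self.last_step:
                matched = step_index
        if matched < 0:
            return False
        self.last_step = matched
        return True


if __name__ == "__main__":
    now = int(time.time())
    shown = totp(SEED, now)
    verifier = TotpVerifier(SEED)
    print("key shows:", shown)
    print("first use accepted:", verifier.verify(shown, now))
    print("replay accepted:", verifier.verify(shown, now + 5))
```

The replay check matters more than it looks: without it, a code captured from the browser in the first few seconds of its window can be submitted again by whoever captured it, which is exactly the relay case mentioned above.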
If it ended there, I would be a big fan of the Security Key and I’d buy one. But it doesn’t end there. The website has to handle the predictable case that someone will lose their Security Key. The website I’m thinking of has the answer in its FAQ: if you lose your Key, you can still log in, they’ll just ask some security questions. What kind of questions would those be? Typically, "What’s your mother’s maiden name?" or "What are the last 4 digits of your credit card?".
Now those are answers well within reach of hackers half-way around the world! My mother’s maiden name is no secret. A hacker who can trick someone into giving up their password on a phishing site can just as easily trick them into entering the credit card they use. Getting these answers is much, much easier than guessing a continually changing 6-digit number. So in the end, the layer of protection added by the Security Key is only as strong as its weakest fallback, which is typing in answers to "security questions".
Take a look at PhoneFactor now.
Step 1: Enter your usual username and password.
Step 2: Instantly, you receive a phone call. Answer and press #.
A hacker around the world can’t press # on your phone, so they can’t use your account. It’s a lot harder to lose your telephone than a Security Key, and if you do, you’ve got a lot more motivation to replace it anyway rather than just switch to "security questions". So there are three real benefits to choosing PhoneFactor:
1) You don’t have to buy a Security Key,
2) You don’t have to carry around a Security Key, and
3) The website doesn’t need a weaker substitute that neuters the whole system.
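The two steps above are a small protocol, and the security property they rely on is easy to get wrong in an implementation. The following is an added example written for this page (it is not PhoneFactor's code and makes no claim about how their service is built): a toy server that checks the password over the web channel, then dials the enrolled phone number and only completes the login when the response comes back on that call leg. The telephone network is simulated by a list of call records, and the user names, numbers and passwords are constructed for the demonstration. It also models the optional PIN instead of a bare #, since a bare # can be pressed by whoever holds a stolen phone.

```python
import hashlib
import hmac
import os
import secrets

CALL_TTL_SECONDS = 60   # assumption: an unanswered call stays valid this long


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class PhoneCall:
    """One outbound call leg. The approval token travels inside the server's
    own call record, never through the browser, so a keylogger on the PC
    never sees it and a phishing page has nothing to relay."""

    def __init__(self, phone: str, token: str, placed_at: int):
        self.phone, self.token, self.placed_at = phone, token, placed_at
        self.answered = False


class OutOfBandLogin:
    def __init__(self):
        self.users = {}      # username -> (salt, pw_hash, phone, pin or None)
        self.pending = {}    # token -> username, awaiting the phone response
        self.calls = []      # simulated telephone network
        self.sessions = set()

    def register(self, username: str, password: str, phone: str, pin):
        salt = os.urandom(16)
        self.users[username] = (salt, hash_password(password, salt), phone, pin)

    def start_login(self, username: str, password: str, now: int):
        """Step 1: username and password arrive over the web channel."""
        record = self.users.get(username)
        if record is None:
            return None
        salt, pw_hash, phone, _ = record
        if not hmac.compare_digest(hash_password(password, salt), pw_hash):
            return None
        token = secrets.token_hex(16)
        self.pending[token] = username
        # Step 2: the server dials the number enrolled for this account,
        # regardless of who typed the password.
        self.calls.append(PhoneCall(phone, token, now))
        return token

    def answer_call(self, call: PhoneCall, keys: str, now: int) -> bool:
        """The holder of the phone answers and presses # (or PIN then #).
        The response is bound to the call leg, hence to the dialled number."""
        if call.answered or now - call.placed_at > CALL_TTL_SECONDS:
            return False
        call.answered = True                     # one response per call
        username = self.pending.pop(call.token, None)
        if username is None:
            return False
        pin = self.users[username][3]
        expected = "#" if pin is None else pin + "#"
        if not hmac.compare_digest(keys, expected):
            return False                         # wrong PIN: login attempt is dead
        self.sessions.add(call.token)
        return True

    def is_logged_in(self, token: str) -> bool:
        return token in self.sessions


if __name__ == "__main__":
    login = OutOfBandLogin()
    login.register("alice", "correct horse", "+1-555-0100", None)
    token = login.start_login("alice", "correct horse", now=0)
    call = login.calls[-1]
    print("call placed to", call.phone, "- approved:", login.answer_call(call, "#", 10))
    print("logged in:", login.is_logged_in(token))
```

Note what the approval does and does not prove: it shows that whoever holds the enrolled phone pressed # for this particular attempt, not that the person who typed the password is the account owner. That is the reason the PIN variant is worth having, and why the call should tell the user what they are approving before they press anything.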

I’d rather enter a PIN code on the phone than just #. Seems to me that you stand as much, if not more, chance of having a mobile stolen as a token. Anyone can press # on a stolen phone just as anyone can type in the numbers on a stolen token.
And yes, I would ensure that the PIN and the site password are different (would you need both??)
And just one question: which is more cost effective? All those phone calls to mobiles vs. the cost of a token?
If you lose your phone, or your battery is dead, or you don’t have coverage, you can’t log on? Or the bank lets you in if you answer some questions that “all the hackers have.” Same as SecurID.
Ever hear of cloned phones? The hacker clones your phone and has your ID.
Actually this is the “same” solution as SecurID, not different. It is weaker than SecurID, however, because you can have cloned phones but not cloned SecurID tokens.
don
I also stopped by the site, and will have to agree with don. I was initially excited about the prospect of using my phone, but suddenly realized that cell phones are cloned off like hotcakes in some regions. Landlines may be better, but with the right equipment you can tap into those too.
In my use of the card tokens over the years (in three different forms now) they’ve gotten better in design, encouraging you to make them part of your keychain life (and therefore more likely not to lose them). The latest model – my 4th I think – is no bigger than a USB stick and is definitely designed to be the primary ‘head’ of a keychain.
I fully admit they’re starting to get old – after all, I’ve been carrying these around for over 8+ years now – and they’re going to have to look at stronger models soon (perhaps 8 character one-time pads). But I think today’s models are at the point where you’re not readily advertising to the world that you have one.
SM -> I suspect that will depend on the cell plan that your business has. Some folks who have phones in our company (for the once-a-month quick question), it’s cheaper to hand out the fobs. Some (like me) would be the phone for certain, but for security and TCO sake we would keep to the fobs.
–Tim K.
Does anyone have any comments on the PhoneFactor benefit of the feedback loop not going through the web page? In other words, is it beneficial that the telephone network is the channel returning the 2nd authentication (vs typing it into the browser)? If so, a pin entry on the phone could be quite beneficial.
I just read an article on the Wall Street Journal’s MarketWatch site about this. They quoted a Gartner Group VP: “‘Telephone is the most logical out-of-band channel because it’s not in the same PC band,’ she explains. But be sure, she warns, that you confirm the transaction over the telephone — not through your PC. ‘PCs are becoming more and more insecure.’” A SecurID token just gets typed right back into the hacked PC.
The cloned cell phone argument is silly: even the FCC states, “For cell phone cloning fraud, the cellular equipment manufacturing industry has deployed authentication systems that have proven to be a very effective countermeasure to cloning.” It is almost impossible to do on the current digital networks unless you steal the phone itself or have direct access to the LOCAL cell tower used by that phone. And then you need to know your target’s cell phone number (unpublished), their banks, their user name and password, etc. And if they have a PIN they use on the phone, then even the one-in-a-billion cloning is worthless: you can’t use a cloned phone at the same time as the original (on inbound calls the carrier defaults to the phone it can find the quickest), and the cloned phone doesn’t hear ANYTHING picked up by the other phone; it’s not like multiple home phones on the same land line. Your average Romanian hacker isn’t quite that sophisticated, or desperate or stupid enough to travel to Kentucky in hopes of stealing your cell information out of thin air. Oh, and apparently this solution works with land lines too; don’t hear much about those getting cloned.
I found it amusing that WIRED magazine just listed SecurID cards (and pictured the token too) as one of the “Worst Gadgets Ever.” I am definitely digging the phone as a great alternative – and replacement.
kev
Excellent info Kevin. Other than out of band benefits, are there other enhanced security benefits for token-less solutions like phonefactor? There seem to be a good range of cost benefits, but I’m interested in making arguments to my boss and customers why the authentication solution is superior.
One is, with one of the paid solutions, you can replace the “#” response on the phone with a PIN. You can essentially duplicate the first factor (i.e., what you know) through both authentication channels.
One thing Kevin is saying without saying it is that there is phishing protection with phonefactor and other Out of Band services. You can’t sniff key strokes and you can’t phish for passwords if the information isn’t going into the network through the browser and pc.
Gotta hand it to PhoneFactor (and all phone-based 2-factor authentication schemes) for radically shifting the benefit-inconvenience ratio. 2-factor is generally a lot less convenient with only moderate benefits. This seems to be only a little less convenient with a lot of significant benefits.
I may be shallow, but cost brought me in the door. I needed something I could try for free, and PhoneFactor has a free version. The razor-and-blades trick is to get you in the door and then soak you, but it turns out the free version is all I need. I support about 35 terminal services users, scattered around, and the version I have works just fine; no need to upgrade to the paid version. They even pay for the phone call.
Excellent info Kevin, though one thing Kevin is saying without saying it is that there is phishing protection with PhoneFactor and other out-of-band services.
We’ve been using it for terminal services, and it has worked out well: http://www.phonefactor.com/terminalservices
We’ve been using it for OWA authentication and have been pretty satisfied. The agent is at http://www.phonefactor.com/solution/corporate-email.
We’re considering the OWA implementation. What’s so great about it?