UK: Two-factor authentication is not a new idea. It has grown in popularity with the increase in Internet-facing services. However, it is in the area of remote access that two-factor authentication tools have not always kept pace with consumer demands.
Users don’t want to be restricted to accessing corporate systems only from their company-issued PC. Instead, they want to be able to log in from anywhere, on any device, at any time, whether it is from their home PC, an Internet-enabled laptop in a hotel or airport, or from their smartphone.
Some methods for two-factor authentication are not practical for use on anything other than a corporate device: smartcards require readers and local software, and even USB tokens need software to be installed on the remote PC or laptop before they can be used.
Another common method of two-factor authentication is the use of tokens, which do have the advantage of allowing authentication on any device. However, they are expensive to purchase and carry costly administration overheads: the units have to be managed and deployed, and lost or broken ones replaced. They also require PIN administration and burden users with carrying additional devices.
All these factors are driving corporate IT departments to look for a new solution that can provide the security levels of two-factor authentication, enable employees to use any remote machine, keep costs low and not require users to carry additional hardware with them.
One simple answer has been to use mobile phones as a second authentication device. Current estimates show that there are over 80 million mobile phones in the UK. This makes the humble mobile phone ideal as an authentication device, but the question is how.
One approach is to install software on a mobile phone. The range of phone types and operating systems in use today is so diverse that it leads to significant support challenges. It is unrealistic to expect helpdesk personnel to be trained and have access to a vast range of mobile phone devices. In general, this approach can only work if employees are limited to using just one or two types of phone.
A more practical approach, and one that is growing in popularity, is to use SMS, which isn’t dependent on the make and model of the phone, to send the user a one-time passcode. The one potential downside to using SMS for two-factor authentication is found with systems that send users a passcode in real time, while they are in the process of logging on to a site: these systems are vulnerable to delays in the SMS network.
However, if users are sent their initial passcode as soon as they are enrolled, and then as soon as one code is used it is immediately replaced with the next one, the problem of SMS delays is resolved.
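The pre-loaded passcode scheme described above, sketched as an added example (it is not SecurEnvoy's or any vendor's code). The class name, the `send_sms` hook, the 6-digit code length and the sample phone number are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class PreloadedPasscodeService:
    """Keeps one unused passcode per user; the next is sent as soon as one is used."""

    def __init__(self, send_sms):
        self._send_sms = send_sms      # callable(phone, text); hypothetical SMS gateway hook
        self._users = {}               # username -> {"phone", "salt", "digest"}

    def _issue(self, username, avoid=None):
        """Generate a fresh code, store only its salted hash, and text it out."""
        user = self._users[username]
        code = avoid
        while code == avoid:           # never re-send the code that was just used
            code = f"{secrets.randbelow(10**6):06d}"
        user["salt"] = secrets.token_bytes(16)
        user["digest"] = hashlib.sha256(user["salt"] + code.encode()).digest()
        self._send_sms(user["phone"], f"Your next passcode is {code}")

    def enroll(self, username, phone):
        """Enrollment delivers the first code long before the first login."""
        self._users[username] = {"phone": phone, "salt": b"", "digest": b""}
        self._issue(username)

    def verify(self, username, submitted):
        """Check the code already held on the phone; on success replace it at once."""
        user = self._users.get(username)
        if user is None:
            return False
        candidate = hashlib.sha256(user["salt"] + submitted.encode()).digest()
        if not hmac.compare_digest(candidate, user["digest"]):
            return False
        self._issue(username, avoid=submitted)  # used code is dead; next one goes out
        return True


def demo():
    outbox = []                        # constructed stand-in for the SMS network
    svc = PreloadedPasscodeService(lambda phone, text: outbox.append((phone, text)))
    svc.enroll("alice", "+440000000000")        # constructed sample number
    first = outbox[-1][1].split()[-1]
    results = [svc.verify("alice", first)]      # login needs no SMS round trip
    results.append(svc.verify("alice", first))  # replay of a used code is rejected
    results.append(svc.verify("alice", outbox[-1][1].split()[-1]))
    return results, len(outbox)
```

The login check never waits on the SMS network, because the valid code was delivered before the login began. The sketch leaves out limits on failed attempts, which a deployed service would also need.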
This method of two-factor authentication for remote access opens up the corporate network to legitimate users more than ever before. In situations where employees are unable to get into the office, for example as a result of transport strikes, adverse weather conditions, terrorism or damage to the actual building from fire or floods, it was previously difficult to provide secure remote access to everyone.
Many companies that normally use tokens to authenticate their remote employees, for example, might resort to allowing users to sign in over a VPN using just their Windows username and password, as it is not practical or cost-effective to deploy tokens to everyone. However, letting the organization’s security 'guard' down in a time of crisis simply isn’t an option, as this is often when the company is most vulnerable.
By using mobile phones for two-factor authentication, businesses can easily enable secure remote access for all users with just a flick of a switch. The employees would have been pre-registered for remote access using their phones, so the database of phone numbers will already be in existence, and the user will already have their first passcode sitting on their phone, just waiting until it is needed.
At a time when security threats are growing and mobile working is increasing in popularity, two-factor authentication to enable secure remote access is more important than ever. And with the new technology available to meet these demands, it is also easier than ever.
The author is associated with SecurEnvoy, UK.