PhoneFactor Makes Security Tokens Obsolete
Touring the show floor at Interop Las Vegas gives one a chance to see some fun marketing ideas, cool new ideas and simple new ideas, and to meet interesting people with passion for their vision. Two such people I met at the show (there were dozens – more than at any other I've been to in the past six or seven years) were Dan Chmielewski (left), principal of Madison Alexander PR, and Jason Sloderbeck (right), VP Service Delivery for Positive Networks.
Jason and I connected pretty quickly – his experience in broadband data networking at Sprint in the latter 1990s coincided roughly with products and services of my neighbor in Allen TX. As it turns out, many of the leadership team of the company, Positive Networks, are former Sprint Broadband executives who founded the company in 2001 as a Software-as-a-Service provider for network security and, in particular, remote access.
Although that service is a valuable offering for many enterprises and has an impressive customer list, I was most jazzed about PhoneFactor. This patent-pending method is designed to overcome the shortcomings of more established two-factor methods.
Strong authentication techniques combine something you have with something you know.
The EMC RSA SecurID product pairs server software, integrated with the authentication server, with a user fob whose clock changes its six-digit number every ten seconds. Users submit their login credentials and are then challenged by the server for their token response. Typing in and submitting the number displayed authenticates the user.
The aggressive competitor, Entrust IdentityGuard, is a two-factor method that uses a pre-printed wallet card instead of a digital dongle or fob as the item you have. The server challenges the user, and the user looks up the appropriate response and reports it to authenticate.
PhoneFactor similarly integrates server software with the authentication mechanism of the application to be protected. Attempting to log in generates a call request to the Positive Networks server, which looks up your telephone number. The challenge is delivered by telephone through the extensive VoIP network of Positive Networks. Your phone rings, you are told that Positive Networks is calling, and you are asked to authenticate. In some implementations it might be appropriate to hit the # sign and hang up. In other implementations a PIN may be required.
It is expected that users will tend to prefer to use their mobile telephone in this method.
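The call-back flow described above, sketched as an added example (it is not Positive Networks' code). The function names, the 30-second answer window and the sample directory are assumptions made for illustration.

```python
import hmac
import time
from dataclasses import dataclass

# Constructed sample directory: username -> (phone number, optional PIN).
DIRECTORY = {
    "alice": ("+1-555-0100", None),    # confirms with '#' only
    "bob": ("+1-555-0101", "4821"),    # must key in a PIN, then '#'
}
ANSWER_WINDOW = 30  # seconds a call may wait for a response (assumed value)


@dataclass
class Call:
    user: str
    number: str
    placed_at: float
    used: bool = False


def place_call(user, password_ok, now=None):
    """Step 1: after the first factor succeeds, look up the number and dial."""
    if not password_ok or user not in DIRECTORY:
        return None  # never ring a phone for a failed or unknown login
    number, _pin = DIRECTORY[user]
    return Call(user, number, time.time() if now is None else now)


def verify_keypad(call, keys, now=None):
    """Step 2: decide on the keypad input collected during the call."""
    now = time.time() if now is None else now
    if call is None or call.used:
        return False  # no pending call, or a response is being replayed
    call.used = True  # one decision per call, whatever the outcome
    if now - call.placed_at > ANSWER_WINDOW:
        return False  # unanswered or late calls fail closed
    _number, pin = DIRECTORY[call.user]
    expected = "#" if pin is None else pin + "#"
    # Constant-time comparison so timing does not leak PIN digits.
    return hmac.compare_digest(keys.encode(), expected.encode())
```

The phone is only rung once the password check has passed, and each call yields exactly one accept-or-reject decision.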
I think back to my own experience with the SecurID card at a high-tech manufacturer. I constantly lost the little fob, or broke it. At one point I asked my authentication administrator for a stack of pre-addressed mail-back envelopes to improve my productivity. The ability of the PhoneFactor to simply use my mobile phone (something I already have with me) greatly improves the likelihood of a successful authentication. In fact, I can lose my cell phone, but because it's the number that authenticates, simply replacing the phone and keeping the number means I can still authenticate to my network and services.
More importantly, the pricing for the service is designed to disrupt the authentication market – it's free. Monetization comes with features like support.
This is certainly one of the most compelling security highlights of Interop 2007.