Last month Yahoo announced on-demand passwords. According to Yahoo, the new approach is meant to give users secure access to their accounts without having to remember a password.
“This is the first step to eliminating passwords,” said Dylan Casey, Yahoo’s Vice President of Product Management for Consumer Platforms, as reported by Richard Nieva of CNET. “I don’t think we as an industry have done a good enough job of putting ourselves in the shoes of the people using our products.”
Yahoo sends these passwords to the user’s mobile phone by SMS. At first glance this resembles a hardware token: the code arrives on a device the user carries rather than being something to memorize or something stored in the browser. But an SMS is not bound to the handset the way a token’s secret is; it travels over the carrier network and lands on the lock screen, so it can be read or redirected by someone other than the account holder, as the risks below show. All of this is done in the name of security and simplicity. Combining those two words into a single product is the ideal, but is this the best avenue to follow?
How could someone take advantage of one-time passwords (OTP) via SMS?
- Lost or Stolen Phones – though we would like to think that a Good Samaritan will return our property untainted, it’s not always the case. There are some “not-so-good” Samaritans that will seize the opportunity to cash in on a “free phone” or “free data”; especially if it wasn’t properly locked in the first place.
- Lock Screen Notifications – Many smartphones show the most recently received messages on the lock screen. An on-demand password can therefore be read at a glance by anyone near the phone, without the owner knowing until it is too late. Turning off message previews on the lock screen closes this particular gap, but most users never change the default.
- False Cell Towers – There have been reported risks and serious architectural concerns about rogue femtocells being used to intercept voice calls and text messages. As with malware on the handset, someone could read an on-demand password before the intended recipient does.
While simplifying account access is desirable, the security of the account itself should take precedence. There is a case for an on-demand password on a public computer, especially one where a keylogger is waiting and listening: a code that is burned after a single use is worth far less to the attacker than a reusable password. Even so, the on-demand option should be a temporary fallback, not a standing alternative to the password. TK Keanini, CTO of Lancope, shared his thoughts on the growing need to manage mobile security properly with Infosecurity.
“While only leveraging a single factor (something you have – your phone), the security of the system will depend on how secure that device remains over time.” That security must start at the mobile device, the endpoint.
Two-factor authentication still offers superior protection for accounts, especially when we are talking about cloud services and the personal e-mail that employees often use to transfer work files for access at home. A more reliable option is to do away with OTP hardware tokens and text messaging altogether and turn the smartphone itself into the security token. What to consider with this method:
- Take a hybrid approach to VPN authentication: on-premises authentication software paired with encryption of the credential on the device.
- Provide different authentication levels for each user group. Not every group or individual needs the same type of access.
- Decide how much to invest in support and hardware. Letting employees’ existing smartphones double as hardware tokens keeps implementation costs low.
VPN Authentication by BlackBerry offers PKI-based, two-factor authentication and turns an existing smartphone into an access pass to your company’s VPN, whether the managed smartphone runs BlackBerry, Android or iOS. This removes the need to receive and type in OTPs or PINs, while using the smartphone as a stronger and more versatile second factor. That is a true example of usable enterprise-grade security.
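The difference between the two models above comes down to what travels over the wire. An SMS code is a bearer secret: the server accepts it from whoever types it first, so a glance at a lock screen or a rogue cell tower is a full compromise. A device-bound key is never transmitted; the phone proves possession by answering a fresh challenge, so a recorded exchange cannot be replayed. The following is an added illustration, not Yahoo’s or BlackBerry’s code. To stay within the Python standard library it uses an HMAC key held on the phone as a stand-in for the PKI-based client certificate the article describes; the replay property being demonstrated is the same. The 300-second code lifetime and the user names are assumptions.

```python
"""Bearer SMS codes versus a device-bound key.

Added illustration (not Yahoo's or BlackBerry's code). The on-demand password
side models an SMS one-time code as the server sees it. The device-token side
uses an HMAC key that never leaves the phone; this is a symmetric stand-in for a
PKI client certificate, chosen so the example runs on the standard library alone.
"""
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300  # assumed lifetime of an on-demand code (not stated by Yahoo)


class SmsOtpServer:
    """Issues a one-time code 'by SMS' and accepts it from whoever presents it first."""

    def __init__(self):
        self._pending = {}  # user -> (code, expiry)

    def send_code(self, user, now=None):
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user] = (code, now + OTP_TTL_SECONDS)
        return code  # this is what crosses the carrier network and hits the lock screen

    def login(self, user, code, now=None):
        now = time.time() if now is None else now
        entry = self._pending.get(user)
        if entry is None:
            return False
        expected, expiry = entry
        # The server cannot distinguish the account holder from anyone who read the SMS.
        ok = now <= expiry and hmac.compare_digest(expected, code)
        if ok:
            del self._pending[user]  # one-time: burned on first successful use
        return ok


class DeviceToken:
    """The phone. Holds a key generated at enrollment that is never sent at login."""

    def __init__(self):
        self._key = secrets.token_bytes(32)

    def enrollment_key(self):
        # With a symmetric key the server needs a copy once, at enrollment. With PKI
        # it would receive only the certificate. In both cases login never sends the key.
        return self._key

    def respond(self, user, challenge):
        return hmac.new(self._key, user.encode() + b"|" + challenge, hashlib.sha256).digest()


class ChallengeResponseServer:
    """Proves possession of the enrolled device without a reusable secret on the wire."""

    def __init__(self):
        self._keys = {}        # user -> enrolled device key
        self._challenges = {}  # user -> outstanding nonce

    def enroll(self, user, key):
        self._keys[user] = key

    def challenge(self, user):
        nonce = secrets.token_bytes(16)
        self._challenges[user] = nonce
        return nonce

    def login(self, user, response):
        nonce = self._challenges.pop(user, None)  # each nonce is usable exactly once
        key = self._keys.get(user)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, user.encode() + b"|" + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def intercepted_sms_lets_attacker_in():
    """Whoever reads the SMS (lock screen glance, rogue cell, stolen phone) gets in."""
    server = SmsOtpServer()
    code_seen_by_attacker = server.send_code("alice")
    return server.login("alice", code_seen_by_attacker)


def replayed_transcript_fails():
    """An eavesdropper records a complete successful exchange and replays it later."""
    phone = DeviceToken()
    server = ChallengeResponseServer()
    server.enroll("alice", phone.enrollment_key())

    c1 = server.challenge("alice")
    r1 = phone.respond("alice", c1)
    legit = server.login("alice", r1)   # the real phone answers the fresh challenge

    server.challenge("alice")           # a later login attempt gets a new nonce
    replay = server.login("alice", r1)  # the recorded response no longer matches
    return legit, replay


if __name__ == "__main__":
    print("intercepted SMS code accepted:", intercepted_sms_lets_attacker_in())
    print("(legit login, replayed transcript):", replayed_transcript_fails())
```

Run it and the SMS side reports that the intercepted code is accepted, while the device-bound side reports the legitimate login succeeding and the replayed transcript failing. The lesson carries over to the PKI product described above: what matters is that the secret stays on the handset and every login answers a fresh challenge, which is exactly what an SMS code cannot offer.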