Profile: PhoneFactor – a free twist to two-factor authenticationby Steve Ragan - Nov 3 2009, 01:33
PhoneFactor – a free twist to two-factor authentication
Recently, we talked to a company that covers security from a different perspective. They offer a service that enables two-factor authentication with a device that almost everyone on the planet has, a cellular phone. While others can offer this service as well, this company starts with a free offering, and then as a business grows, they can pay to add more coverage.
PhoneFactor is a two-factor authentication security provider based in Overland Park, Kansas. The main point behind PhoneFactor is that people tend to lose the tokens and other items associated with two-factor authentication solutions. At the same time, almost everyone has a cellular phone.
The process for using PhoneFactor’s service is simple. A user starts by entering their username and password on a given site. Once they start to login, they will get a call on their phone and need only to press #, or enter a pre-defined PIN, to confirm their identity. Once the identity is confirmed, thanks to the PhoneFactor agent working in the background, the process is complete and the user is fully authenticated.
The PhoneFactor agent will allow integration into VPN services, RADIUS, Outlook Web Access, Citrix, SSO systems, as well as LogMeIn. However, they also offer an SDK for developers to tie the service into almost any application. The SDK is available for ASP.NET (VB and C#), Java, Ruby, Perl, and PHP.
To use the service, all one needs to do is register. Businesses with 25 seats or less will not be charged for usage. (This is limited to 30 calling zones listed here. Any business outside those zones can register and get a $5.00 USD credit added to their account for a trial period.)
PhoneFactor is interesting to us for two reasons. The first is the ability to add two-factor authentication to any given application without the need to re-code things from scratch. This is where the SDK and agent sing. The other interesting aspect is that they essentially give the service away to SMBs.
A company who needs this level of authentication security would spend thousands on a solution, a level of funding that isn’t always available. Granted, the free version is limited on some areas, but the basics are covered, and for some organizations this will help.
So why then, would a business care about or invest in this? In a recent PhoneFactor survey, 72-percent of the 250 IT professionals surveyed said that usernames and passwords were not enough to protect access to corporate data. While the survey could appear biased, the fact that IT professionals understand usernames and passwords alone are not enough is the takeaway point.
Security needs layers to work. Two-factor authentication is just one of the many layers available to businesses. Using a phone over a USB token or other two-factor device just seems like a simple way to hook into this layer of protection. There are compliance issues, PCI-DSS 8.3 comes to mind here, but security for the sake of compliance alone often never works.
There is the Malware angle of security as well. One of the things PhoneFactor talks about is how this level of protection will stop Malware aimed at financial transactions for any given business. To back this claim, they mention the SilentBanker Trojan, first seen in 2007 as a direct attack on online banking, and Clampi, which infected close to half a million computers earlier this year.
“This particular Trojan is targeting businesses, not consumer banking, in hopes of gaining accesses to higher balance accounts. And it circumvents security tokens and one-time-password technologies designed to protect online banking users. The best method of protection against these threats is out-of-band authentication, which verifies a user’s identity through a separate channel,” a PhoneFactor statement on Clampi explains.
For small business with one or two applications that could use the boost in security, the free offering is worth a look. If you need more than two, test the free service and then reach out to PhoneFactor for a quote. The actual cost will depend on the number of seats.
In the end, when we heard about PhoneFactor, we figured what they offered was worth sharing. If you are a current customer, or have tried their service, leave us a comment and let others know what you think.