Why SMS-Based Authentication is Superior to Security Tokens
Subscribe to RSS FeedWednesday, 22. June 2011
Munich, Germany, June 22, 2011 - In recent weeks the IT security provider RSA has made the headlines with its admission, in a letter to customers, that hackers had managed to penetrate some of its servers. A June 14 article in the German IT journal Computerwoche noted that damage resulting from the attack was more serious than initially thought and described the vulnerability of token-based systems that are designed to authenticate user access to protected IT resources. This may be less of a problem for consumers, but for companies and public authorities it is a serious security issue. These organizations need local authentication mechanisms that go beyond a simple password and ensure that unauthorized users never have access to confidential information.
Tokens work in conjunction with factory encoded random keys ("seeds") to generate one-time use passwords at fixed intervals, usually every 60 seconds. Since these keys are mapped to their tokens before use, if they are stolen they can be used to replicate the one-time passwords independently, effectively removing the second factor of a two-factor authentication structure. Another issue with this technology, which has been around for years and is now being overtaken by newer technologies, is the time-consuming and costly administration of the hardware tokens. Each token has to be registered on the authentication server and allocated to a specific user. Also, the tokens tend to get lost easily, opening up an additional security vulnerability until it has been blocked at the server level. The recent case also shows that the tokens can be hacked and need to be replaced - a procedure that is both complex and extremely expensive.
A viable alternative is SMS-based authentication, which is secure while remaining easy to manage and relatively inexpensive. Comments Markus Seyfried, CTO at Brainloop: "To give enterprise users secure access to business-critical information, we offer companies a different kind of two-factor authentication. It comprises a user name and password along with a one-time PIN generated in real-time and texted to the user's cell phone. The PIN is only valid for a single session in the secure data room and expires after a definable length of time." Also, users tend to notice the loss of their cell phone very quickly and can react by remotely blocking the SIM card. As a result, mobile devices are more flexible and a secure part of the data protection infrastructure than token technology.
An overview of Brainloop's security features is available at:
http://www.brainloop.com/products/security-features.html
ABOUT BRAINLOOP
Brainloop, with offices in Boston and Munich, uses document compliance management (DCM) to make online collaboration safe and compliant, giving users the peace of mind to focus on their business goals. Brainloop's web based solution automatically manages security and compliance, allowing highly confidential documents to be easily edited and distributed inside and outside the corporate network. Encryption and operator shielding protect all documents from insider threat and external attacks, pro-viding a highly secure collaboration framework. The solution enables the complete transparency and auditability of all accesses and changes to documents, supporting corporate and regulatory com-pliance directives. Frequent uses include contract negotiations, collecting data and writing up quarterly reports, and any other communication that contains confidential information. To learn more, visit http://www.brainloop.com.
PRESS CONTACT:
Victor Cruz
MediaPR
vcruz(at)mediapr.net
(978) 594-4134
Related free Resources
BACKGROUNDERS
WHITE PAPERS
"Because of its easy use, worldwide availability, and best-in-class information security, Brainloop is the optimal solution for our requirements."
Manfred Seiler, Head of IT-Applications, Eurocopter