Users are demanding a simpler authentication experience. In particular, U.S.-based consumers are intolerant of workstation software and hardware-based authenticators like one-time password (OTP) devices, and these users carry over their preferences to their work life. While demand for device-anywhere access continues to accelerate, enterprises and application providers are caught between a rock and a hard place due to increased security and compliance demands. These incongruous demands can be met by one device: the mobile phone.
Mainstream mobile device authentication methods include short message service (SMS) OTP, device-generated OTP and out-of-band (OOB) authentication. In this tip, let's explore these mobile phone authentication options and review how you can help your customers implement them.
SMS one-time password authentication
SMS-based OTP leverages text messaging (more specifically, short message service) to deliver a one-time password upon request. To receive the OTP, the user goes to the application website and requests the OTP. Provided that the user's mobile phone has sufficient connectivity to the mobile network, the user will receive the SMS with the one-time password. The user then types the OTP into the authentication form on the application website and gains access. As with similar systems, the OTP can be used only once, which provides much better security as compared to traditional passwords.
Relative to the other mobile device authentication methods discussed here, SMS-based one-time passwords are the least secure, primarily because of the relative insecurity of the SMS protocol. While somewhat convenient for the casual retail consumer, the SMS OTP method can cause "usability fatigue" for enterprise users who authenticate frequently during the day and therefore must wait for the SMS delivery of the OTP each time.
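Server-side handling is where most of the SMS OTP security actually lives: the code must come from a cryptographically secure generator, must expire quickly, must tolerate only a few wrong guesses, and must be accepted exactly once. The Python below is an added illustration written for this tip, not code from the author or any vendor; the `SmsOtpService` class and its method names are assumptions, and delivery to the SMS gateway is left to the caller because it is carrier-specific.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional


class SmsOtpService:
    """Server side of SMS OTP (constructed example). issue() produces the code the
    SMS gateway will send; verify() enforces expiry, an attempt limit and single use."""

    def __init__(self, ttl_seconds: int = 300, max_attempts: int = 3, digits: int = 6):
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self.digits = digits
        self._pending = {}  # user -> {"salt", "digest", "expires", "attempts"}

    @staticmethod
    def _digest(salt: bytes, code: str) -> bytes:
        # Salted hash so a leaked table of pending codes is not directly usable.
        return hashlib.sha256(salt + code.encode()).digest()

    def issue(self, user: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        # CSPRNG-backed digits; never use the random module for authentication codes.
        code = f"{secrets.randbelow(10 ** self.digits):0{self.digits}d}"
        salt = secrets.token_bytes(16)
        self._pending[user] = {
            "salt": salt,
            "digest": self._digest(salt, code),  # the plaintext code is not stored
            "expires": now + self.ttl,
            "attempts": 0,
        }
        return code  # caller hands this to the SMS gateway; a new issue() replaces any older code

    def verify(self, user: str, code: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        entry = self._pending.get(user)
        if entry is None:
            return False  # nothing outstanding: never issued, already used, or locked out
        if now > entry["expires"]:
            del self._pending[user]
            return False  # stale code; the user must request a fresh one
        entry["attempts"] += 1
        ok = hmac.compare_digest(self._digest(entry["salt"], code), entry["digest"])
        if ok or entry["attempts"] >= self.max_attempts:
            del self._pending[user]  # consumed on success; discarded after too many guesses
        return ok


if __name__ == "__main__":
    svc = SmsOtpService()
    code = svc.issue("alice")          # would be texted to alice's registered number
    print(svc.verify("alice", code))   # True: first use
    print(svc.verify("alice", code))   # False: a one-time password is accepted once
```

Because a six-digit code has only a million possibilities, the attempt limit and the short lifetime do more to stop guessing than the hash does; the hash only keeps an outstanding code from being read straight out of the store.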
Device-generated one-time passwords
Like SMS-based OTPs, device-generated OTPs rely upon a unique password for each initial user authentication. The OTP is generated via software on the mobile phone. The software leverages a symmetric key and (typically) the phone's clock to generate the one-time password. Relative to SMS-based OTPs, device-generated OTPs are generally more secure because the one-time password is generated on the device. The enhanced security comes with a cost; device-generated OTP authentication requires software distribution, a secure process to bind the OTP to a real user, and many different software packages to support the mobile phones on the market. Device-generated OTPs are more convenient than SMS-based OTPs, because the user does not need to wait for the delivery of the SMS message.
Out-of-band (OOB) authentication
The newest mobile device authentication method is out-of-band authentication. After initially contacting the application website, the user is contacted at a known phone number. The phone number can be associated with a land line or mobile phone. Once contacted, the user presses a few keys on the phone and is subsequently authenticated to the application website. Behind the scenes, the application contacts the OOB authentication service provider via a Web services request and receives a response when the user has successfully authenticated.
Of the three authentication options described here, OOB authentication generally provides the greatest security because it leverages a more secure medium for authentication: the phone network. As with SMS-based OTPs, enterprise users may experience usability fatigue if they authenticate frequently during the day. OOB authentication also provides the greatest platform support; users can be authenticated via their home or mobile phones.
Interested in how you can help organizations wishing to implement mobile authentication? This table summarizes the ways you can help.
Mobile device authentication combines the best of both worlds: usability and security. Over time, the authentication methods discussed here may eclipse traditional passwords, particularly for those applications which grant access to confidential data or material monetary transactions.
About the author:
Mark Diodati is a senior analyst for Burton Group Identity and Privacy Strategies. He covers identity management, authentication, provisioning, cryptography, directories, Web access management and operating system security.
This was first published in January 2010