Out-of-band authentication with Authentify offers compelling service

Rick Vanover reviews the Authentify authentication service, which offers an automated solution with an extra authentication factor and a strong audit trail.

Application service provider (ASP) Authentify offers a unique extra factor for critical authentication applications. Most authentication situations involve only a username and a password. Authentify provides a service that adds a step to the transaction -- a telephone call is made to the (expected) person attempting to authenticate. The service is principally targeted at financial, healthcare, and certain e-commerce situations. However, Authentify can also be used for password reset, token issuance, and as an additional factor for other authentication applications.

Automated solution with audit trail

The telephone call is placed from Authentify's equipment. The telephone number is sent from your internal Web servers to Authentify to complete the transaction, and using the telephone call gives the transaction a strong audit trail. The service also offers biometric speech matching during the authentication call to validate the authentication request. The request from the Web transaction can be compared to an approval (password, phrase, or codeword) from the telephone number on file. The Authentify service can also capture an electronic signature that meets the e-sign requirements. Being able to match that with an audio recording is a strong confirmation of the identity being verified.

Transfer through network security layers

The Authentify services receive the authentication request through an XML Web service. The basic operation for all of their services resembles the following flowchart:

[Figure: Basic flow of the process]

This security model works well with most network environments, and no additional equipment is required for the outbound dialing services. An architecture overview of the service is available on the Authentify website, along with information about all of their services and usage scenarios.
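The out-of-band flow described above (web request, call to the number on file, approval compared against the web transaction, audit trail), sketched as an added example that is not Authentify's code or API. `OutOfBandVerifier`, its method names, the six-digit code, and the hash-chained log are assumptions made for illustration, and the telephone call itself is simulated.

```python
import hashlib, hmac, json, secrets, time

def _digest(rec):
    body = {k: v for k, v in rec.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class OutOfBandVerifier:
    """Simulated phone-channel verifier (hypothetical; not Authentify's API)."""
    def __init__(self, ttl=120, max_tries=3):
        self.ttl, self.max_tries = ttl, max_tries
        self.pending, self.audit, self._prev = {}, [], "0" * 64

    def _log(self, event, rid, now, **extra):
        # Each record commits to the previous hash, so later edits break the chain.
        rec = {"ts": now, "event": event, "rid": rid, "prev": self._prev, **extra}
        self._prev = rec["hash"] = _digest(rec)
        self.audit.append(rec)
        return event

    def start(self, user, phone_on_file, txn, now=None):
        now = time.time() if now is None else now
        rid, code = secrets.token_hex(8), f"{secrets.randbelow(10**6):06d}"
        self.pending[rid] = {"code": code, "txn": dict(txn), "exp": now + self.ttl, "tries": 0}
        # The call to the number on file is simulated; only the request is logged.
        self._log("call_placed", rid, now, user=user, phone=phone_on_file, txn=dict(txn))
        return rid, code  # code is shown in the web session, keyed in on the phone

    def confirm(self, rid, keyed_code, txn_to_execute, now=None):
        now = time.time() if now is None else now
        st = self.pending.get(rid)
        if st is None:
            return self._log("unknown_or_used", rid, now)
        if now > st["exp"]:
            del self.pending[rid]
            return self._log("expired", rid, now)
        if not hmac.compare_digest(keyed_code.encode(), st["code"].encode()):
            st["tries"] += 1
            if st["tries"] < self.max_tries:
                return self._log("bad_code", rid, now)
            del self.pending[rid]
            return self._log("locked_out", rid, now)
        del self.pending[rid]  # single use: a code never approves twice
        # The transaction about to run must equal the one read out on the call.
        ok = txn_to_execute == st["txn"]
        return self._log("approved" if ok else "txn_mismatch", rid, now)

def audit_intact(audit):
    prevs = ["0" * 64] + [r["hash"] for r in audit]
    return all(r["prev"] == p and r["hash"] == _digest(r) for r, p in zip(audit, prevs))
```

Binding the approval to the transaction details is what lets a changed payee or amount be refused even when the code itself was keyed correctly.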

About

Rick Vanover is a software strategy specialist for Veeam Software, based in Columbus, Ohio. Rick has years of IT experience and focuses on virtualization, Windows-based server administration, and system hardware.

15 comments
LauraDeitch

I heard about TeleSign's two-factor authentication product that has already processed more than 1 billion transactions while maintaining enterprise-level uptime, fully redundant on all hardware, network, and telecommunications layers and their voice prompts are already available in over 50 languages and can be further customized. Watch their product demo at http://www.telesign.com/products-demos/two-factor-authentication/

martinconr

Validsoft (www.validsoft.com) offer a very good OOB solution with transaction verification - this enables the user to reject the transaction if incorrect.

Witter22

Authentify absolutely includes transaction verification so that the users can reject transactions in order to avoid man-in-the-middle attacks. Voice Biometrics can also be layered in as an additional factor of authentication.

andre.j.hawkins

Boss saw a demo at RSA of strong authentication with phones for remote desktop. He told me to compare Authentify, phoneFactor, see what RSA has that uses phones, and also Thawte. I've done some quick digging and it's not obvious what the differences are, other than that phonefactor doesn't seem to do text messaging. Ideally, I'd just have a plug-in for my Terminal Server. Some of what I was reading makes it look like there is actual integration development necessary. Thanks in advance for the help!

kumar.jeff

We used an OWA agent to set up PhoneFactor, which was quick and easy--half hour setup. It scaled nicely and conveniently to our 500 users. If users are out of cell range they can call and set up a different number for Authentication.

brian.samuela

With PhoneFactor the phone becomes the actual second factor. After entering username and password, Phonefactor places an outbound call to phone handset. User presses # and PhoneFactor system reports back for the second factor.

andre.j.hawkins

Sounds like we've got some religious war raging here. Good thing about PhoneFactor is it's free to try. We tried it for terminal services (www.phonefactor.com/terminalservices) and it has worked out pretty well.

bwilliams

Anakam can work with cell, home, office, and also includes voice biometrics...dead battery on cell phone or poor coverage does not matter.

bwilliams

Anakam's two-factor authentication platform offers multiple channels of out of band distribution and does so to meet federal security standards and guidelines (HIPAA, Privacy Act, FFIEC, FISMA, NIST, FIPS, PCI...). Cost reduction is significant because there is no hardware, software, or certificates to deploy...

brian.samuela

Just saw the discussion about dead battery near the top of this discussion. I think I remember hearing that with phonefactor and other phone based 2-factor solutions you can pretty easily move your authentication scheme to a nearby landline phone (don't know exactly how that works--gotta look into it).

andre.j.hawkins

Does Anakam require tokens? Phonefactor manages to avoid distribution and management of tokens because the 2nd factor is the phone. Also, what's your sense of pricing on that?

bwilliams

Anakam (www.anakam.com) offers an innovative, non-ASP based solution that is implementable on a massive scale that provides a single platform for the integration of true two-factor authentication across numerous channels including Voice Bio, IVR, SMS, etc and can also include alternative strong authentication solutions including risk-based authentication.

catseverywhere

...open the pod bay doors, HAL... I can see where a few operations could benefit from this very secure methodology. But I can also see problems, beginning with something as simple as a dead battery on your cell phone, out of service range, etc... I would assume if you need this type of security, you'd also have the need to access whatever service whenever/wherever you want. Technically just about any failure of this service you could imagine would be the user's fault, not the Authentify people. But I predict not a few ticked off big shots down this road.

b4real

Could be... But for big money or stuff it is truly interesting. Further, it could be a non-required step, to do an audio recording for parts of a transaction.