Security

Is PhoneFactor really better security?

Chad Perrin examines PhoneFactor, a security service that adds a phone-call second factor to online banking logins. Is the extra inconvenience worth the security offered, and how secure is a third-party service sitting between you and your bank?

I received an e-mail today trying to enlist me in a marketing campaign for PhoneFactor. Of course, it was presented as a way to help myself, to encourage my bank to provide me with better security, but the ultimate goal was to get me to tell my bank that I want it to use the PhoneFactor service to ensure my account's security. The subject of the e-mail says, "Join Our Nation Campaign for Better Online Banking Security," but I have to wonder -- is the security it provides really any "better?"

The e-mail

The text of the e-mail is as follows:

  Tell Your Bank "I Want My PhoneFactor!"

  A recent FTC survey found that 8.3 million Americans were the victim
  of identity theft last year. To help consumers combat fraud,
  PhoneFactor launched a national campaign for online bank security.

  Identity Theft And Fraud Are On The Rise:

  * The number of password phishing sites increased 559% in 2007.
  * 80% of phishing sites were in the banking and financial services
    sector.
  * You are more likely to have your password phished and have your
    identity stolen than be burglarized.

  With PhoneFactor, when you login to your bank account, you
  automatically get a call. You simply answer the call and enter a PIN
  to complete the login. Even if a hacker has phished your password,
  they cannot get access to your account.

  Join Our Fax Campaign at www.iwantmyphonefactor.com

  www.phonefactor.com

The benefits

This essentially turns all online banking authentication into a two-factor login. Multifactor authentication requires two or more independent "factors," drawn from different categories:

  • Something You Know: a password
  • Something You Are: biometric identification
  • Something You Have: a smart card

In this case, the two factors in use would be your login credentials at the Web site (username and password: something you know) and your cellphone (something you have). The PIN keyed in during the call is another "something you know"; it reinforces the first category rather than adding a third.
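The call-back flow described above, modeled in Python as an added illustration that is not part of Chad Perrin's article and is not PhoneFactor's documented protocol. The split of data between the bank and the telephony service, the opaque request id, the simulated handset and the phone number are all assumptions made for the model. It shows what a phished password alone buys an attacker, and what the middleman's own log ends up containing.

```python
"""Model of a call-back second factor: the password is checked at the web
site, then an out-of-band call goes to the registered phone and the user
keys in a PIN. Constructed illustration; message shapes and the data split
between bank and verifier are assumptions, not PhoneFactor's real protocol."""
import hashlib
import hmac
import secrets


def _derive(secret: str, salt: bytes) -> bytes:
    """Slow hash so stored passwords and PINs are not directly recoverable."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


class Handset:
    """Simulated cellphone (constructed). The owner keys in the PIN only for
    a call they are expecting; an unexpected call goes unanswered."""

    def __init__(self, pin: str):
        self.pin = pin
        self.expecting_call = False

    def answer(self):
        if not self.expecting_call:
            return None
        self.expecting_call = False  # one answered call per login the owner started
        return self.pin


class CallVerifier:
    """The third-party telephony service. It is handed only a phone number
    and an opaque request id, so its records never contain usernames."""

    def __init__(self, network: dict):
        self.network = network   # phone number -> Handset (constructed)
        self.observed = []       # everything the middleman gets to see

    def call_and_collect(self, request_id: str, number: str):
        handset = self.network.get(number)
        digits = handset.answer() if handset else None
        self.observed.append({"request_id": request_id, "number": number,
                              "answered": digits is not None})
        return digits


class Bank:
    """Holds the account data; the PIN is checked here, not by the verifier."""

    def __init__(self, verifier: CallVerifier):
        self.verifier = verifier
        self.users = {}

    def enroll(self, user: str, password: str, pin: str, phone: str):
        salt = secrets.token_bytes(16)
        self.users[user] = {"salt": salt, "phone": phone,
                            "pw": _derive(password, salt),
                            "pin": _derive(pin, salt)}

    def login(self, user: str, password: str) -> str:
        rec = self.users.get(user)
        if rec is None or not hmac.compare_digest(rec["pw"], _derive(password, rec["salt"])):
            return "denied: password"   # no call is placed for a failed first factor
        request_id = secrets.token_hex(8)
        digits = self.verifier.call_and_collect(request_id, rec["phone"])
        if digits is None:
            return "denied: call not answered"
        if not hmac.compare_digest(rec["pin"], _derive(digits, rec["salt"])):
            return "denied: pin"
        return "ok"


def demo():
    """Legitimate login, then an attacker holding only the phished password."""
    phone = Handset(pin="4321")
    verifier = CallVerifier({"+15555550100": phone})   # constructed number
    bank = Bank(verifier)
    bank.enroll("alice", "correct horse", "4321", "+15555550100")

    phone.expecting_call = True                       # Alice is at her keyboard
    legit = bank.login("alice", "correct horse")
    phished = bank.login("alice", "correct horse")    # attacker; Alice ignores the call
    bad_pw = bank.login("alice", "wrong")             # never reaches the phone
    leaked_usernames = any("user" in entry for entry in verifier.observed)
    return legit, phished, bad_pw, len(verifier.observed), leaked_usernames


if __name__ == "__main__":
    print(demo())
```

Two choices in the model carry the argument. The call is placed only after the password check passes, so a failed first factor never reaches the phone and never shows up in the verifier's log. And the second factor holds only while the account holder refrains from keying in the PIN for a call they did not trigger; the Handset's expecting_call flag is where the model makes that assumption explicit.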

The problems

Of course, the standard of convenience drops significantly. With PhoneFactor, not only do you have to log in to your account, but you have to do so with your cellphone handy, its battery has to be charged, and you have to wait for the verification call -- whereupon you have to provide "something you know" (your PIN) again.

As I pointed out in the article Making encryption popular, convenience is of key importance to improving uptake of good security practice, and PhoneFactor unfortunately makes security much less convenient.

In addition to the problem of convenience, there's the problem of introducing another party into your transaction. What are the security procedures like on the back end of PhoneFactor? Any time PhoneFactor must be used to verify a login, the service provider is alerted to the fact that a given bank customer is accessing his or her account. The company is staffed by actual human beings, all of whom are imperfect, and none (or at least very few) of whom care about you personally, your privacy, or the integrity of your bank account. Will mistakes made by people at PhoneFactor open unforeseen attack vectors on your banking security? Will employees of the company be able to use their position as the middleman to take advantage of you?

Is it worth it?

Convenience must be balanced against security, sometimes. In the long run, I hope that a more convenient, more verifiably secure system is developed that provides the same kind of two-factor authentication.

The convenience hit is actually very small for the common case, and the security benefit could be quite substantial. There will be edge-cases, however, where convenience might take a nosedive -- such as being on a business trip and needing to access your bank account online, but realizing you left your cellphone charger at home. This could be especially problematic if the reason you need to access your bank accounts is to move funds from savings to checking so you can buy a charger for your cellphone.

The security concerns would probably never come back to bite you -- but the fact that's only a "probably" is really the problem. Once you start playing a statistics game to decide whether your overall security has gotten better or worse with a given security solution, you may need to rethink your solution.

The concept itself is a good one (at least for security purposes, if not for purposes of convenience). If PhoneFactor were open source software that could be deployed by the same company with whose Web site I wanted to authenticate (in other words, if it were open source software used by the bank, rather than a third-party service to which the bank has to subscribe), I'd be all for it. If it were closed-source software implemented by the bank (rather than bought from a third-party vendor), I'd support that as well, as an improvement to security.

It's the third-party involvement with a cookie-cutter solution being offered as a package deal, and the problem compounded by the service being managed by that third party, that raises my concerns.

As for you -- I guess you'll have to decide for yourself.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

14 comments
tamouh2

I probably would have disagreed with your whole post until the last few lines. Indeed, for large enterprises, adding a 3rd party in the middle of your authentication process goes against the security principle itself. However, two things to respond to:
- PhoneFactor is the 2nd part of authentication. You still need to know the user/pass, and PhoneFactor employees I think would not have access to such info inside LDAP.
- PhoneFactor, as I'm aware, can allow you to set up backup phone numbers. I can see your point about the dead charger, but it's not too convincing.
- I can't see the PhoneFactor idea being very difficult to implement, but by now they probably have it patented, preventing open-source development. The banks should have thought of this long ago.

bwilliams

Anakam's platform is far more flexible in the authentication routes selected. Not only does it allow SMS, but also IVR, voice-bio, and secure token... all on a single platform.

ggrajek

Chad:

> Convenience must be balanced against security, sometimes. In the long run, I hope that a more convenient, more verifiably secure system is developed that provides the same kind of two-factor authentication.

We couldn't have stated it better. Your article accurately states the phone mechanism is a reasonably secure way of authentication - but the convenience - for a repeat user - is, well, unpleasant. That is why MultiFactor created SecureAuth - an authentication solution that:
1) Uses telephony for a first-time registration (or SMS text messaging or e-mail - based on enterprise configuration)
2) Deploys, in a unique and user-simplistic manner, a secure, non-phishable credential

Step #2 is important - because on subsequent authentications SecureAuth is able to algorithmically prove that there is no man-in-the-middle attack because of the bilateral authentication that is being enacted between the client and the (legitimate) server.

MultiFactor has this solution deployed to:
- WebSites (Financial)
- Networks (Cisco VPNs)
- Federation Applications (SAML based, like Google Apps)

All the best.
----
Garret Grajek, CISSP
COO MultiFactor Corporation
http://www.multifa.com/products.htm

jgreene

Actually the solution is extremely secure. We currently utilize it and are moving away from RSA. In addition, you receive the phone call within seconds of submitting the userid and password. Not to mention PhoneFactor the company doesn't know your userids or passwords. All they know is: a request to dial a phone number, the phone number was answered and the correct PIN was given, and a thumbs up (good PIN) goes back to your internal PhoneFactor server.

apotheon

Will you help the people at PhoneFactor try to convince your bank to use their service? What security concerns do you have? Are there any considerations in favor of PhoneFactor that I missed?

apotheon

What about independent verification of security policies behind the system?

apotheon

. . . but it doesn't address the concerns I actually brought up in the article.

techrepublic@

Using an open communication medium to transmit access tokens is such a bad idea!!

msimmons

I'd be surprised if the PIN that you input was statically chosen. If I were engineering this system, I'd make it so that you got an SMS/voice-synth-call with a 6-8 digit PIN that's created on the fly and distributed to both your phone and the bank. Sort of like a poor-man's RSA key. Cellphones aren't the most secure mode of communication, but this scheme seems more secure than, say, showing me a picture of a boat and asking for my mother's maiden name.
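The one-time PIN the comment above proposes, beside the static PIN it would replace, as an added example that is not code from the article or from any commenter. The issuer class, the simulated SMS outbox and the injectable clock are assumptions made for the demonstration; the phone number is constructed.

```python
"""A per-login one-time PIN next to a fixed PIN. Constructed example: the
issuer, the simulated SMS/voice outbox and the fake clock are assumptions,
not a description of any product."""
import hmac
import secrets
import time


class StaticPin:
    """The weak design: one fixed PIN reused on every login. A code seen once
    (over a shoulder, in a phishing form) keeps working indefinitely."""

    def __init__(self, pin: str):
        self.pin = pin

    def verify(self, entered: str) -> bool:
        return hmac.compare_digest(self.pin, entered)


class OneTimePin:
    """The stronger design: a fresh 6-8 digit code per login attempt, bound to
    that attempt's request id, expiring after a short window, usable once."""

    def __init__(self, digits: int = 6, ttl_seconds: int = 120, clock=time.monotonic):
        self.digits = digits
        self.ttl = ttl_seconds
        self.clock = clock
        self.pending = {}     # request_id -> (code, issued_at)
        self.outbox = []      # simulated delivery channel to the phone

    def issue(self, request_id: str, phone: str) -> None:
        code = "".join(secrets.choice("0123456789") for _ in range(self.digits))
        self.pending[request_id] = (code, self.clock())
        self.outbox.append((phone, code))   # what the handset would receive

    def verify(self, request_id: str, entered: str) -> bool:
        # pop() makes the code single-use: a second try, right or wrong, finds nothing
        item = self.pending.pop(request_id, None)
        if item is None:
            return False
        code, issued_at = item
        if self.clock() - issued_at > self.ttl:
            return False
        return hmac.compare_digest(code, entered)


class FakeClock:
    """Controllable clock so expiry can be demonstrated without sleeping."""

    def __init__(self, start: float = 1000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now


def demo() -> dict:
    """Replay, cross-request and expiry behaviour of both designs."""
    clock = FakeClock()
    otp = OneTimePin(ttl_seconds=120, clock=clock)
    phone = "+15555550100"                      # constructed number
    otp.issue("req-1", phone)
    _, code = otp.outbox[-1]
    results = {
        "code_format": len(code) == 6 and code.isdigit(),
        "replayed_static": StaticPin("4321").verify("4321"),   # reuse always succeeds
        "wrong_request": otp.verify("req-other", code),        # code bound to req-1
        "fresh": otp.verify("req-1", code),
        "replay": otp.verify("req-1", code),                   # same code, second time
    }
    otp.issue("req-2", phone)
    _, late_code = otp.outbox[-1]
    clock.now += 121                            # past the 120 s window
    results["expired"] = otp.verify("req-2", late_code)
    return results


if __name__ == "__main__":
    print(demo())
```

Burning the code on any verification attempt, not just a correct one, is a deliberate choice: it keeps an attacker from guessing at a six-digit space while the code is live, at the cost of the user having to request a fresh call after a mistyped digit.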

ggrajek

Deployments of MultiFactor SecureAuth have passed through the NCUA (National Credit Union Association) audit process. What's important to note here is that MultiFactor's SecureAuth web services:
1) Do not send/store confidential information
2) The web service just acts as a processing service
3) All web services are WSE 3.0 (X.509 authenticated) - thus ensuring only secure/trusted deployments enact the call.
----
Garret Grajek, CISSP
MultiFactor Corporation
Chief Operating Officer
www.multifa.com

YZFDude1

He actually did answer your questions. I think you just don't like the answer. The only arguments you make against Phone Factor are:
1. You have to wait for a call to verify your PIN.
2. You might actually be inconvenienced by having to have a working phone (cell) near you.
3. The software isn't open source.

The fact that your bank would give you an option to have multi-factor authentication IMHO is a good thing. Your complaint is that you have to wait for a call. Seriously? Any business person who travels and doesn't have more than one charger is more of an anomaly than the norm.

The Phone Factor software runs on the bank's hardware, at the bank's location. When you request to log in, the Phone Factor software does a simple LDAP lookup to verify your first factor, then issues a call to authenticate your second factor. The only thing that leaves the bank's systems is a request to Phone Factor's company server to initiate a call and request authentication of your PIN. Then a simple reply is sent back to the bank with a True/False.

If your bank had to initiate the phone calls, then you run into the nightmare of having to figure out what your phone budget will be. You would have to buy a bunch of modems, and telco access to those modems. Then let's talk about the cost of long distance. You have to plan for scalability and outages, so you will need an offsite location, hopefully in a facility where natural disasters occur infrequently. Or you can pay Phone Factor to have done that already.

So your complaint boils down to: I hate that my bank uses third-party software even though it is located at their facility. The complaint that it isn't open source is more of a religious preference and I won't even go there.

My organization has both Phone Factor as well as the traditional OTP tokens. My number one complaint about the tokens is that users fat-finger the password and have to wait 60 seconds to try to log in again. When I offer them to use the Phone Factor and I demonstrate it, then they all jump on it. Most of my upper management and sales people live on their cell phones. So not having one around (and charged) is a complete non-issue.

Michael Kassner

I've read about both processes being a viable alternative. There is also talk of having a client application on the cell phone that would do the same thing as a SecurID dongle. Something that is also very interesting is that VeriSign and PayPal are working on a deal where VeriSign or PayPal's SecurID dongle will work as second factor authentication for multiple companies, something similar to OpenID. Chad, I have to mention this in jest as I get corrected about this all of the time. It's picky, but security guys are picky. They say it must read Something "only" you, with the emphasis on only.

apotheon

"I'd be surprised if the PIN that you input was statically chosen."

I wouldn't.

"If I were engineering this system, I'd make it so that you got an SMS/voice-synth-call with a 6-8 digit PIN that's created on the fly and distributed to both your phone and the bank. Sort of like a poor-man's RSA key."

That's known as a One Time Password (OTP) in the general case.

"Cellphones aren't the most secure mode of communication, but this scheme seems more secure than, say, showing me a picture of a boat and asking for my mother's maiden name."

There's some truth in that.

apotheon

It has to be something "only you" have/know/are, et cetera, to be secure. It doesn't have to be "only" to be an authentication factor, in general, though. I'm just splitting hairs. You're right, of course -- each factor should be limited to only you, in practice.