
Authentication is generally required to access secure data or enter a secure area. The requestor for access or entry is usually required to authenticate, that is, to prove his or her identity, by means of:
What the requestor individually knows as a secret, such as a password or a Personal Identification Number (PIN), or
What the requesting owner uniquely has, such as a passport, physical token, or an ID-card, or
What the requesting bearer individually is, such as biometric data, like a fingerprint or the face geometry.
Two-factor authentication, which requires a remote user to present both something they know and something they have, such as a token, smart card or biometric image, is one of the most common methods used by organizations for identity assurance.
The true cost of a two-factor authentication solution is made up of several elements. First, there are the "product" acquisition cost elements. All two-factor authentication solutions consist of two main product components:
An end user device. The end user device provides the "something you have" factor that is uniquely bound to the individual.
An authentication server. The authentication server receives the information from the end user and determines whether the individual has presented the correct information. It also directs the system to either allow or deny access and provides the administrative interface.
Organizations also need to consider annual maintenance fees which usually include customer telephone support and ongoing software updates.
Implementation costs should be carefully examined and can vary widely depending on the operating environment. For example, organizations need to consider if there are additional third party products or any professional service integration required to complete the solution.
Finally, ongoing management costs need to be considered in determining the total cost of ownership. This would include administrator costs, deployment, and anticipated user service expenses.
Scaling Authentication for Very Large User Groups
Hardware and software solutions can be scalable enough for internal corporate use, but when the organization wants, or more often, is legally required to provide strong authentication for other parties such as partners, suppliers, or end customers, the deployment and management of hardware devices or software packages becomes a real challenge.
Moreover, as organizations face growing pressures to optimize their operations logistically and financially, many are considering alternatives to physical tokens to reduce the cost of two-factor authentication. But what kinds of options are there?
Practically everyone today owns a mobile phone, at least those of us old enough to hold a bank account and insurance - say anyone from fourth graders to grannies. For convenience and simplicity, why not provide strong authentication to online services based on the mobile phone? Most of us carry the mobile anyway. Consider at face value the benefits of offering authentication using a device that users already own:
Increased security for accessing critical systems with minimal effort from end users
Reduced operational and maintenance costs with a tokenless solution
Rapid activation of new users, partners, and ad-hoc accounts - in minutes instead of days or weeks
Typically, mobile authentication takes place in one of two ways: via an on-device application or via SMS (text messaging). The former option is active and requires the end user to download an application, a step that not all mobile phones support. The latter method is passive, allowing any user to be activated without providing any customer information beyond a phone number.
Apart from sidestepping the nightmare of token life-cycle management and its related costs, transitioning strong authentication to mobile phones offers added value. Not only would it become the single master key to important services, it can provide add-on services such as credit card limit warnings and confirmation of unusually large transactions.
While mobile authentication scales easily to accommodate large numbers of users, organizations moving from environments with just a few hundred users to those with several thousand need to take into account the reliability of the SMS service. This in turn raises certain questions:
That being said, mobile authentication remains the fastest method to distribute to remote users. Imagine yourself on a business trip in South Africa and you lose the security token for accessing your corporate e-mail. Do you call your administrator and ask to have a new one couriered to you? You'd probably be back home by the time the token arrived. This would not be the case if you were using a mobile authentication method.
Even if you do lose your mobile, you can purchase a replacement along with a prepaid SIM card. Then your administrator can immediately link your new prepaid number to your identity in the e-mail system. Log in to your e-mail and authenticate using the OTP (one-time password) that you receive via SMS. Your mobile authentication service remains essentially uninterrupted! And your organization no longer needs to worry about the cost of replacing physical tokens - not for you or scores of other employees.
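To make the server side of the SMS scenario concrete, here is an added example (not code from the original article or from any product it describes) of the authentication-server component: it issues a one-time code, hands the clear text to an SMS gateway, and later verifies what the user types. The gateway (`send_sms`) is a hypothetical callback assumed to return True when the carrier accepted the message, so the "SMS reliability" concern above shows up as a rejected send that the caller can retry; `rebind_phone` covers the lost-handset case, where an administrator links a replacement prepaid number to the same identity. All state is kept in memory instead of the server's database, and the phone numbers and usernames are constructed sample values.

```python
"""Minimal SMS one-time-password (OTP) authentication server (constructed example)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

OTP_DIGITS = 6
OTP_TTL_SECONDS = 120        # a code is valid for two minutes after it is sent
MAX_VERIFY_ATTEMPTS = 3      # wrong guesses allowed before the code is discarded
MAX_SEND_PER_WINDOW = 5      # cap on SMS sends per user per window (cost and flooding)
SEND_WINDOW_SECONDS = 3600


@dataclass
class PendingOTP:
    code_hash: bytes         # only the hash is stored; a database leak does not leak codes
    expires_at: float
    attempts_left: int = MAX_VERIFY_ATTEMPTS


@dataclass
class UserRecord:
    phone: str
    pending: Optional[PendingOTP] = None
    send_times: List[float] = field(default_factory=list)


class OTPServer:
    """Issues, delivers and verifies SMS codes; the 'authentication server' box."""

    def __init__(self, send_sms: Callable[[str, str], bool], clock: Callable[[], float] = time.time):
        self.send_sms = send_sms   # hypothetical gateway: send_sms(phone, text) -> accepted?
        self.clock = clock         # injectable for testing expiry and rate windows
        self.users: Dict[str, UserRecord] = {}

    def enroll(self, username: str, phone: str) -> None:
        self.users[username] = UserRecord(phone=phone)

    def rebind_phone(self, username: str, new_phone: str) -> None:
        """Administrator links a replacement number to the identity; any code
        already sent to the old handset is invalidated at the same time."""
        user = self.users[username]
        user.phone = new_phone
        user.pending = None

    @staticmethod
    def _hash(code: str) -> bytes:
        return hashlib.sha256(code.encode()).digest()

    def request_otp(self, username: str) -> bool:
        """Generate a fresh code, store its hash, send the clear text by SMS.
        Returns False if the user is over the send cap or the gateway rejected it."""
        user = self.users[username]
        now = self.clock()
        user.send_times = [t for t in user.send_times if now - t < SEND_WINDOW_SECONDS]
        if len(user.send_times) >= MAX_SEND_PER_WINDOW:
            return False
        # CSPRNG-backed, zero-padded to a fixed width so leading zeros are kept
        code = str(secrets.randbelow(10 ** OTP_DIGITS)).zfill(OTP_DIGITS)
        user.pending = PendingOTP(code_hash=self._hash(code), expires_at=now + OTP_TTL_SECONDS)
        user.send_times.append(now)
        if not self.send_sms(user.phone, f"Your login code is {code}"):
            user.pending = None    # carrier did not accept it; nothing valid is outstanding
            return False
        return True

    def verify(self, username: str, submitted: str) -> bool:
        """Check a submitted code: single use, time-limited, attempt-limited,
        compared in constant time against the stored hash."""
        user = self.users.get(username)
        if user is None or user.pending is None:
            return False
        pending = user.pending
        if self.clock() > pending.expires_at:
            user.pending = None
            return False
        if hmac.compare_digest(pending.code_hash, self._hash(submitted)):
            user.pending = None    # a code that has been used cannot be replayed
            return True
        pending.attempts_left -= 1
        if pending.attempts_left <= 0:
            user.pending = None    # too many wrong guesses; the user must request a new code
        return False
```

In a real deployment the `UserRecord` state lives in the authentication server's database and `send_sms` is the SMS provider's client; the properties worth keeping are the ones shown here: the clear-text code never touches storage, a code works exactly once and only within its window, a handful of wrong guesses discards it, and per-user send caps bound both the SMS bill and the number of messages an attacker can trigger.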