The way this could work is that the user initiates a transaction, enters their PIN or access code, then the provider of services needing to authenticate someone sends a randomly generated password via SMS to their phone, which they can enter. This proves that they are the right person -- a miscreant is highly unlikely to know the user name, the password and possess the phone. And if they are using a browser, a user must enter their access code into the same browser from which they requested it. The ideal solution would also provide non-repudiation, encryption over the link where possible, and would generate passwords that were truly random.
This form of strong authentication shows huge promise. Trials by a number of service providers suggest there are few drawbacks, with the small cost of sending an SMS being offset by the security of knowing they are dealing with the right person.
Compared to other forms of two-factor authentication, the advantages are that:
- such a system would need no extra infrastructure, so deployment costs on a per-user basis will be low;
- because the user is familiar with the hardware, there are no additional training or help desk costs to be borne;
- in some cases, it may help compliance with government, industry, or enterprise regulations for data protection;
- it can be deployed in very large numbers to cover mass markets;
- the user need carry no extra devices around, adding convenience and enabling enterprises to differentiate themselves;
- consumer confidence both in the strength of that security and the protection of their investments from access by the unauthorised will be increased, leading to customer satisfaction and retention.
When authentication via SMS becomes widespread, businesses and consumers will benefit. In the financial services area, banks and insurance companies are clear beneficiaries. In business to consumer applications, healthcare -- ensuring that the consumer is matched, critically, with the right medical records -- and bill payment will be transformed. Service providers and enterprises will be able to offer unfettered access to remote users' desktops no matter where they are, secure that the user can prove their identity.
From a business-to-business perspective, such technology can facilitate supply and buy-side e-commerce, with partners and suppliers being able to authenticate and so gain access to secured extranets, increasing trust between the parties conducting transactions.
Right now, access to information is critical for businesses and consumers alike and this trend is set to grow. What's needed is a way of authenticating people on a mass-market scale, and using a widely-adopted, easy-to-use technology such as SMS means that access can be secure, more cost-effective and more convenient.
RSA Security's RSA Mobile, built on its patented, time-synchronous technology and algorithms that deliver proven security to around 13 million end users, provides a platform for consumer-facing organisations to build such a solution. So with RSA Security ready to bring its secure technologies to this market and to fully incorporate industry standards such as Liberty and SAML into future releases, the time is right for this technology.
Both industry and consumers need it, the pre-conditions have been met and the demand is there.