Two-factor authentication for the masses

One thing the “big guys” have always had available to them is “two factor” authentication in the form of products such as SecurID from RSA (there are others but SecurID is the one I’m most familiar with). Two factor authentication goes beyond the password authentication mechanisms we are all used to and adds a layer of extra security by requiring you to authenticate to a system using something you “have” (in the case of SecurID, a SecurID keyfob or a SecurID app on your smartphone) and something you “know” (a PIN number or something similar). In the case of SecurID, the something you “have” is a constantly changing and unique ID number displayed by your fob or phone app, and the something you “know” is an unchanging ID (your PIN). These two items are combined to provide a secure, unique and one-time authentication code to your system. Banks, government ministries and many other organizations have been using these types of systems for years to provide a very strong layer of authentication security for their systems. It is a well-proven technology that, unfortunately, usually carries a price tag that puts it out of the reach of those of us in the SMB world. And, yes, before I get flamed, I know there are a number of companies that provide a similar mechanism to SecurID at a lesser cost; but the costs are still not inconsequential.

I was working with a new customer last week, a non-profit health care facility, that utilizes British Columbia’s “Physician’s Private Network” or “PPN” to access their hosted EMR application. PPN is a private network with limited access to the Internet. One of the BIG rules on PPN is that you cannot have remote access applications installed on your servers or PCs that reside on PPN that do NOT have two factor authentication. This worried me as we wanted to have LogMeIn installed on the server in order to provide remote access to the server for whenever we needed to support the customer. As a small non-profit, the customer certainly could not afford SecurID or, for that matter, any of the other vendors that I was aware of. I spoke with one of the technicians responsible for PPN and he told me about a free (yup, that’s right, free) service that provides two factor authentication services via your phone. The service is recognized as a valid two factor authentication process and they had an agent that would plug into LogMeIn. I had to check it out!!

I’m pleased to say that PhoneFactor truly works as advertised and it is free! I created an account at PhoneFactor and linked the number of my cell phone to the account. I then downloaded and installed the PhoneFactor agent for LogMeIn on the server, configured the agent so that the login account I use from outside is tied into PhoneFactor and tried it out. Voila! LogMeIn asked me for my credentials, it caused the PhoneFactor agent to call home, PhoneFactor called my phone and requested I punch a certain key sequence and PhoneFactor then authorized my log in via LogMeIn. Very, very slick!

There are a few caveats, with the biggest being that, as far as I can tell, there is no way to have PhoneFactor link multiple phone numbers to a given PhoneFactor-enabled login (so if Louis logs in to the customer using the login I enabled with PhoneFactor, my phone will ring looking for the authentication and not his). This is a bit of a pain but not something that would stop me from using the service; I’d just have to look at creating the appropriate linkages between login accounts and PhoneFactor accounts.

I’m going to be testing PhoneFactor to see if it can be integrated with things like the SBS2001 Remote Web Access (RWA) system and I will blog the results.

If you have been looking for an inexpensive way to add authentication security to your publicly accessible systems, you owe it to yourself to check it out.

2 responses to “Two-factor authentication for the masses”

  1. We haven’t been requested to try it with SBS so, no, sorry. I expect it can be done so long as the proper phone factor package is used (multiple accounts allowed to authenticate to the SBS server). There are a few two-factor systems that have been made to work with SBS so the info on how to integrate with SBS is “out there” somewhere.
