PhoneFactor Blog

PhoneFactor Unveils Out-Of-Band SMS Authentication

PhoneFactor has expanded its two-factor authentication platform to include support for out-of-band authentication via SMS text messaging. Here’s how it works:

Step 1
Enter your username and password just like you do today.

Step 2
Instantly, PhoneFactor sends you a text message with a one-time passcode. To authenticate, simply text the passcode back to PhoneFactor.

That’s it! Because the one-time passcode is both sent and confirmed through SMS, the process is completely out-of-band.

Now users can choose the two-factor method they prefer, phone call or SMS text message, all with the same level of out-of-band security and convenience. This enables the ultimate flexibility for your users and a single platform for your IT team to manage.

Learn more about SMS authentication. Or try it yourself in our Online Demo.

- Sarah
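
As an added illustration (not PhoneFactor's code and not part of the original post), the sketch below shows a generic server-side handler for the two steps above: the passcode goes out by SMS and is accepted only when it comes back by SMS from the same number, so the web session never carries it. The class name, the `send_sms` gateway hook, the 5-minute expiry and the 3-attempt limit are assumptions, and the sender number is taken as reported by the gateway.

```python
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # assumed validity window
MAX_ATTEMPTS = 3        # assumed limit on wrong replies per passcode

class SmsOtpVerifier:
    """Hypothetical second-factor service: one pending passcode per phone."""

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms   # assumed gateway hook: send_sms(phone, text)
        self._clock = clock
        self._pending = {}          # phone -> [code, expires_at, attempts_left, session_id]
        self.approved = set()       # web sessions that passed the second factor

    def start(self, session_id, phone):
        """Step 2, outbound: after the password check, text a fresh passcode."""
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, keeps leading zeros
        self._pending[phone] = [code, self._clock() + OTP_TTL_SECONDS,
                                MAX_ATTEMPTS, session_id]
        self._send_sms(phone, f"Reply with passcode {code} to finish signing in.")

    def on_inbound_sms(self, from_phone, body):
        """Step 2, inbound: a reply arrived by SMS. True if a session was approved."""
        entry = self._pending.get(from_phone)
        if entry is None:
            return False                    # sender has no login in progress
        code, expires_at, _, session_id = entry
        if self._clock() > expires_at:
            del self._pending[from_phone]   # stale passcode is discarded
            return False
        # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
        if hmac.compare_digest(body.strip().encode(), code.encode()):
            del self._pending[from_phone]   # single use: a replayed reply fails
            self.approved.add(session_id)
            return True
        entry[2] -= 1
        if entry[2] <= 0:
            del self._pending[from_phone]   # stop guessing after MAX_ATTEMPTS
        return False

if __name__ == "__main__":
    outbox = []                             # constructed stand-in for an SMS gateway
    svc = SmsOtpVerifier(lambda phone, text: outbox.append((phone, text)))
    svc.start("web-session-1", "+15550100")          # constructed sample values
    code = outbox[-1][1].split()[3]
    print(svc.on_inbound_sms("+15550199", code))     # False: wrong sender
    print(svc.on_inbound_sms("+15550100", code))     # True: session approved
```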


See PhoneFactor’s New Products at RSA Booth 1757

PhoneFactor will be showcasing two new products at the 2010 RSA Conference! Stop by PhoneFactor Booth #1757 to learn more about these exciting additions to our out-of-band authentication platform.

  • We recently launched Biometric Voice Authentication, making three-factor authentication both easy and cost-effective. PhoneFactor’s Biometric Voice Authentication delivers the strongest level of authentication without the overhead typically associated with biometrics. The user’s voiceprint is simply confirmed during the PhoneFactor authentication call.
  • We will also be unveiling another exciting addition to the PhoneFactor platform during the show.

And don’t miss PhoneFactor CTO Steve Dispensa’s panel discussion on responsible disclosure.
Responsible Disclosure: It’s Their Fault!
Wednesday, March 3rd, 10:40 AM, Orange Room 305


PhoneFactor CTO Steve Dispensa to Speak at RSA 2010

Steve Dispensa, CTO and Co-Founder of PhoneFactor, will be participating in a panel discussion on responsible disclosure at RSA 2010. Steve will be joined by representatives from Adobe, PayPal, Continental Airlines, and The Metasploit Project and moderator Martin McKeay for a discussion on the role researchers, vendors, and customers play in the responsible disclosure debate.

Don’t miss – Responsible Disclosure: It’s Their Fault!
Wednesday, March 3rd, 10:40 AM, Orange Room 305

Catch a sneak peek of the discussion with Martin McKeay and Steve Dispensa.
Listen Online | Download Podcast <8:51>

And be sure to stop by PhoneFactor Booth #1757.

- Sarah


Steve Dispensa and Marsh Ray to Present ShmooCon 2010 Keynote

PhoneFactor CTO Steve Dispensa and Sr. Software Engineer Marsh Ray are headed to DC this week where they will be presenting the keynote address at the ShmooCon conference. The keynote Closing the TLS Authentication Gap will detail the technical aspects of the SSL/TLS authentication vulnerability they made public last fall and the story behind the disclosure process. More information about the keynote is available at: http://www.shmoocon.org/presentations-all.html#tls.

- Sarah


Three-Factor Authentication in Two Easy Steps

PhoneFactor now offers integrated biometric voice authentication, which simultaneously verifies something you have, your telephone, and something you are, your voiceprint, for the second and third factors of authentication. Here’s how it works:

Step 1
Enter your username and password just like you do today.

Step 2
Instantly, PhoneFactor calls you. Simply answer and speak your passphrase to authenticate.

That’s it! The process is simple, secure, and cost-effective.

With IT security threats at an all-time high, utilizing three separate factors to authenticate user access is a necessity for many organizations. However, most biometric solutions require a biometric reader, such as a fingerprint scanner, be installed on each end user’s system. The cost and IT resources required to purchase and deploy biometric readers created an often insurmountable challenge.

With PhoneFactor, no biometric readers are required – it works with any phone. And with automated voiceprint enrollment and centralized user management, it can be set up quickly for large numbers of geographically diverse users.

Learn more about biometric voiceprint authentication.

- Sarah


VirtualBank Adds Out-of-Band Two-Factor Authentication

VirtualBank recently announced that they will be deploying PhoneFactor’s phone-based two-factor authentication to enhance security for their online banking customers. VirtualBank is the Internet Banking Subsidiary of Lydian Trust Company and serves a growing base of banking and lending clients nation-wide.

“Security comes first for us at VirtualBank and we are constantly working to make it better,” comments Frank Barbato, Virtual Bank Chief Information Officer. “We feel equally as strong about our client’s on-line experience and the impact that all the security protections have on them. After all, our clients just want to access their accounts and get on with their lives rather than answering questions about their pet’s name. PhoneFactor’s flexibility in their platform enables us to both meet today’s security needs while offering a superior user experience.”

VirtualBank has branded the process they have built around the PhoneFactor service “PhoneGuardian,” and will make it available to all of its customers free of charge.

Read Announcement

~Sarah


PhoneFactor Publishes New Whitepaper on IT Security Trends

PhoneFactor recently published the results of its survey on IT security trends in a new whitepaper IT Security & Authentication: Key Concerns for 2010. Results of the PhoneFactor survey of more than 250 IT professionals indicate a greater level of insecurity today than in the previous years, both from increasing external threats and decreasing confidence in current security practices.

Key findings include…

  • One in four respondents reported that their company’s network or data had been compromised, up from one in five last year.
  • More than half of respondents (57%) feel malware is the greatest data security threat today. Poor password policies ranked second at just over 27%.
  • Only 35% of respondents feel their company’s current authentication system is “very” or “extremely” secure – a 16% decrease from last year.
  • More than 3/4 of respondents feel that companies who they give their personal data to are either “extremely” or “very” responsible for protecting their personal or financial information.
  • More than half (57%) of respondents believe users would prefer to carry a cell phone over other two-factor authentication devices, including a security token or fob, a USB token or fob, a grid card, or a smart card. In fact, the majority of respondents – 70% – agreed with Wired’s statement that security tokens are a “top 10 worst gadget ever.”

The complete survey results are available in a new whitepaper IT Security & Authentication: Key Concerns for 2010. Download the whitepaper at http://www.phonefactor.com/how-it-works/white-paper/security-authentication-key-concerns-2010.

-Sarah


Implications of the Twitter attack using the SSL gap

When we released the SSL authentication gap details a couple of weeks ago, I was convinced that this was a serious issue that needed immediate attention. Although most everyone agreed, there were a few commentators out there that weren’t as concerned about the problem as I was.

Well, fast-forward a few days, and the situation has changed. A clever researcher by the name of Anil Kurmus has demonstrated a working exploit against Twitter using the request-splicing technique we outlined in the “Renegotiating TLS” paper. He leveraged the flaw into a revealed-plaintext attack against Twitter, with the effect that a bad guy could steal any user’s username and password.

It’s difficult to say just how a flaw like this in an underlying security protocol will affect the upper-layer protocols, like HTTP, that depend on it. Certainly, as Bruce Schneier often observes, attacks only get better. So while we’re not about to go out and see what all we can exploit with this flaw, I’m certain that there are cleverer hackers out there that will have no trouble in leveraging this flaw into a serious problem for a wide variety of sites.

It’s interesting to consider why the opinions of some researchers have been shifting as to the severity of this issue. In my opinion, it is primarily the result of the subtlety of this flaw. There have been numerous arguments about whether or not TLS was even broken at all, or if on the other hand, the fault lay in the higher-level protocols such as HTTP. This argument has been batted around extensively in public by some of the world’s brightest security protocol engineers.

It didn’t help matters that we described the flaw primarily in the context of client certificate-based authentication. That was the first case Marsh found and got working, but we were eventually able to broaden the attack to the potentially much more dangerous client-initiated attack that was used in the Twitter exploit. It probably should have been moved to the top of the paper we released, but in our defense, we had planned a major revision next month or so; we were as taken by surprise at the unexpected release of the flaw as everyone else was.

The reality is that it’s going to take a while for the full implications of this flaw to be worked out. It’s never pretty when a security protocol is found to be deficient, and as Chris Paget pointed out, there are a great many other protocols that use TLS, some of which may also be impacted by this find. I think we’ll be finding problems related to this flaw for months or years to come.

-Steve


PhoneFactor Team Discovers Vulnerability in SSL Authentication

Earlier this week, PhoneFactor released the details of a serious vulnerability in SSL/TLS authentication, which was discovered by PhoneFactor team members Marsh Ray and Steve Dispensa in August 2009. The SSL authentication gap allows for a standard man-in-the-middle attack in which an attacker is able to inject malicious data and commands into the authenticated SSL communications path.

For the past few months, PhoneFactor has been working closely with a group of affected vendors and the relevant standards committees on mitigation strategies. News of the vulnerability broke when a member of an IETF working group independently discovered the issue and posted it to an IETF mailing list on November 4th. Word quickly spread through the IT security community.

PhoneFactor set up a resource center at http://www.phonefactor.com/sslgap/ with the latest news and information about the SSL/TLS vulnerability and available patches.


Don’t Forget About Phishing

While there are many sophisticated attacks threatening banking and financial services today, there are some timeless standard ones as well. Just last week, a co-worker was targeted by an old-fashioned phishing attack. Here’s what happened:

She receives a text message:

From: No Caller ID
Date: 10/8/09 3:04pm
This is an automated message from Central Bank of Kansas City. Your ATM card has been suspended. To reactivate call urgent at 18662652744.

She was suspicious, so she Google’d the bank. She clicked on the link to their website.

Looks reasonably legit even if the url is a little weird.

So, she dials the 800 number in the text message. Here’s the phone call:

scam_audio.wav

Luckily, she was savvy enough not to enter her real credit card number, but you can bet some people did.

According to a recent article on ComputerWorld.com, “After a small dip last year, phishing activity has picked up again and is rapidly climbing back to record levels in terms of unique phishing sites and targets.” While the attack described above was after credit card numbers, there have been a number of high-profile phishing attacks this year targeting user names and passwords for social media sites like Facebook and Twitter, not to mention the ongoing barrage of attacks against online banking.

It’s a good reminder to keep an eye on the emerging threat landscape, but to not forget the old standards.

~Sarah~
