PhoneFactor Blog

PhoneFactor and accessibility

Posted  August 19, 2007 By Steve

I just read a post at the Blind Access Journal about PayPal’s security tokens (which are basically RSA SecurID tokens). They point out that reading six digits off of a small token display is difficult or impossible for a visually impaired or blind person.

This is another one of those cases where leveraging a long-available technology like telephones can have nice benefits: the accessibility questions for phone use have been worked on for decades now, and PhoneFactor automatically benefits. As long as the user has a way of answering the phone and pressing #, PhoneFactor can be used.

-Steve


2 Responses to “PhoneFactor and accessibility”

  1. Hi Steve,

    For good or ill, Paypal’s one-time password (OTP) tokens are not from RSA, and the Paypal OTP tokens are not the same as the rather ubiquitous RSA SecurID. Different vendor, different technology, different heritage. The SecurID, as you doubtless know, is an OTP token which continuously generates or displays a 6-8 digit (or alphanumeric) “token code” every 60 seconds. It is used only within the context of two-factor authentication, which means that a user will have to provide both a memorized password or PIN, and the token’s one-time password, to gain access to protected resources.

    I think the Paypal tokens come from VeriSign:

    RSA, now the security division of EMC, began shipping an audio version of the SecurID in the 1980s, shortly after the device was first announced. RSA no longer sells these “audible tokens,” although there are probably hundreds if not thousands still in use because they have been repeatedly reconditioned and reloaded with the SecurID app. Today, however, most firms find it cheaper and more convenient to provide their blind or sight-impaired employees, contractors, or customers with one of the several RSA Software Tokens: token-emulation applications available for Palm and Windows PDAs, beepers, mobile phones, and Windows XP Desktops. With a simple text-to-audio utility, these devices quickly and easily become audio SecurIDs.

    I don’t know about the other OTP token vendors, but RSA makes these token-emulation applications available for free download from its website at: . The RSA SecurID Toolbar Token seems quite popular.

    I’ve been a consultant to RSA for many years, but RSA tech support should be able to assist you if you encounter any problems with the installation.

    As you are probably aware, this token-emulation software option is something that your local IT administration will have to authorize and implement, since it requires some configuration changes in the RSA Authentication Manager (the authentication server), and the site will have to separately purchase the SecurID “seeds” needed to initialize the “soft tokens.”

    Like any wholly software-based security device, of course, the use of these “soft tokens” will also place an additional level of responsibility on the token’s user and the local security administrator. The integrity of the OTP generator — and the trustworthiness of your access control system — both depend upon the user (for PDA, for example) and his employer (for desktop PCs) being able to provide effective physical and virtual security for the devices holding the SecurID “soft token.”

    Despite a variety of defenses built into the RSA code, the secrets of any software application are ultimately accessible to a sophisticated attacker who has physical or virtual access to the platform that supports the SecurID “soft token.” Some high-security settings may, by policy, require the use of the sealed (and tamper-resistant, DPA resistant) SecurID hardware token, unless and until exceptions to that policy are scoped and negotiated, but that is a manageable issue for most SecurID installations.

    I hope this is helpful.

    Cheers,
    _Vin
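The comment above describes the shape of a time-based OTP token (a new 6-digit code every 60 seconds, accepted only together with a memorized PIN, and the resulting "soft token" depending on the seed staying secret). As an added illustration, not code from PhoneFactor, RSA or the commenter, here is that model built on the open RFC 6238 TOTP algorithm; SecurID's own algorithm is proprietary, so this is the standard analogue, with the 60-second step and 6-digit length chosen to match the comment. The seed is the RFC 4226 test secret, used here as a constructed sample; `spoken_digits` is a hypothetical stand-in for the text-to-audio step the comment mentions.

```python
"""Time-based OTP (RFC 6238 TOTP) with a 60-second step, verified as a second
factor next to a PIN, with drift tolerance and replay rejection.
Added example; assumptions: RFC 6238 instead of the proprietary SecurID
algorithm, constructed sample seed, hypothetical spoken_digits helper."""
import hashlib
import hmac
import struct

# Constructed sample seed: the RFC 4226 test secret, NOT a real token seed.
SAMPLE_SEED = b"12345678901234567890"
STEP_SECONDS = 60   # the comment describes a new code every 60 seconds
DIGITS = 6          # 6-digit "token code"


def totp_code(seed: bytes, unix_time: int, step: int = STEP_SECONDS,
              digits: int = DIGITS) -> str:
    """RFC 6238: HOTP over the time-step counter (HMAC-SHA1, dynamic truncation)."""
    counter = unix_time // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code_int = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code_int % (10 ** digits)).zfill(digits)


def verify_two_factor(seed: bytes, expected_pin: str, submitted_pin: str,
                      submitted_code: str, unix_time: int,
                      last_used_counter: int = -1, window: int = 1):
    """Two-factor check: PIN (something you know) plus OTP (something you have).

    Returns the accepted time-step counter on success, None on failure. The
    caller must persist the returned counter and pass it back as
    last_used_counter so the same one-time code is never accepted twice.
    Codes from the adjacent steps are accepted to tolerate clock drift.
    """
    pin_ok = hmac.compare_digest(expected_pin.encode(), submitted_pin.encode())
    accepted = None
    base = unix_time // STEP_SECONDS
    for counter in range(base - window, base + window + 1):
        if counter <= last_used_counter:
            continue  # already used (or older than a used code): replay
        # No early return: every candidate is compared in constant time.
        if hmac.compare_digest(totp_code(seed, counter * STEP_SECONDS),
                               submitted_code):
            accepted = counter
    return accepted if pin_ok else None


def spoken_digits(code: str) -> str:
    """Hypothetical accessibility helper: spell a code out digit by digit so a
    text-to-audio utility reads '287082' as words rather than a number."""
    words = ["zero", "one", "two", "three", "four",
             "five", "six", "seven", "eight", "nine"]
    return " ".join(words[int(c)] for c in code)


if __name__ == "__main__":
    now = 150  # constructed timestamp; use int(time.time()) for a live clock
    code = totp_code(SAMPLE_SEED, now)
    print("current code:", code, "->", spoken_digits(code))
    print("accepted counter:",
          verify_two_factor(SAMPLE_SEED, "1234", "1234", code, now))
```

The replay check is the part the comment's "one-time" wording implies but a naive TOTP verifier often omits: once a counter has been accepted it is recorded, and the drift window never reaches back past it. Whether the seed lives in sealed hardware or in a soft token, the verification logic is the same; what changes is how hard the seed is to extract, which is the point the comment makes.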

  2. Vin,

    Thanks for the perspective. I admit that I didn’t research the PayPal tokens thoroughly before I posted, so it’s interesting to know that they’re Verisign. I was also unaware of RSA’s audible tokens; I’ve only seen the digit-based cards, key-fobs, and the like.

    I appreciate the value in software-based solutions, and I’m sure for a lot of customers, they’re just fine, but PhoneFactor is designed for a much broader market. Any time you have to ask the user to install software, no matter how easy, you’re going to see a lot of support load and lots of users that just never get to the finish line.

    Moreover, there are lots of closed phone platforms in the world today. Even the iPhone is unsupported by most mobile apps, and phones like my little LG flip phone from Verizon can’t do much that’s not built into the firmware. Again, I don’t know the details of RSA’s specific implementation, but in general, getting third-party software on the phones of average, non-technical users is Hard.

    So, I didn’t mean to imply that RSA doesn’t have any sort of accessibility solution; it obviously seems that they do. I was mostly just trying to brag about PhoneFactor!

    Thanks for the feedback.

    -Steve
