Comparing PhoneFactor to SMS Authentication

Evaluating two-factor authentication solutions requires a look at three critical areas – the security and scalability of the technology, hurdles to user adoption, and the total cost (including internal costs) to deploy and support the system. Below is an analysis of SMS-based authentication systems and PhoneFactor’s phone-based authentication solution.

SMS Authentication

With SMS authentication, a One Time Password (OTP) is sent to the user via a text message to their cell phone. It is a true form of two-factor authentication, but it requires that the OTP be keyed into the login interface (adding an additional screen to the login process and requiring more user training). SMS messaging is considered a class two service, so voice calls get a higher priority on the network. This can result in delays, so a user can be forced to wait for their OTP to arrive before they can complete their login. Also, though not a huge consideration, the text message remains on the phone, which is generally considered negative from a security perspective.

One of the biggest disadvantages of SMS authentication solutions is that they do not protect against emerging threats, such as man-in-the-middle attacks. As the sophistication of attacks continues to increase, out-of-band authentication, which utilizes a separate channel for the second factor of authentication, is becoming widely recognized as a best practice for two-factor authentication. Any authentication method that requires an OTP be keyed into the original login interface does not meet the criteria for out-of-band authentication and as such is vulnerable to attack.

SMS authentication leverages a user’s existing cell phone, and there are some 3.5 billion cell phones in the world today, which is a big advantage over tokens and other security devices. But it does require text messaging capabilities, which not all cell phone users have, and SMS authentication is not compatible with landline phones at users’ homes and offices.

Technology
  • Two-factor across a single channel
  • SMS messaging is a priority 2 service, which can result in significant message delivery delays
  • Leaves a footprint on the phone
User Adoption
  • Requires a cell phone with texting capabilities
  • Requires users to key the One Time Password (OTP) into the login interface
Cost
  • Significant implementation costs, then relatively low fee per text message
  • User training is required

PhoneFactor

PhoneFactor also leverages the phone for two-factor authentication, but with some important differences from SMS authentication. With PhoneFactor, users simply log in with their username and password – just like they do today. Instantly the user’s phone rings. They answer and press # (or enter a PIN) to complete their login. As such, it works with any phone, anywhere in the world. As a class one service, there are no delays. The authentication call is placed immediately.

By combining out-of-band authentication with real-time fraud alerts, PhoneFactor offers the strongest level of security on the market today. The PhoneFactor platform relies exclusively on the telephone network for the second factor of authentication, which ensures protection against keystroke loggers and man-in-the-middle attacks. PhoneFactor can be used to verify specific high-risk transactions, so even if the user’s authenticated session has been hijacked, their transactions are protected. Not only does PhoneFactor prevent unauthorized logins and transactions, it notifies you instantly if a user’s credentials have been compromised and an attack is in progress. Security tokens are simply not capable of alerting you to an attack.

PhoneFactor requires very little effort to implement and virtually no ongoing support. PhoneFactor offers instant integration with all leading business systems and synchronizes with AD and LDAP Servers for centralized user management. Easy, automated self-service options are available through the phone and web, which helps to significantly minimize overhead. It is easy to use, requiring no end user training.

Technology
  • Out-of-band authentication with live fraud alerts
  • Instant integration with leading enterprise systems
  • Web plug-ins integrate with existing websites and online transaction processes
  • User enrollment and self-service tools keep overhead low
User Adoption
  • Extremely easy – users simply answer their phone and press #
  • Works with any phone, anywhere
  • No changes to the user login experience
  • No software downloads or text messages to cell phones
Cost
  • Low annual fee per user or per auth
  • No hardware to purchase or install

 

PhoneFactor’s phone-based authentication service offers a greater level of security and a better user experience than SMS authentication. For more information try the PhoneFactor Demo or Download the Free Version.