
Scrolling through articles on Habré the other day, I was struck by an obsessive thought: too many coincidences lately... I couldn't shake it off, so I sketched out a few lines.
So what is the coincidence?
Reading the discussion on Habré about an open letter from one well-known security specialist to another well-known co-founder of a social network, I caught myself noticing how opposite the commenters' opinions were on the network's security and usability. Some were satisfied with things as they are; the advantages of change were mainly pointed out by those who favour maintaining a decent level of security. I paid special attention to the idea of two-factor authentication using mobile devices...
At the same time, I came across an article about how we at Symantec eat our own dog food...
And right now, as part of that program, we are rolling out one of our recently acquired services into our own corporate network: VeriSign Identity Protection, VIP for short, which is precisely a two-factor authentication service, just one that uses mobile devices.
Putting it all together, I decided to jot down a few words about this very interesting technology, which unfortunately is still little known in Russia.
So, what is this beast, VIP?
In a nutshell, VIP is a service that provides two-factor authentication with a one-time password. VIP relies on time synchronization between the one-time password generator and the password validation service: both sides compute the current code from a shared secret and the current time, so the generator needs no network connection to produce a code. An important distinguishing feature of VIP is that the same credential can be used both inside the company and for authentication to external applications. Simplified, the authentication scheme looks roughly like this:

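The time-synchronized scheme in working code, as an added example (my own illustration, not VeriSign or Symantec code): a standard RFC 6238 TOTP generator built on RFC 4226 HOTP, and a validation service that tolerates one 30-second step of clock drift in either direction and refuses to accept the same code twice. Whether VIP uses exactly this algorithm is not something this post states; the shared secret, the step length and the drift window below are assumptions for the demo, and the secret used in the demo is the RFC test-vector key.

```python
"""Time-synchronized one-time passwords (added example, not VIP's own code).

Generator side: RFC 4226 HOTP over a counter, RFC 6238 TOTP with the counter
derived from Unix time. Validator side: accepts codes from a small window of
adjacent time steps (clock drift) but never re-accepts a step it already used.
"""
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # assumed time step; RFC 6238 default
DIGITS = 6          # assumed code length


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238: the counter is the number of whole steps since the Unix epoch."""
    return hotp(secret, now // step)


class Validator:
    """The service side: shares the secret and its own clock with the generator.

    `window` is how many steps of clock drift to tolerate on each side.
    `last_counter` remembers the newest step already consumed, so a code that
    was accepted once (or any older one) is rejected on replay.
    """

    def __init__(self, secret: bytes, window: int = 1, step: int = STEP_SECONDS):
        self.secret = secret
        self.window = window
        self.step = step
        self.last_counter = -1

    def verify(self, code: str, now: int) -> bool:
        base = now // self.step
        for delta in range(-self.window, self.window + 1):
            counter = base + delta
            if counter <= self.last_counter:
                continue  # already used, or older than something already used
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


def demo(secret: bytes = b"12345678901234567890") -> dict:
    """Walk through one login: phone generates, service checks, replay is refused."""
    now = int(time.time())
    code = totp(secret, now)          # what the phone application would show
    service = Validator(secret)
    return {
        "code": code,
        "first_attempt": service.verify(code, now),   # accepted
        "replay": service.verify(code, now),          # same code again: refused
        "garbage": service.verify("000000", now),     # almost surely refused
    }


if __name__ == "__main__":
    print(demo())
```

Note the two things a real validation service must get right and that this toy shows: the drift window is what makes a time-synchronized token usable when the phone's clock is a few seconds off, and the "highest step already consumed" rule is what stops an attacker who shoulder-surfed a code from using it within that same window.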
Returning to the open letter, which proposed using mobile devices for two-factor authentication... Someone even suggested it would be extremely difficult to organize. In fact it isn't; the real issue is that it costs extra, and the question is who bears that cost.
Back to the technology: with VIP, two-factor authentication using mobile phones is easy to set up. The one-time password generator can be either a hardware device (token, card, etc.) or an application on a mobile phone. I think many of you will agree that the latter is far more convenient: the phone is always with you, and there are no extra costs for buying, shipping and maintaining hardware.
Another question is who will pay for this opportunity?
For users, it is completely free. And that is good news.
By the way, if anyone wants to see what the application looks like, go to m.verisign.com, download the application and become a happy owner of one-time passwords.
For those who don't want to download it but still want to see it:

So, if the one-time password is used for authentication on a public resource, that resource pays for using the service.
If one-time passwords are used internally, the company using them pays.
Where to use it?
If you use eBay or PayPal, you can use it there. In principle, there is a website listing all public resources that accept authentication with these one-time passwords.
You can also use one-time passwords inside a company; the most typical scenario is VPN access.
By the way, if you are the owner of a public resource and want to provide your users with the opportunity to authenticate using one-time passwords, you are welcome to join us. VIP integration is extremely simple.
Why am I writing all this?
The insecurity of ordinary passwords is as old as the hills, yet most companies still don't use multi-factor authentication. The usual reasons: expensive, inconvenient, complicated, and so on.
There are solutions that make authentication reliable yet convenient and not very expensive. And if you look not at the initial cost but at the total cost of ownership, I would even say cheap.
So the devil is not as black as he is painted, and multi-factor authentication is not as complex as many make it out to be.