Forgettable passwords

May 2009 Products & Solutions

A South African company has developed a secure way to ensure users never need to remember their passwords again; all they need to do is remember to take their cellphones with them.

South African software development company FireID has developed what is believed to be a world first – a highly secure system that provides a one-time password (OTP) authentication solution by generating secure passwords and sending them to users’ mobile phones.

“This means people no longer have to remember complicated passwords or change them often as a new password is generated every time a login is required, and it expires immediately after use,” says FireID founder and strategic director Justin Stanford. “Most convenient of all, it runs on an existing hardware platform that people carry with them – the ubiquitous mobile phone.”

FireID founder and strategic director Justin Stanford

This universal personal authenticator has a multitude of possible applications and enables secure and easy authentication for people logging onto systems such as Internet banking sites, virtual private networks (VPNs) and others that are password-protected. FireID enables users to access multiple applications requiring OTPs from the same menu.

It does not rely on cellular network connectivity other than for initial deployment of the end-user token application. Importantly, it does not make use of text messages, or other forms of communication, to deliver OTPs to users. OTPs are generated on the user’s mobile phone independently and securely.

FireID significantly reduces overheads through its ability to deploy to thousands of users. Conventional authentication solutions use a key fob or hardware token to generate OTPs. The cost and maintenance of these tokens, plus distribution and management, are a logistical nightmare for most organisations. “FireID, by contrast, has been developed to significantly reduce overheads by offering a fixed annual cost and facilitating deployment to the user through a simple, tutorial-based process,” says Stanford.

How it works

FireID employs a back-end server and an end-user 'token' application running on the user’s mobile phone. The server authenticates the user logging on with a random one-time password generated by the token application on the user’s phone. This process takes place each time authentication to a FireID-protected resource, such as a Microsoft Windows PC logon, VPN or Web portal logon, is required.

The token application is installed once on all end-users’ mobile phones and generates random one-time passwords to allow users to authenticate to a FireID-protected resource. The application supports almost all mobile devices using Java, and natively supports Microsoft Windows mobile devices.

The deployment system is able to automatically deliver custom versions of the token application to support a vast variety of different mobile phones. In addition, the token application can store many different tokens for authenticating to different resources, or even entirely different companies.

Each token operates independently and securely. The user simply chooses the token they want to use (such as 'My bank', 'The office', or 'Remote access') from within the FireID application, and an appropriate OTP will be generated. New tokens can be remotely and seamlessly added to a user’s FireID token application using background SMSs.

The token application can also be managed using background SMSs, performing administration tasks, such as resyncing tokens, in a completely secure manner.
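The article does not say which OTP algorithm FireID uses. As an added illustration (not FireID's code), the sketch below uses the public RFC 4226 HOTP algorithm as a stand-in to show how a phone can generate OTPs offline, how a server can accept each one only once, and what a token resync involves. The class names, the look-ahead window of 2 and the resync search depth are assumptions.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class PhoneToken:
    """Handset side (hypothetical): shared secret plus counter, no network needed."""
    def __init__(self, secret, counter=0):
        self.secret, self.counter = secret, counter
    def next_otp(self):
        otp = hotp(self.secret, self.counter)
        self.counter += 1
        return otp

class AuthServer:
    """Back-end side (hypothetical): single-use OTPs with bounded counter drift."""
    def __init__(self, secret, counter=0, window=2):
        self.secret, self.counter, self.window = secret, counter, window
    def verify(self, otp):
        for c in range(self.counter, self.counter + self.window + 1):
            if hmac.compare_digest(hotp(self.secret, c), otp):
                self.counter = c + 1  # consume: this OTP and all earlier ones are dead
                return True
        return False
    def resync(self, otp1, otp2, search=50):
        """Recover from large drift by demanding two consecutive OTPs."""
        for c in range(self.counter, self.counter + search):
            if (hmac.compare_digest(hotp(self.secret, c), otp1)
                    and hmac.compare_digest(hotp(self.secret, c + 1), otp2)):
                self.counter = c + 2
                return True
        return False

def demo():
    secret = b"12345678901234567890"  # RFC 4226 test secret, not a real key
    phone, server = PhoneToken(secret), AuthServer(secret)
    first = phone.next_otp()
    out = {"first": first, "accepted": server.verify(first), "replay": server.verify(first)}
    for _ in range(5):  # user generates codes without logging in: counters drift apart
        phone.next_otp()
    a, b = phone.next_otp(), phone.next_otp()
    out.update(drifted=server.verify(a), resynced=server.resync(a, b))
    out["after"] = server.verify(phone.next_otp())
    return out
```

The window is the security trade-off: a wider one tolerates more unused codes on the phone but gives a guesser more valid values per attempt, which is why large drift is handled by a separate resync that requires two consecutive codes.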

How it is deployed

The FireID deployment process is designed to be as simple and automated as possible. Users must perform a once-off installation of the FireID token application on their mobile phone and migrate their account from normal static passwords to OTPs, generated by the FireID system.

Users can be deployed individually or in groups, making the process easy to manage. Only once a user has successfully installed the token application, and activated it, will their account switch over to FireID for authentication.

During deployment, each user will receive an automatically generated e-mail from the FireID server, and an online self-deployment tutorial will begin. This will verify the user’s identity and mobile phone number. From there, a simple walk-through process is followed, which takes users through the various steps.

The deployment process delivers the appropriate version of the FireID token application for the specific mobile device, its capabilities and specifications. Should the installation of the application fail, the FireID administrator is able to view the reason in the deployment logs.

The token application can optionally prompt for an activation code, once the user has successfully completed the installation. This code can be delivered separately to each user as an additional security measure to ensure identity verification.

Integration

FireID is designed to integrate into existing infrastructure to provide strong authentication services. It integrates with Microsoft Active Directory in real time. “Unlike other authentication solutions, which perform a regular synchronisation to the directory resulting in conflicts and out of date information, FireID integrates directly and all data remains stored in the directory,” Stanford notes.

This allows administrators to continue using Active Directory management tools to manage their user base. To enable FireID for Microsoft Windows logons, a small replacement FireID Windows logon application can be deployed automatically using Microsoft network management tools to all workstations. Via RADIUS, FireID is able to provide authentication to a multitude of network devices and software, such as routers, switches, VPNs, RAS, network servers and many more. XML-RPC support allows easy integration with any Web-based portal, site or service.

High-level security

FireID is designed from the ground up to be highly secure. All processes have been carefully scrutinised and designed with security in mind, and secure encryption is used throughout. FireID administrators have complete control over FireID tokens and can revoke or issue them accordingly.

The complete system, including configuration settings and downloaded product updates, can be backed up and restored rapidly. The FireID back-end server keeps itself up to date with the latest version via secure HTTP updates, ensuring that the latest product improvements are installed at all times.

Applications

LAN and WAN: FireID is able to provide secure authentication for a variety of corporate network resources for internal and external security. Microsoft Windows logons on workstations and servers can be protected, as well as logons on Linux servers and other server types using direct Active Directory integration or RADIUS/PAM. Other network devices such as switches, routers and firewalls can also be easily integrated.

Remote access/VPN: Protecting remote access mechanisms into the corporate network is crucial to prevent unauthorised access by external users. FireID is able to protect these resources with strong authentication by easily integrating with existing devices and software using RADIUS.

Web: FireID provides strong authentication to an external user base which accesses a Web service or application, such as Internet banking, e-commerce sites, commercial portals or document repositories.

For more information contact Justin Stanford, FireID, +27 (0)21 687 9185, [email protected]















While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.




© Technews Publishing (Pty) Ltd. | All Rights Reserved.