Teijo Mustonen, R&D Director, Tosibox Oy
Do you rely solely on passwords to protect your own and your company’s data? Whether you answer yes or no, keep on reading. You will discover that receiving security codes by SMS can get you into almost as nasty trouble as if there were no codes at all.
In the world of identity theft and corporate espionage, security is a great asset and the identification of users is essential. Two-factor authentication (2FA) is often confused with two-phase authentication. Two-phase authentication means inserting the same piece of information into two mediums, whereas 2FA means that the user authenticating him-/herself must have two mediums in his/her possession.
Confirming the account owner’s identity originated from security questions such as “what’s your mother’s maiden name” or “what was the name of your first pet”. Authentication has since expanded from this type of question and backup email addresses to security codes sent by SMS.
Ways of authenticating have developed dramatically in recent years. Let’s go over them in the following.
Identification by SMS or phone call is generally perceived as the minimum amount of identification required. For example, you cannot even open an account in the WhatsApp messaging service unless you provide a phone number through which the account is authenticated with a separately sent code. Since more and more people are communicating and using the Internet with their smartphones, identification by SMS or phone call is agile.
However, the world is familiar with several cases in which the attacker has managed to gain control over the user’s phone number. Usually this is done by fooling the telephone company’s customer service. This way the attacker can access the verification codes that will be sent to the user, as well as the user’s SMS or call-verified accounts.
Google, for example, offers an identification app. Similarly, banks such as Nordea prefer authentication that takes place with an additional application. Both of these require a password or – in the case of Nordea – a username.
Using an identification app is more secure than SMS or call confirmation. However, the disadvantage is that the applications need to be reinstalled when upgrading your phone. What can make their use exceptionally challenging are the application provider’s conditions in case your phone is ever stolen. In a situation like this, some banks require you to visit their office to verify your identity before the application can be downloaded again.
Not long ago, at the beginning of this millennium, the sign of a self-respecting organization valuing security was RSA’s SecurID token. One of its customers was the Finnish company Nokia back during its days of glory.
Later, physical authentication keys have been introduced, among others, by Google. However, its Titan security key is so far available only in the United States.
The search engine giant’s identification key works by connecting it to a computer’s USB port. Other similar solutions are provided, for example, by Yubico, which even uses biometric identification in some of its authentication keys.
The good thing about physical keys is that their users do not have to rely on their phone, whose battery can die or whose number can be hijacked.
In consumer usage, the biometric identifier is most often fingerprint authentication, but face recognition and iris recognition are becoming more common as well. Biometric identification methods are considered the most secure, even though smartphone identifiers have been fooled with, for example, photographs, gummy bears and contact lenses.
These developing technologies still differ in many ways, and their functionality is uncertain, especially in technology aimed at consumers. As a means of identification, however, they provide an excellent additional layer to multi-step identification, adding security alongside other means of identification.
TOSIBOX® solution is secured by two-factor authentication (2FA). Users receive a TOSIBOX® Key with 2048-bit RSA encryption. With the TOSIBOX® Key, a secure connection can be established to one or more TOSIBOX® Locks to control devices attached to the Locks. The Lock, in turn, protects the outer edge of your corporate network as the firewall that connects to the Key via a VPN tunnel.
Through TOSIBOX® Key, access rights can be easily and safely extended to software or mobile. As an additional option, TOSIBOX® Mobile Client and TOSIBOX® SoftKey function as sub-keys to TOSIBOX® Key. Two-factor authentication is also available for Mobile Clients and SoftKeys: they’re device-specific and password protected.
TOSIBOX® solution meets the high security standards of the industry, keeping your data safe from even the most inventive hackers’ tricks.