SMS Passcode A/S
This is not the first time we've seen a product such as this one and we confronted the presenter with that at the Security Innovators Throwdown. By their own admission, there are perhaps 20 other companies that use some variant of their authentication approach. So what makes them an innovator worthy of being in the top five at the Throwdown? The company claims to be the leading provider of SMS-based two-factor authentication technology and, perhaps, that is true. But in our view, that is far less important than the product itself, which certainly has some very nice features.
When we asked why they are in this market, the answer was clear: ease of use and supplanting tokens. That is a theme that we have seen repeatedly. The use of tokens is a critical path to strong authentication, but hardware tokens can be expensive and tricky to implement for lay users. So there are a lot of companies trying to find easy-to-use, inexpensive, strong authentication methods. This one is, by any measure, one of the sure winners.
A couple of years ago, we reviewed a similar product. We were only moderately impressed. We found several ways to make it less than useful; for example, working in a data center underground where the signal could not penetrate. Or how about all of those people who work in high security spaces where cell phones are not permitted? If you are depending on your cell phone to authenticate you to a computer or network, you're toast. That sort of obviates the use of this method of strong authentication for a big piece of the market that really needs it. When we brought that up to SMS Passcode they were unconcerned. "No problem," they told us. "We have a solution for that problem." Now they had our attention.
SMS Passcode has several rollback options that allow the user to log in by an alternative method if necessary. However, according to the company, SMS codes often can reach cell phones when a conversation might not be possible. To be sure, there may be situations where this form of authentication would not be the best choice, but in our view those would be pretty specialized. That said, the company has done some things to move the technology solidly into the market, and not all of those things target the business community. Consumers need to authenticate to systems too, and that is a piece of the marketing strategy.
The consumer market got a wake-up call recently when the Zeus trojan proved that it could snatch one-time passcodes and IM them to hackers. That means that accessing a bank account is a bit more dangerous now than in the past. That opens a consumer market for SMS Passcode.
More important in our view, though, is the need to work with the corporate world. SMS Passcode has done that by working with companies such as Citrix toward an integrated two-factor authentication product. This is important, but it may be eclipsed by the technology in this case. The key, according to the company, is avoiding a pre-issuance passcode, that is, a code the user receives before authenticating. An example is a time-based token. The user clicks the button on the token and it generates a code that is good for some period of time. The user then logs in with ID and PIN, gets a prompt and sends the passcode generated by the token. If login fails, it may be possible to try again using the same code.
In contrast, SMS Passcode requires a login and authentication, and then the passcode is generated and sent to the SMS phone. The user can then log in. The code is only valid for a single login effort and, if that fails, a new code must be generated. If the code is intercepted after the user enters it, the code is useless.
This is an important distinction because the code is delivered out of band - by SMS instead of to the computer or application - and it is unlikely that it could be intercepted and used before the legitimate user receives and keys it in. We find that to be extremely innovative - if somewhat intuitive - and that certainly got our attention at the Throwdown. It also sets up several rollback scenarios, including delivering the code directly to the computer if necessary.
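The contrast drawn above between a pre-issued time-window code and a code issued only after the first factor succeeds can be sketched as follows. This is an added example, not SMS Passcode's code: `window_code` is a simplified stand-in for a time-based token (not RFC 6238), and `ChallengeOtp`, the 120-second lifetime, the SMS callback and the phone number are all assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

def window_code(secret: bytes, now: float, step: int = 60) -> str:
    """Pre-issued style: simplified time-window code (stand-in, not RFC 6238)."""
    mac = hmac.new(secret, str(int(now // step)).encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**6:06d}"

def verify_window(secret: bytes, submitted: str, now: float) -> bool:
    # Nothing is consumed: the same code verifies again until the window rolls over.
    return hmac.compare_digest(window_code(secret, now).encode(), submitted.encode())

class ChallengeOtp:
    """Code is generated only after the first factor passes, for one login attempt."""
    def __init__(self, send_sms, ttl=120.0, clock=time.monotonic):
        self._send, self._ttl, self._clock = send_sms, ttl, clock
        self._pending = {}  # session_id -> (code, expiry)

    def begin(self, first_factor_ok: bool, phone: str):
        if not first_factor_ok:
            return None  # no code exists before ID and PIN are accepted
        session_id = secrets.token_urlsafe(16)
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[session_id] = (code, self._clock() + self._ttl)
        self._send(phone, code)  # out-of-band delivery (assumed SMS gateway callback)
        return session_id

    def finish(self, session_id: str, submitted: str) -> bool:
        # pop() consumes the code on ANY attempt, right or wrong.
        code, expiry = self._pending.pop(session_id, ("", 0.0))
        if not code or self._clock() > expiry:
            return False
        return hmac.compare_digest(code.encode(), submitted.encode())

def demo():
    outbox = []  # constructed stand-in for an SMS gateway
    otp = ChallengeOtp(lambda phone, code: outbox.append(code))
    sid = otp.begin(True, "+10000000000")  # constructed phone number
    first = otp.finish(sid, outbox[-1])
    replay = otp.finish(sid, outbox[-1])  # code intercepted after use
    sid2 = otp.begin(True, "+10000000000")
    wrong = "000000" if outbox[-1] != "000000" else "000001"
    failed = otp.finish(sid2, wrong)
    retry = otp.finish(sid2, outbox[-1])  # a new code must be requested instead
    secret, now = b"constructed-secret", 1_000_000.0
    code = window_code(secret, now)
    reuse = verify_window(secret, code, now) and verify_window(secret, code, now + 5)
    return first, replay, failed, retry, reuse, otp.begin(False, "+10000000000")
```

Calling `demo()` returns, in order: the legitimate login, a replay of the used code, a wrong guess, a retry with the right code after that failure, reuse of the window code, and an attempt to obtain a code without the first factor.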
One downside of this product at the moment is that you need to buy it from the company. Review of the website failed to reveal a reseller in North America. While that is not a deal breaker in most cases, it does have an impact since support also must come directly from the company at the moment.
Product: SMS Passcode
Company: SMS Passcode A/S
Cost: Starts at $2,095 for a five-user starter pack.
The problem it solves: Strong authentication at a low cost.
What we liked: Ease of use and reliability.
What we didn't like: I would like to have seen a reseller in North America that could sell, deploy and support the product. It appears that business is lagging the fine technology.