Two-factor authentication, or not two-factor?
The notion of true multifactor authentication rests on combining, in a single authentication mechanism, two or more of something you have, something you know and something you are. However, this month's First Look asks the question, "Do you really need true multifactor authentication to get the same benefits?" SyferLock Technology has answered that with a resounding "No!"
This month, we looked at SyferLock's GridGuard and GridAdvanced products, which offer, in the company's words, "next generation one time passwords" (OTP). The idea behind OTP is not a new one, but these passwords are typically generated by hardware tokens at a price of tens of dollars each. For some high-security applications, this rather high cost certainly is justified. However, for mass-market applications, something else is needed: something easy to learn and use, something reliable, and something inexpensive to buy, implement and manage.
A few months back we looked at a product that uses a cell phone as an authentication mechanism. That is one way to solve the problem using a new factor: somewhere you are. GridGuard takes the tried and proven process of OTP and adds an interesting twist: there is no token. I liked this product a lot for three reasons: it is cheap to buy, implement and manage. It is real, true strong authentication. And it is easy to learn and use. For example, it has been implemented in senior citizen communities, where help desk calls tend to be more frequent than in other types of implementations. People who were just learning to use computers had no trouble learning to use GridGuard.
There are several ways to use the SyferLock product. Let's start with the easiest as an example (in this mode, the username and password can even be the same). First, the idea behind GridGuard. The tool consists of a pad, or grid, of squares, each holding one character. In one version of the product there is a square for each upper-case and lower-case letter of the alphabet, plus a square for each digit and special character, such as the #, @ or ! symbols. In another, there is just a number pad. In each of the four corners of every square is a number, and these numbers change randomly with each new use. The user registers a password (it can be anything, since the code actually typed changes with every use) and chooses which of the four corners will be used to generate the pass-code.
When it is time to log in to a protected system, the user enters the ID and password as always. However, the user does not type the password itself. Rather, for each character of the password, they type the number appearing in the selected corner of that character's square. This generates, in effect, a one-time pass-code derived from the password and the grid on screen, a new step in the process that could be called something you do. Strictly, the password and the chosen corner are both things the user knows, so the scheme is a challenge-response over a single knowledge factor; what it gains is the one-time property of the typed code, not an independent second factor.
At any time, the user can re-select the corner without help desk assistance, and can also change the password. For very low security applications, or where users are not likely to remember both a username and a password, the username can double as the password with limited risk. The obvious trade-off is that anyone who learns the username then also knows the password, and only the choice of corner stands between them and a valid pass-code.
There are very few downsides to this approach. One is that the scheme still rests on knowledge of the password: if someone is able to guess the user's password, or if the user shares it, all bets are off. What it does defeat is the main danger of reusable passwords, interception and keyloggers: a captured pass-code is tied to the grid that was on screen when it was typed, so it cannot be replayed against the next login. Note, though, that the grid itself is displayed on the screen, so an attacker who can capture both the screen and the keystrokes over several logins has more to work with than a single stolen keystroke sequence.
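To make the mechanism from the two paragraphs above concrete, and to show what the "grid is on screen" caveat means in practice, here is a small simulation. It is an added example written for this review, not SyferLock's code, and it models the scheme only as the review describes it: one single-digit number in each of four corners of every character square, freshly randomised on every login, and a user who types the chosen-corner digit of each password character. The function names, the alphabet, the password and the corner numbering are all assumptions. Beyond the login itself, the block goes one step further than the text and shows how an observer who captures both the displayed grid and the typed digits across several logins can intersect the possibilities for each password position; whether the real product has layout or range choices that change this picture is not something the review states.

```python
"""Simulation of the grid-based one-time pass-code scheme described in the review.

Simplified model (an assumption, not SyferLock's implementation):
  * a grid maps every character of the alphabet to four single-digit numbers,
    one per corner, and is freshly randomised on every login;
  * the user has registered a password and one corner (0..3);
  * instead of typing the password, the user types the digit in the chosen
    corner of each password character's square.
"""
import random
import string

CORNERS = ("top-left", "top-right", "bottom-left", "bottom-right")
# Hypothetical alphabet: letters, digits and punctuation, as in the review's
# full-keyboard version of the grid.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def make_grid(rng, alphabet=ALPHABET):
    """Return a fresh grid: character -> (digit, digit, digit, digit)."""
    return {c: tuple(rng.randrange(10) for _ in CORNERS) for c in alphabet}


def derive_code(grid, password, corner):
    """What the user types: the chosen-corner digit of each password character."""
    return "".join(str(grid[c][corner]) for c in password)


def verify(grid, password, corner, submitted):
    """Server-side check against the grid the server issued for this login."""
    return submitted == derive_code(grid, password, corner)


def narrow_candidates(observations, alphabet=ALPHABET):
    """Intersection analysis of the model.

    observations: list of (grid, typed_code) pairs captured from separate logins
    with the same password and corner. Returns, for each corner hypothesis, a
    list with one set per password position holding the characters that are
    still consistent with every capture.
    """
    results = {}
    for corner in range(len(CORNERS)):
        per_position = None
        for grid, code in observations:
            consistent = [
                {c for c in alphabet if grid[c][corner] == int(d)} for d in code
            ]
            if per_position is None:
                per_position = consistent
            else:
                per_position = [a & b for a, b in zip(per_position, consistent)]
        results[corner] = per_position
    return results


def total_candidates(results):
    """Number of (corner, password) combinations still consistent with all captures."""
    total = 0
    for per_position in results.values():
        n = 1
        for candidates in per_position:
            n *= len(candidates)
        total += n
    return total


if __name__ == "__main__":
    rng = random.Random(7)               # seeded so the demo is repeatable
    password, corner = "Gr1d!pass", 2    # assumed user registration

    # One login: the server issues a grid, the user types the derived code.
    grid = make_grid(rng)
    code = derive_code(grid, password, corner)
    print("typed:", code, "accepted:", verify(grid, password, corner, code))

    # A keylogger's replay of that code against the next grid fails.
    print("replay accepted:", verify(make_grid(rng), password, corner, code))

    # An observer capturing screen (grid) and keystrokes (code) over k logins.
    captures = []
    for k in range(1, 5):
        g = make_grid(rng)
        captures.append((g, derive_code(g, password, corner)))
        remaining = total_candidates(narrow_candidates(captures))
        print(f"after {k} capture(s): {remaining} password/corner combinations remain")
```

Running the block shows the two sides of the review's point: a single captured code is useless against the next grid, but each additional capture of grid plus code divides the candidate set for every password position by roughly ten, so under this simplified model a handful of observed logins is enough to recover the password and corner. Screen capture, not just keystroke capture, is the threat to assess for any on-screen grid scheme.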
The SyferLock products integrate easily with existing systems, such as Microsoft OWA, Citrix, .NET, Java and Juniper. There is an API, so creating custom implementations is straightforward. It is deviceless, so there is nothing to install on the user's machine.
Priced at $10,000 per server for the server-side software, plus a maximum of $10 per user per year for licenses, this is a very reasonably priced product. For very large user populations, the annual per-user license cost drops considerably. The product also works in multiple languages and character sets (Arabic and Greek, for example), so users can formulate passwords in their native languages and alphabets.
Support is available directly from SyferLock and the company's website is reasonably complete, although I would like to see a bit more in the support page (e.g., FAQ, manual downloads, etc.) and the company information is a bit thin.
AT A GLANCE
Product: GridGuard 2Form and GridAdvanced
Company: SyferLock Technology Corporation
Price: $10 per user per year annual license, plus one time $10,000 fee per server instance/license, maintenance included.
What it does: Provides a one-time password generated in a unique manner.
What we liked: This is, hands-down, the easiest to use OTP product I have ever seen. It is acceptably secure for what it does and it is priced reasonably.
What we didn't like: The website is a bit too heavy on online marketing brochure information and a bit too light on really useful information. I would like a more complete support section, and I would like to know more about the company itself.