
TWO-FACTOR AUTHENTICATION GOES MOBILE

First Edition September 2012 © Goode Intelligence

All Rights Reserved

Published by: Goode Intelligence, 26 Dover Street, London, W1S 4LY, United Kingdom

Tel: +44.20.33564886 Fax: +44.20.33564886

www.goodeintelligence.com [email protected]

Whilst information, advice or comment is believed to be correct at time of publication, the publisher cannot accept any responsibility for its completeness or accuracy. Accordingly, the publisher, author, or distributor shall not be liable to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by what is contained in or left out of this publication.

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electrical, mechanical, photocopying and recording without the written permission of Goode Intelligence.

Goode Intelligence © 2012 www.goodeintelligence.com

CONTENTS

Market Analysis: The mobile phone as ultimate tokenless authenticator ... 2
Understanding the basics: What is Tokenless Two-Factor Authentication (2FA)? ... 3
What is Two-factor Authentication? ... 3
Key benefit of 2FA ... 3
What is Tokenless 2FA? ... 3
It’s all about user choice! Self-management – the key to 2FA lifecycle management ... 4
Benefits of user choice and self-management ... 4
More mobile phones than people – every phone can support tokenless 2FA ... 5
Is SMS a reliable method for OTP delivery? ... 5
The importance of innovation in tokenless authentication ... 6
Innovate or fail! ... 6
Innovation Case Study – SecurEnvoy ... 6
The changing endpoint needs a rethink in 2FA technology ... 7
Customer case study – Invensys ... 8
Invensys 2FA Project ... 8
What Goode Intelligence research tells us about mobile 2FA ... 10
Mobile 2FA Adoption ... 10
Tokenless Mobile 2FA Market Activity: Increasing sales erode hardware token market ... 10
Summary ... 11
Related research / about Goode Intelligence ... 12

Two-Factor Authentication Goes Mobile

Goode Intelligence © 2012 Page | 2 www.goodeintelligence.com

The mobile phone has become the de-facto device for business and leisure and is in the hands of the majority of the world’s population. Mobile phones have become the dominant computing platform for every part of our daily lives including communication (including business email), social networking, gaming, media consumption, navigation and even payment with the advent of Near Field Communications (NFC) technology. The mobile phone is the ultimate disruptive technology and authentication is not immune from its influence.

MARKET ANALYSIS: THE MOBILE PHONE AS ULTIMATE TOKENLESS AUTHENTICATOR

This white paper from mobile security research and consultancy specialist, Goode Intelligence (GI) explores how mobile phones are transforming authentication and eroding the position of hardware token technologies as the dominant form in Two-factor authentication (2FA). GI first started its research into mobile phone-based authentication (mobile 2FA) products and solutions in the summer of 2009 and has discovered a number of key facts:

Mobile (tokenless) 2FA is considerably cheaper than hardware-based 2FA solutions including hardware tokens and smart cards

Mobile 2FA is easy to deploy and manage with provisioning taking a fraction of the time that hardware-based 2FA solutions can take

Mobile 2FA is ubiquitous in that it is available for all mobile phones, not just smart phones

In an age where users are bringing in their own mobile devices into the workplace and using consumer cloud-based services for business purposes, end-user choice is vital. Tokenless 2FA solutions must offer user choice through self-management functionality

GI’s research has uncovered examples of excellent technology innovation from vendors involved in mobile 2FA. Choosing a technology vendor with innovation as a primary pillar is key for end-users when making strategic buying decisions for authentication

As mobile 2FA is cost-effective, easy to deploy and available to billions of mobile phone users around the world, it is quickly becoming the de-facto technology to replace weak userid and password authentication solutions

Goode Intelligence White Paper: Goode Intelligence’s white papers offer analyst insight from research extracted from primary sources including surveys, analyst reports, interviews and conferences.

GI Research Facts

35% of organisations have deployed mobile phone-based authentication [1]

Mobile phone-based authentication has increased market-share from 5% in 2009 to over 20% by the end of 2011 [2]

By the end of 2014, 64 percent of 2FA sales will be mobile-based [3]

[1] Taken from mSecurity Survey 2011 Report premium edition, published by Goode Intelligence April 2012: http://www.goodeintelligence.com/report-store/view/gi-msecurity-2011-survey-report-premium-edition

[2] Goode Intelligence primary research

[3] Taken from “The mobile phone as an authentication device 2010-2014”. Published by Goode Intelligence, November 2009: http://www.goodeintelligence.com/report-store/view/the-mobile-phone-as-an-authentication-device


UNDERSTANDING THE BASICS: WHAT IS TOKENLESS TWO-FACTOR AUTHENTICATION (2FA)?

What is Two-factor Authentication?

Two-factor authentication (2FA) is an information security process in which two means of identification are combined to increase the probability that an entity, commonly a computer user, is the valid holder of that identity. 2FA requires the use of two reliable authentication factors:

Something the user knows, e.g. a password or a PIN

Something the user owns, e.g. a mobile phone, a hardware token or a smart card

In many 2FA solutions, possession of the second factor, “something that the user owns”, is demonstrated by knowledge of a one-time password (OTP). This OTP is either generated by the second factor in the possession of the user, e.g. a mobile phone, or generated by a trusted server and then delivered to the second factor. This delivery can include SMS text messages.

Key benefit of 2FA

Reduces the possibility of an authentication credential being stolen and abused. Passwords are static codes that are prone to theft, e.g. through phishing, keylogging or replay attacks. By utilising OTPs, a 2FA solution can avoid many of the weaknesses associated with static password solutions.

What is Tokenless 2FA?

Hardware tokens generating OTPs have been a common method for 2FA. For many years enterprise users have been carrying around hardware tokens for enterprise 2FA. But have hardware tokens had their day? Has a combination of high purchase and distribution costs, a move away from centralised support to self-service, and security concerns created by high-profile hacks meant that alternative 2FA solutions are beginning to erode this once dominant technology? A credible alternative to hardware tokens is the tokenless solution. Tokenless solutions do not rely on proprietary hardware but instead make use of existing hardware that is already in the hands of users. They perform all of the security functions that hardware tokens offer, and in some cases enhance security, but are not reliant on expensive, single-use hardware technology. The power of tokenless is especially strong when the device being utilised is a mobile phone.

GI Definitions

2FA: Two-factor Authentication. Something the user knows and something the user owns or has

Tokenless 2FA: 2FA solutions that do not rely on proprietary hardware technology

OTP: A one-time password is a password or code that is generated for only one login session

Credential: Identity attestation issued by an authority to validate users at logon

Replay attack: Where a password is intercepted or stolen and then replayed by an imposter user to get unauthorised access to a computer or network


IT’S ALL ABOUT USER CHOICE! SELF-MANAGEMENT – THE KEY TO 2FA LIFECYCLE MANAGEMENT

Choice is a frequently used word in IT at the moment.

The choice for an employee to bring their own personal device into the workplace and use it for business purposes; where device can mean smart phone, tablet computer, netbook, laptop or MacBook.

The choice to share information with friends and colleagues using agile cloud-based services such as Dropbox and Box.

The choice to communicate with friends and colleagues using social network tools such as Facebook, Twitter and LinkedIn.

Is choice relevant to information security and, in particular, is it relevant to 2FA? On the surface you would think not, as it goes against some of the tenets of information security: strict information security policies drive technology controls that are deployed by central IT and information security functions. This does not really sit well with user choice; or does it?

Will bring your own device (BYOD) turn into bring your own token (BYOT)? Over two-thirds of organisations now support BYOD and many are using tools such as Mobile Device Management (MDM) to enforce security policy.[4] These employee-owned devices are also being utilised as authenticators; soft tokens running as mobile apps – Bring your own token (BYOT).

Are we able to put the user in control whilst at the same time ensuring that information security policy is met? GI firmly believes that the two can coexist with each other for 2FA solutions by:

1. Choosing an authentication technology partner that puts the user in control but also allows authentication security policy to be met
2. Allowing administrators to create the technology framework to support choice
3. Allowing the end user to choose their preferred authentication device
4. Supporting any mobile phone, not just smart phones that can run mobile apps
5. Allowing the user to swap seamlessly between mobile phones without incurring additional license cost

Benefits of user choice and self-management

Modern enterprise IT is all about providing users with choice, and information security should not be immune to this trend. It is important that authentication solutions provide the user with choice, putting the user in control of which authentication device (mobile phone) they want to use. A core strength of today’s authentication solution should be the offer of self-management: empowering the user to manage their own authentication service, thus removing the onus of authentication lifecycle management from administrators.

[4] Taken from mSecurity Survey 2011 Report premium edition, published by Goode Intelligence April 2012: http://www.goodeintelligence.com/report-store/view/gi-msecurity-2011-survey-report-premium-edition


MORE MOBILE PHONES THAN PEOPLE – EVERY PHONE CAN SUPPORT TOKENLESS 2FA

It is forecast that shortly there will be more mobile devices than people on this planet (forecast for just over seven billion people in 2012).[5] Ericsson, the mobile network technology vendor, forecasts that by 2017 there will be nine billion mobile phone subscriptions.[6]

Forecasts for 2011 indicated that there were around six billion mobile phone subscribers around the world, with predictions that this figure would rise by 500 million, to a total of 6.5 billion, by the close of 2012.[7]

6.5 billion mobile phone subscribers by the end of 2012

Every one of these mobile devices has the capability to support tokenless 2FA, either through the receipt of SMS text messages containing OTPs or by utilising a mobile app that generates the OTP on the device itself. Two-factor authentication is within easy reach of the majority of the world’s population without the need to issue and manage any additional hardware – that is over six billion potential authenticators. That means tokenless 2FA for any mobile device, anytime from anywhere in the world.

Is SMS a reliable method for OTP delivery?

There is occasionally an issue with the reliability of OTP delivery with SMS text message-based 2FA solutions. Mobile network operators (MNOs) cannot guarantee SMS text message delivery within an acceptable timeframe for 100 percent of all SMS messages sent. There are times when the mobile network is overloaded, e.g. at peak times during events and natural disasters, and other times when network coverage is either poor or non-existent, e.g. an IT engineer in a data centre that may be underground or shielded from radio.

Late delivery of an OTP contained in an SMS text message can be problematic for a time-critical login and can mean no access to critical enterprise resources. To overcome this, tokenless 2FA vendor SecurEnvoy has developed a patented pre-loading feature whereby the problem of poor mobile phone network coverage is removed by the ability to pre-load OTPs.

Pre-loaded one time codes are an innovation from SecurEnvoy that gets over the problem of guaranteeing the receipt of SMS text messages. There are situations, e.g. peak times for SMS traffic or when a mobile phone user is outside of network coverage, when an SMS text message cannot be delivered to a user in a timely manner. This can be critical if you are using SMS to deliver an OTP for remote network access. By pre-loading one time authentication codes each time a user initiates a logon session (three codes are sent with each SMS text message), this issue is resolved.

[5] United Nations world population figures

[6] Ericsson: http://mobithinking.com/mobile-marketing-tools/latest-mobile-stats/a#subscribers – Please note that this forecast is for subscriptions. One mobile phone subscriber can have multiple mobile phone subscriptions.

[7] http://mobithinking.com/mobile-marketing-tools/latest-mobile-stats/a#subscribers
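As an added illustration (not SecurEnvoy’s product code and not part of the original paper), the following Python models the server side of the pre-loading idea: a successful login burns the code that was used and pushes the next three codes out by SMS, so the following login does not depend on timely delivery, and a burned code cannot be replayed. The SmsGateway stand-in, the one-day code lifetime, the five-attempt lockout and the phone numbers are assumptions made for the example.

```python
import hmac
import secrets
import time

# Constructed model of the pre-loading scheme described above (not vendor code):
# each successful login sends the next CODES_PER_BATCH one-time codes by SMS,
# so the codes for the *next* login are already on the phone.
CODES_PER_BATCH = 3
CODE_LIFETIME_S = 24 * 60 * 60   # assumption: a pre-loaded code is valid for one day
MAX_FAILURES = 5                 # assumption: lock the account after five bad attempts


class SmsGateway:
    """Stand-in for the mobile network: records messages instead of sending them."""

    def __init__(self):
        self.sent = []           # list of (phone, text)

    def send(self, phone, text):
        self.sent.append((phone, text))


class PreloadedOtpServer:
    """Checks a PIN (something the user knows) plus a pre-loaded OTP (something owned)."""

    def __init__(self, gateway, now=time.time):
        self.gateway = gateway
        self.now = now           # injectable clock so expiry can be exercised offline
        self.users = {}          # username -> enrolment record

    def enrol(self, username, phone, pin):
        self.users[username] = {"phone": phone, "pin": pin, "codes": [], "failures": 0}
        self._issue_batch(username)   # first batch goes out at enrolment

    def pending_codes(self, username):
        """Unexpired codes the user currently holds; drops expired ones as a side effect."""
        now = self.now()
        rec = self.users[username]
        rec["codes"] = [(c, t) for c, t in rec["codes"] if now - t <= CODE_LIFETIME_S]
        return [c for c, _ in rec["codes"]]

    def _issue_batch(self, username):
        rec = self.users[username]
        # Unguessable six-digit codes from the OS CSPRNG; unused codes from an
        # earlier batch stay valid until expiry, so a late SMS cannot lock the user out.
        batch = [f"{secrets.randbelow(10**6):06d}" for _ in range(CODES_PER_BATCH)]
        rec["codes"].extend((c, self.now()) for c in batch)
        self.gateway.send(rec["phone"], "Your next login codes: " + " ".join(batch))

    def login(self, username, pin, otp):
        rec = self.users.get(username)
        if rec is None or rec["failures"] >= MAX_FAILURES:
            return False
        # Factor 1: something the user knows. Constant-time comparison avoids
        # leaking how many characters matched.
        pin_ok = hmac.compare_digest(pin.encode(), rec["pin"].encode())
        # Factor 2: something the user owns, proven with a pre-loaded code.
        # Every held code is compared (no early exit) so timing does not reveal
        # which position matched.
        matched = None
        for code in self.pending_codes(username):
            if hmac.compare_digest(code.encode(), otp.encode()):
                matched = code
        # Both factors are evaluated before answering, so a failure does not
        # tell the caller which factor was wrong.
        if not (pin_ok and matched):
            rec["failures"] += 1
            return False
        # Single use: burn the code so an intercepted SMS cannot be replayed,
        # then pre-load the next batch for the following login.
        rec["codes"] = [(c, t) for c, t in rec["codes"] if c != matched]
        rec["failures"] = 0
        self._issue_batch(username)
        return True
```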

THE IMPORTANCE OF INNOVATION IN TOKENLESS AUTHENTICATION

Innovate or fail!

There are many examples in the history of information technology where market-dominant technology vendors have seen a steep decline in fortunes as a result of a failure to keep innovating. The IT and telecommunications graveyard is full of organisations that, instead of keeping innovation central to their strategy, have relied on technology that may have been disruptive and innovative in a previous IT age. The current problems that technology vendors such as Research In Motion (RIM) and Nokia are facing testify that companies must strive to innovate and successfully get that innovation to market.

The mantra of innovate or fail is as true in the world of information security and authentication as it is in other areas of IT and telecommunications. One authentication vendor that views innovation as key to its success is SecurEnvoy.

Innovation Case Study – SecurEnvoy

Tokenless mobile phone-based authentication has been around as a concept since the late 1990s and as a product since the early part of the current century. SecurEnvoy has been at the vanguard of innovation (see figure 1 for a timeline of SecurEnvoy’s innovation) in tokenless authentication since 2001 when the first pre-loaded one time code was sent to a mobile phone.

Goode Intelligence applauds SecurEnvoy’s track record of innovation in tokenless authentication from its early beginnings in 2001. Its record for innovation includes using mobile 2FA for password resets (2006), tokenless cloud-based authentication with SecurCloud (2009) and continues into the present with supporting the use of its tokenless authentication for enterprise-grade disk encryption solutions.

Future product releases will build on this strong track record in innovation and will include solutions to use one time codes to ‘session lock’ the voice network to the browser’s current network connection for phone call-based authentication.


Figure 1: SecurEnvoy – Timeline of tokenless innovation

Source: Goode Intelligence, July 2012 (data from SecurEnvoy)

THE CHANGING ENDPOINT NEEDS A RETHINK IN 2FA TECHNOLOGY

We are witnessing diverse and fundamental changes in how enterprise IT is accessed and consumed. A combination of smarter connected consumer devices and cloud-based enterprise services is leading to a revolution in how employees access enterprise IT resources.

Company-issued laptop computers have been the de-facto endpoint computer device for accessing enterprise IT resources when away from the office. Laptop computers are equipped with serial and USB ports that allow devices, such as smart card readers and USB memory sticks, to be easily attached and used. Smart cards and USB-based authenticators have been methods in which 2FA has been supported. However, as falling laptop sales testify, the laptop is losing its grip on being the prime enterprise mobile computing device.


In recent years the trend has been to complement, and even replace, enterprise laptop use with a new breed of smart connected devices. Commonly these new smart mobile devices (SMDs) are smart phones and tablet computers running mobile operating systems. Additionally, the enterprise is being extended out to a new range of connected intelligent consumer devices that offer similar levels of functionality to smart phones and tablet computers. It is feasible that access to enterprise resources could well be pushed out to Smart TVs, games consoles and other touch-screen consumer devices.

The changing nature of enterprise IT requires a good long-term strategy that involves a good degree of future-proofing, and authentication is certainly not immune from this.

These are consumer devices and, in the main, do not offer the same levels of local connectivity that a laptop computer does. If an organisation has adopted a hardware-based 2FA solution that requires either a physical connection, a certificate or pre-installed software on an enterprise-owned device, then this investment would be redundant in this new age.

As a result of this change, organisations should embrace 2FA technology solutions that have a zero footprint at the point of authentication, thus accommodating the existing connection points on any present or future device. This approach is more in tune with the changing nature of enterprise IT. Goode Intelligence believes that tokenless mobile 2FA currently offers the best solution to provide strong authentication for the new breed of remote enterprise workers.

CUSTOMER CASE STUDY – INVENSYS

Invensys is a UK-based FTSE100 engineering conglomerate with revenue of nearly £2.5 billion (2011), employing more than 20,000 staff around the world. The company comprises three businesses: Invensys Rail, Invensys Controls and Invensys Operations Management.

Historically, each of the three businesses was run independently, including its IT infrastructure services. To streamline its operation, Invensys introduced a global IT infrastructure division with a remit of developing shared IT services across all three of the business units. This included remote access services, with a vision of creating a single solution to support employees accessing Invensys IT resources remotely. Naturally, user authentication is a vital part of this shared infrastructure.

Invensys 2FA Project

Back in 2009, Invensys Rail was using a hardware token solution to provide user authentication for its remote access service. The hardware 2FA solution was not without its problems; despite being run as an outsourced service, Invensys Rail found it to be time consuming and costly to operate. One key issue was availability of the hardware token when end-users really needed it. Users were often without their tokens when they were required to connect to the Invensys Rail IT network remotely.

A decision was made to replace the hardware token solution, with the key project drivers being:

1. To reduce the cost of the current hardware token 2FA solution; calculated as $8 per person per month for a hardware token.
2. To reduce the time it took to deliver 2FA credentials to users; calculated as taking “around ten days”.

The task was given to David van Rooyen, principal solutions architect, responsible for Invensys’ telecommunication-based infrastructure strategy. After developing the requirements and evaluating the technology available, Van Rooyen decided to deploy a mobile phone-based 2FA solution provided by SecurEnvoy - SecurAccess. Van Rooyen outlined how the SecurEnvoy solution fulfilled Invensys’ requirements for an agile, cost-effective 2FA solution:

“Provisioning a physical token for one of our users takes around ten days compared with five minutes provisioning a soft token, so the man hours are vastly reduced as well as the costs of shipping them out. I’ve completed a full business analysis and found that $8 per person per month is what it was costing for a physical token versus $2 per person per month for a soft token. When you replicate that across 15-20,000 users, the savings are in the millions.”

Table 1: Key benefits: Hardware token vs. Tokenless - Cost reduction and Time saving

                                           Hardware Token             Tokenless
Cost Reduction ($)                         $8.00 per user per month   $2.00 per user per month
Time Saving (Provisioning single token)    10 days                    5 minutes


WHAT GOODE INTELLIGENCE RESEARCH TELLS US ABOUT MOBILE 2FA

Goode Intelligence is a leading authority in mobile security and has been covering the mobile phone-based authentication market since 2009 when it first published its report ‘The mobile phone as an authentication device’. Since that report was published GI has noticed the steady rise in the adoption of mobile phone-based authentication solutions.

Mobile 2FA Adoption

In Goode Intelligence’s annual mobile security survey (GI mSecurity survey report) there has been a steady rise in the adoption of mobile phone two-factor authentication (2FA) solutions, from zero adoption in 2009, rising to 22 percent in 2010 and standing at 35 percent in the last survey from late 2011 (with a further six percent planning to deploy).

Figure 2: The percentage of organisations that have adopted the mobile phone as an authentication device – 2009-2011

Tokenless Mobile 2FA Market Activity: Increasing sales erode hardware token market

In terms of market activity, Goode Intelligence’s market analysis (started in the summer of 2009) suggests a steady annual increase in the sales of mobile 2FA solutions.

In 2010, data harvested from end-users and technology vendors suggested that around five percent of global 2FA sales were mobile-based. A follow-up study in 2012 discovered that this figure was now over 20 percent. A forecast, made by GI in 2009, suggested that by the end of 2014, 64 percent of 2FA sales will be mobile.[8]

By 2012, 64 percent of total 2FA worldwide sales will be mobile-based

[8] Taken from “The mobile phone as an authentication device 2010-2014”. Published by Goode Intelligence, November 2009

(Figure 2 data points: 2009: 0%; 2010: 22%; 2011: 35%)


SUMMARY

Mobile phones offer organisations that are evaluating their end-user authentication strategy a realistic alternative to both single-factor, userid/password, and hardware-based (single-user devices) two-factor authentication solutions.

This white paper has explored how mobile 2FA is meeting the needs of modern IT functions that require agile, cost-effective and easy to deploy/manage two-factor authentication solutions.

The market for mobile 2FA will continue to grow and it is on course to become the dominant force in two-factor authentication.

End-users who are reviewing their authentication strategy must seriously consider mobile 2FA as a viable solution.

End-users should ask potential authentication partners these important questions when evaluating a suitable 2FA technology solution:

Does the solution offer the end-user a choice in which mobile phone they can use for 2FA purposes?

Can the end-user make these choices through a self-management function?

Does the mobile 2FA solution work on any phone, in any region and at any time?

If the solution is SMS-based, how is the problem of delayed SMS delivery and poor network coverage resolved?

How easy is it to re-provision an end-user when that user changes their mobile phone, and is there any additional cost involved in this process?

What track record does the potential technology partner have for innovation, and will innovation continue to be important for future product releases?

Does the solution allow 2FA on any device, with a zero footprint at the point of login?


RELATED RESEARCH / ABOUT GOODE INTELLIGENCE

The mobile phone as an authentication device 2010-2014 (Published November 2009)

Mobile Phone Biometric Security – Analysis and Forecasts 2011-2015 (Published June 2011)

GI mSecurity 2011 Survey Report Premium Edition (Published April 2012)

mBiometric Series – Insight Report: Mobile Fingerprint Biometrics (Planned publication September 2012)

Mobile Financial Services (MFS) Series - Insight Report: Mobile Banking Security (Planned publication October 2012)

Smart Mobile Identity – the next wave of mobile identity and authentication solutions (Planned publication December 2012)

For more information on this or any other research please visit www.goodeintelligence.com.

Since being founded by Alan Goode in 2009, Goode Intelligence has built up a strong reputation for providing quality research and consultancy services in mobile security. This document is the copyright of Goode Intelligence and may not be reproduced, distributed, archived, or transmitted in any form or by any means without prior written consent by Goode Intelligence.