VoIP: Two Factor Authentication Leverages the Uniqueness of a Phone Number


By Jeff Erlichman, 1105 Government Information Group Custom Media

Currently, most two factor authentication technologies require the user to have a physical smart card or token. But what if there was an alternative – and there is.


Two factor authentication requires users to produce two credentials – something they have (e.g., smartcards or hardware tokens), and something they know (e.g., a password). Where it is required, in order to access a system, a user must produce both factors and they must be verified.


Smart Cards (e.g. DOD CAC cards) and hardware tokens are the most common forms of two factor authentication. But there is a new method now available – and it doesn't require a smartcard or a token.


“The product itself is brain dead simple, but it does have some interesting attributes because it uses the phone – and everybody uses the phone,” explained Steve Dispensa, CTO at PhoneFactor in a recent interview with 1105 Government Information Group Custom Media.


The public telephone network is based on 100 year old technology; it is woven into the fabric of our society. Worldwide there are nearly 4 billion mobile phones and 1.5 billion land lines said Dispensa.


What PhoneFactor’s two factor authentication solution does is leverage the uniqueness of a person’s phone number.


It works this way according to Dispensa. “Say you are banking online and you bank using PhoneFactor. You pull up your bank's website, you enter your user name, your password and click on sign in,” described Dispensa.


“At that point the bank will double check to make sure your user name and password are correct and if they are, the bank will make a phone call to a (your unique) preregistered phone number. Then you get a call from the bank saying ‘hi this is the bank, we see someone logging in, press # if it’s really you.’ You press # and before your hand is off the # key your browser is refreshed and you are looking at your check register or what have you.”


The whole thing is really easy for users to use, really easy for enterprise users to use, and pretty straightforward for a web implementation said Dispensa.


So, what does this have to do with VoIP?


VoIP counts as an enterprise application – and it is an Internet application said Dispensa. “They are data streaming applications. It's voice service but of course it's contained in good old fashioned IP packets – that's VoIP.


What that means said Dispensa is that those conversations are easily snooped if you don't have some kind of a VPN.  “And of course nobody is careful about what they say on the phone and very few people worry about wire taps. They just don’t.”


What that means to an IT professional is that is users are going to use VoIP remotely you are doing it over some kind of encrypted channel. “Well, guess what those encrypted channels are?” asked Dispensa rhetorically. “They are VPNs and those are exactly the kinds of channels, the exact kinds of VPNs that people will steal user names and passwords for.”

cell phone

PhoneFactor's two factor authentication solution leverages the uniqueness of a person's phone number.

Because VPNs are a publically available service, you need two factor authentication, said Dispensa.”With PhoneFactor even if somebody did want to sign into a VPN to try to eavesdrop on a conversation, they simply couldn’t do it because the real user's phone would ring, not the attackers.”


PhoneFactor for Government
Dispensa said PhoneFactor enables government agencies of all sizes to secure access to their confidential data and critical systems by adding two-factor authentication to remote access VPNs; corporate email; Citrix interfaces; terminal services; single sign-on systems; RADIUS applications; and intranet sites.


Further he said PhoneFactor complies with FIPS standards and DHS directives. And with no tokens to mail and nothing for users to install, Dispensa said it’s easy and cost effective to enable PhoneFactor for all employees (even temporary or seasonal workers) and partners.


“Users love it because there's nothing extra to carry and no long, complex PINs to enter. IT loves it because it's a snap to manage.” Learn more at www.phonefactor.com.