Tokenless authentication puts a stop to PRISM
Date: Oct 10, 2013
Guest post: SecurEnvoy.
Security company RSA, the developer of two-factor authentication with RSA SecurID tokens, recently issued a warning about its own software. The random number generator built into the BSAFE SDK had possibly been manipulated by the NSA, creator of the much discussed PRISM surveillance program.
In contrast, the two-factor authentication solution from SecurEnvoy can block the NSA. The SecurEnvoy solution does not require dedicated tokens and instead uses mobile devices such as smartphones, tablets, etc., to receive passcodes. And the required cryptographic keys – so-called seeds – are not generated or stored at any point in time by SecurEnvoy.
A seed, or a seed record, is a symmetric key that the hardware authenticator and the authentication server share with each other. The seed is composed of two parts, the first of which is generated by the local authentication server. This part is sent, encrypted, as a QR code to the user’s mobile device. Using this information, the device creates the second seed part and sends an 8-digit code, also encrypted, back to the server. This means, uniquely, that the seed record generated by the customer is split into two parts, neither of which can be compromised in isolation. During the process, this seed data is not visible and is not stored on the server at any point in time. The mobile device thus has a unique “fingerprint” with which the sender can be unambiguously identified. When a new passcode is created, the second seed part is also regenerated.
A unique feature of the SecurEnvoy approach is the flexibility of the authentication methods available. The user can choose between using SMS, e-mail, soft token app for smartphones and tablets or – new in the latest Version 7 – voice call via landline or mobile phone connections. For the SMS and e-mail options, there are also four subcategories available: preloaded codes, on demand, messages containing three codes and periodically-sent codes. Therefore the user is not dependent on certain devices being available. Nor is it necessary to have an Internet connection or mobile phone reception.
This range of options is now being expanded with the addition of new “One Swipe” technology: after entering a PIN, the user scans a one-time valid QR code using a webcam on their computer or laptop. This enables unambiguous identification even when there is no network connection available.
“Our encryption and seed generation provide complete security for users,” explains Andy Kemshall, Technical Director at SecurEnvoy. “We also guarantee that we, the developers of the solution, can at no point view or manipulate the generated seeds. So all SecurEnvoy users can enjoy security and anonymity, as well as flexibility in terms of the authentication method used.”