Trustwave Pushes Two-Factor Authentication via Smartphones

As more banks allow smartphones to remotely access sensitive systems, they may need to beef up their security for handhelds.

To this end, Trustwave, a data security and compliance provider based in Chicago, has upgraded its cloud-based MyIdentity software to include a smartphone password-access option for those connecting to a virtual private network from a remote location.

MyIdentity eliminates the need for physical or "hard" tokens because it uses software, which cannot be misplaced or lost, says Brian Trzupek, Trustwave's vice president of managed identity and digital certificate.

Trustwave considers MyIdentity to be two-factor authentication because it combines a company's network-access passwords with any of five different options for a second layer of authentication.

The MyIdentity Mobile option generates a one-time passcode, eliminating the need for users to guard a static password.

Other second-authentication options include a log-in alert confirmation screen sent to a mobile phone for acceptance or denial of an access request; text-message codes sent to a mobile phone; a voice call-back to a landline or cell phone allowing push-button prompts for access; or creation of encrypted digital certificates.

MyIdentity incorporates the "trust on first use" model, meaning the merchant or network administrator would access the company network by first using their own password or authentication method, Trzupek says.

"The authentication method a company is currently using has been 'good enough' to allow access, so why can't Trustwave rely on that method to validate the user so we can then enroll them in additional levels of security?" Trzupek says. "It basically trusts the existing credentials to allow enrollment of new ones."

The software then asks the user to choose a second authentication method from the five options, he says.

Costs can quickly mount for companies using the traditional method of physical tokens, Trzupek says.

Companies deal with "a lot of clumsiness and cost" associated with shipping physical tokens, then registering and providing PINs for authorized employees, establishing centralized log-in data and, at times, dealing with replacing lost or expired tokens, Trzupek says.

While no network can ever boast it is completely secure from unknown threats, an industry analyst says MyIdentity has succeeded in rolling several security methods into one offering.

"It [two-factor authentication] is a great idea that mimics what banks have been doing for some time in adding layers of defense when dealing with high-value transactions," says Julie Conroy McNelley, senior analyst and fraud expert with Boston-based Aite Group.

The digital certificate is a "tried-and-true method" because of its encryption log-in process to obtain access to a network, McNelley says.

"No method is impervious to the bad guys, but the extra layers make it more difficult," she says. "All of these methods will work 90% of the time, but the sophisticated fraudsters are always working to find their way in."

If the user chooses the digital certificate identification process, Trustwave sends the certificate, consisting of a text file with random numbers, that the user must send back with an assigned user name and password for authentication and network access.

The seemingly low-tech authentication option involving a voice call-back to a phone landline is useful to some corporations with secure data centers in underground facilities that lack cell-phone or wireless Internet connectivity, Trzupek says.
