With more business owners and information technology managers using payments networks with smartphones and other mobile devices, Trustwave figured it was time to put up more walls of defense to keep out hackers.
The Chicago-based data security and compliance provider has upgraded its cloud-based MyIdentity software to include a smartphone password-access option as an additional layer of security for entry to a virtual private network from a remote location.
Trustwave could benefit from the timing of the software upgrade and its offering of a cloud-based network-access system, considering last spring’s security breach at EMC Corp.’s RSA Security. That incident continues to raise questions about the effectiveness of RSA SecurID tokens.
MyIdentity eliminates the need for physical or “hard” tokens because it uses “soft” or cloud-based software tokens for a single use, meaning they cannot be misplaced or lost, Brian Trzupek, Trustwave’s vice president of managed identity and digital certificate, tells ISO&Agent Weekly.
Trustwave calls MyIdentity a two-factor authentication software because it combines a company’s current network-access passwords with five different options for a second layer of authentication.
The company added MyIdentity Mobile as a smartphone option for second authentication in which the user downloads a Trustwave application that generates a one-time passcode, eliminating the need for users to guard a static password.
Other second-authentication options include a log-in alert confirmation screen sent to a mobile phone for acceptance or denial of an access request; text message codes sent to a mobile phone; a voice call-back to a landline or cell phone allowing push-button prompts for access; or creation of encrypted digital certificates.
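The article does not say which algorithm MyIdentity Mobile uses to produce its one-time passcode. The following added example (not Trustwave's code) assumes the standard soft-token approach, HOTP (RFC 4226) and its time-based variant TOTP (RFC 6238), and shows the part the article stresses: a passcode is good for a single use, so the verifier must refuse a replayed code even if it is still inside the clock-skew window. The secret is the RFC 4226 test key, used here only so the results can be checked against the published vectors.

```python
import hashlib
import hmac
import struct

# RFC 4226 test secret (20 ASCII bytes). A real deployment provisions a random,
# per-user secret during enrollment and never shares it across users.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian 8-byte counter,
    dynamically truncated to a 31-bit integer, then reduced to `digits`."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of `step`-second
    intervals since the Unix epoch, so phone and server agree without state."""
    return hotp(secret, at // step, digits)


class OtpVerifier:
    """Server-side check for a soft token.

    Accepts a code from the current time step or `skew` steps either side
    (to tolerate phone clock drift), and remembers the newest step already
    redeemed so the same code, or an older one, cannot be replayed.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, skew: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.skew = skew
        self.last_accepted_step = -1  # nothing redeemed yet

    def verify(self, code: str, at: int) -> bool:
        current = at // self.step
        for candidate in range(current - self.skew, current + self.skew + 1):
            # Single use: any step at or before the last redeemed one is dead.
            if candidate <= self.last_accepted_step:
                continue
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time compare
                self.last_accepted_step = candidate
                return True
        return False


if __name__ == "__main__":
    verifier = OtpVerifier(DEMO_SECRET)
    code = totp(DEMO_SECRET, at=59)
    print("first use:", verifier.verify(code, at=59))    # True
    print("replay:   ", verifier.verify(code, at=59))    # False, same code again
```

The replay guard is what turns a short-lived code into a single-use one: without `last_accepted_step`, a code intercepted from a phishing page could be submitted a second time within the same 30-second window and would still verify.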
MyIdentity incorporates the “trust on first use” model, meaning the merchant or network administrator would access the company network by first using their own password or authentication method, Trzupek notes.
“The authentication method a company is currently using has been ‘good enough’ to allow access, so why can’t Trustwave rely on that method to validate the user so we can then enroll them in additional levels of security?” Trzupek says. “It basically trusts the existing credentials to allow enrollment of new ones.”
The software then asks the user to choose a second authentication method from the five options, he adds.
Besides providing more security and giving the clients options for using a smartphone to obtain a password, the MyIdentity software represents a cost savings, Trzupek contends.
Costs can quickly mount for companies using physical tokens, such as the RSA SecurID tokens, which generate a one-time password for network-access authentication, Trzupek says.
Companies deal with “a lot of clumsiness and cost” associated with shipping physical tokens, then registering and providing PINs for authorized employees, establishing centralized log-in data and, at times, dealing with replacing lost or expired tokens, Trzupek suggests.
While no network can ever boast it is completely secure from unknown threats, an industry analyst suggests MyIdentity has succeeded in rolling various security methods into one offering.
“It [two-factor authentication] is a great idea that mimics what banks have been doing for some time in adding layers of defense when dealing with high-value transactions,” Julie Conroy McNelley, senior analyst and fraud expert with Boston-based Aite Group, tells ISO&Agent Weekly.
The digital certificate is a “tried-and-true method” because of its encrypted log-in process for obtaining access to a network, McNelley says.
“No method is impervious to the bad guys, but the extra layers make it more difficult,” she adds. “All of these methods will work 90% of the time, but the sophisticated fraudsters are always working to find their way in.”
If the user chooses digital certificate identification, Trustwave sends the certificate, consisting of a text file with random numbers, which the user must send back with an assigned user name and password for authentication and network access.
The seemingly low-tech authentication option involving a voice call-back to a phone landline is useful to some corporations with secure data centers in underground facilities that lack cell-phone or Wi-Fi connectivity, Trzupek says.
The variety of authentication methods means the user is not locked into the same method and can make a choice at the time of access, Trzupek notes.
“MyIdentity definitely helps online merchants, but many brick-and-mortar organizations have an online presence or cloud-based payments systems, so it fits for both,” Trzupek suggests.
Trustwave offers free trials of MyIdentity to prospects, Trzupek says. Pricing is based on the number of users. The Trustwave website lists the cost for a business with 50 users at $3,628 a year, but offers discounts for corporations with 250 or more users.