Canadian Security Magazine

CryptoCard turns BlackBerry into software token for two-factor authentication

Regulators in the U.S. financial services sector, along with HIPAA and Sarbanes-Oxley compliance requirements, are strongly pushing the use of two-factor authentication. And this is starting to have a trickle-down effect here in Canada.



August 16, 2006
By Vawn Himmelsbach


Two-factor authentication combines something the user knows, a personal
password, with something the user has: a one-time password generated by a
token (typically a hardware token that can be attached to a key chain).
Users type both passwords into their laptop in order to access the
corporate network while on the road. Once a one-time password has been
used it is no longer valid, so an attacker who captures it cannot replay it.

But hardware tokens are expensive and easy to
lose. The latest idea is to create a software token on a device the
user is already carrying, such as a handheld PC or cellphone. The
one-time password is then generated on, or delivered to, that device
rather than a separate gadget, eliminating the need to carry around a
hardware token.

Ottawa-based
CryptoCard has announced that it plans to release a software token for
BlackBerry handsets from Research In Motion. It is due out in the next
release of its software, version 6.4, expected in two to three weeks.

The
software token will allow remote users logging into the corporate
network over a virtual private network to use their BlackBerry to
generate a one-time password. The company says that combining the
one-time password with a user's own password will make it easier for
users to positively authenticate themselves to the corporate network. And this
will work within a heterogeneous environment, including Microsoft,
Apple and Linux platforms.


“It’s easy to use, to the point [where] my
grandmother can use it,” said Jason Hart, CEO of CryptoCard. Hart
worked as an ethical hacker at a consulting firm for six years, and
every time he ethically hacked into an organization, he would get in
via a static password.

“Ninety-nine per cent of passwords are
unique to an individual,” he said. “I would search you on Google, find
out your interests and hobbies — very quickly I gain a profile of you
as an individual and the majority of the time that password is linked
to a hobby or family name.” And, 99.9 per cent of the time people will
re-use the same password.

As a result, two-factor authentication
is becoming an important security tool: a stolen or guessed static
password is no longer enough on its own to log in. And because the
static password is no longer the only line of defence, users can be spared
memorizing a collection of complex passwords, which could reduce help-desk
costs associated with resetting forgotten ones.

There's another cost incentive: A
hardware token costs more than $65, while the software-based token will
cost less than half that price (though pricing has not been finalized
at this point). And organizations don't have to buy a replacement if an
employee loses their device, as they would with a lost hardware token.

CryptoCard
is also offering this as a managed authentication service, where users
would subscribe to the service in order to receive one-time passwords
through their BlackBerry.

The company is aiming this technology
at anyone who owns a BlackBerry, though it will likely find early
adopters in the financial services and government sectors.

“I
believe that financial institutions in the U.S. will undoubtedly go
that way,” said Joe Greene, vice-president of IT security research with
Toronto-based IDC Canada. “It’s another layer of security that is
required and will increasingly become required as hackers and others
get more sophisticated.”

And this will likely lead to a
spill-over effect in Canada where, in time, financial services
companies in this country may move to adopt two-factor authentication.

It
is also likely that more vendors will introduce products that will turn
other handheld devices and cellphones into software tokens. The market
at this point in time is fairly small in Canada, said Greene, but over
time two-factor authentication will catch on.

Governments are looking at this technology, as they start to offer more
services online, as well as any vertical dealing with the public on a
regular basis or offering online banking, such as financial
institutions, telcos and hydro companies.

RIM would not comment on the release at this time.

