Financial institutions face a daunting challenge. On the one hand, they're fat targets for the criminals who send out huge numbers of phishing email messages. On the other hand, they need to maintain a credible online presence. My local bank, Fifth Third Bank, (and yes, that's really the name!) has a solution: For some types of transactions, the bank's website displays a code on screen, then a separate process calls the phone number associated with your account. You enter the code on the phone as an additional authenticator. This process is a simple, elegant way to add a second authentication factor to the traditional username and password credentials we've all gotten used to.
My bank's systems was the first live example of phone-based authorization I'd run into. I'm not sure what system my bank uses, but a company called Positive Networks has introduced a program called PhoneFactor that lets you add telephone-based authentication to a broad variety of applications—including Outlook Web Access (OWA). I had an interesting telephone conversation with Steve Dispensa, Positive Networks' CTO, and Evan Conway, the company's executive vice president of communications. Here's what I found out.
First, it's no surprise that PhoneFactor supports OWA. "OWA is the number one app that we use PhoneFactor with," said Dispensa. "The predominant email infrastructure that we see in corporations is Exchange." The PhoneFactor agent for OWA is an Internet Server API (ISAPI) extension, so it works with both Exchange Server 2003 and Exchange Server 2007 as well as Small Business Server 2003.
You download PhoneFactor and install it on the Exchange server that provides OWA. The PhoneFactor agent watches the submit operations made to OWA, whether you’re using forms-based authentication or integrated Windows authentication. The authentication request is trapped by the agent, which knows the variable names used as part of the submission. The agent passes the authentication request on to Microsoft IIS for action; if the user's credentials aren't valid, IIS authentication fails and the process stops there.
If the credentials are valid, the PhoneFactor ISAPI extension makes a remote procedure call (RPC) to the PhoneFactor agent, which in turn makes a web services request to Positive Networks' servers. The company's servers then place a call to you; you need to respond by pressing # on the phone's keypad to complete authentication. The results of the second authentication challenge are returned to the ISAPI extension, which then either allows or denies access to OWA. This procedure gives you a simple version of two-factor authentication: the first factor is the username and password, the second is the phone-based authentication. To use this functionality, you must register user phone numbers through the PhoneFactor agent. In addition to OWA, PhoneFactor has extensions that work with Terminal Services and other applications.
PhoneFactor itself is free to download and use. How does Positive Networks make a profit? Simple: They sell more advanced versions of the product, which include failover, load balancing, support for branding and customization, and the ability to make users enter a PIN on their phone instead of pressing a single key to answer the challenge. These premium modules add full Active Directory (AD) integration and a better interface for provisioning user phone numbers. Positive Networks has some interesting plans in their roadmap, particularly the ability to automatically enroll users in PhoneFactor when their accounts are created in AD.
If you don't already have two-factor authentication—and the sad fact is that most organizations don't—this product could be a cost-effective way for you to add it, with no tokens or extra hardware required. If you already have two-factor authentication, PhoneFactor could still be a reasonable extension to your authentication model.