Two-Factor Authentication Goes Mobile
First Edition September 2012
Goode Intelligence
All Rights Reserved

Published by:
Goode Intelligence
26 Dover Street
London
W1S 4LY
United Kingdom
Tel: +44.20.33564886
Fax: +44.20.33564886
www.goodeintelligence.com
info@goodeintelligence.com

Whilst information, advice or comment is believed to be correct at time of publication, the publisher cannot accept any responsibility for its completeness or accuracy. Accordingly, the publisher, author, or distributor shall not be liable to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by what is contained in or left out of this publication.

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electrical, mechanical, photocopying and recording without the written permission of Goode Intelligence.
CONTENTS

It's all about user choice! Self-management the key to 2FA lifecycle management
More mobile phones than people: every phone can support tokenless 2FA
Tokenless Mobile 2FA Market Activity: Increasing sales erode hardware token market
Summary
The mobile phone has become the de-facto device for business and leisure and is in the hands of the majority of the world's population. Mobile phones have become the dominant computing platform for every part of our daily lives including communication (including business email), social networking, gaming, media consumption, navigation and even payment with the advent of Near Field Communications (NFC) technology. The mobile phone is the ultimate disruptive technology and authentication is not immune from its influence.

Goode Intelligence White Paper: Goode Intelligence's white papers offer analyst insight from research extracted from primary sources including surveys, analyst reports, interviews and conferences.

MARKET ANALYSIS: THE MOBILE PHONE AS ULTIMATE TOKENLESS AUTHENTICATOR
1 Taken from mSecurity Survey 2011 Report premium edition, published by Goode Intelligence April 2012: http://www.goodeintelligence.com/report-store/view/gi-msecurity-2011-survey-report-premium-edition
2 Goode Intelligence primary research
3 Taken from The mobile phone as an authentication device 2010-2014. Published by Goode Intelligence, November 2009: http://www.goodeintelligence.com/report-store/view/the-mobile-phone-as-an-authentication-device
- The choice for an employee to bring in their own personal device to the workplace and use it for business purposes; where device can mean smart phone, tablet computer, netbook, laptop or MacBook.
- The choice to share information with friends and colleagues using agile cloud-based services such as Dropbox and Box.
- The choice to communicate with friends and colleagues using social network tools such as Facebook, Twitter and LinkedIn.
Will bring your own device (BYOD) turn into bring your own token (BYOT)? Over two-thirds of organisations now support BYOD and many are using tools such as Mobile Device Management (MDM)4 to enforce security policy. These employee-owned devices are also being utilised as authenticators; soft tokens running as mobile apps

Bring your own token (BYOT)
Are we able to put the user in control whilst at the same time ensuring that information security policy is met? GI firmly believes that the two can coexist for 2FA solutions by:
1. Choosing an authentication technology partner that puts the user in control but also allows authentication security policy to be met
2. Allowing administrators to create the technology framework to support choice
3. Allowing the end user to choose their preferred authentication device
4. Supporting any mobile phone, not just smart phones that can run mobile apps
5. Allowing the user to swap seamlessly between mobile phones without incurring additional license cost
It is forecast that shortly there will be more mobile devices than people on this planet
(forecast for just over seven billion people in 2012)5. Ericsson, the mobile network
technology vendor, forecasts that by 2017 there will be nine billion mobile phone
subscriptions.6
Forecasts for 2011 indicated that there were around six billion mobile phone subscribers
around the world with predictions that this figure would rise by 500 million, to a total of 6.5
billion, by the close of 2012.7
Late delivery of an OTP contained in an SMS text message can be problematic for a time-critical login and can mean no access to critical enterprise resources. To overcome this, tokenless 2FA vendor SecurEnvoy has developed a patented pre-loading feature whereby the problem of poor mobile phone network coverage is removed by the ability to pre-load OTPs.

5 United Nations world population figures
6 Ericsson: http://mobithinking.com/mobile-marketing-tools/latest-mobile-stats/a#subscribers Please note that this forecast is for subscriptions. One mobile phone subscriber can have multiple mobile phone subscriptions.
7 http://mobithinking.com/mobile-marketing-tools/latest-mobile-stats/a#subscribers

Pre-loaded one time codes are an innovation from SecurEnvoy that gets over the problem of guaranteeing the receipt of SMS text messages. There are situations, e.g. peak times for SMS traffic or when a mobile phone user is outside of network coverage, when an SMS text message cannot be delivered to a user in a timely manner. This can be critical if you are using SMS to deliver an OTP for remote network access. By pre-loading one time authentication codes each time a user initiates a logon session (three codes are sent with each SMS text message), this issue is resolved.
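The server-side bookkeeping that a pre-loading scheme needs is easy to get wrong (replay of a used code, codes that never expire, no attempt limit), so the following is an added illustration of the idea described above. It is not SecurEnvoy's implementation and is not taken from the white paper; only the "three codes per SMS" figure comes from the page. The code length, the one-day lifetime, the pool cap of two batches, the lockout threshold and the send_sms callback are all assumptions. Each user holds a small pool of pre-issued codes, a login consumes exactly one of them, and a fresh batch is sent after every successful login so that network coverage at the moment of the next login does not matter.

```python
import hashlib
import hmac
import secrets
import time
from collections import deque

# From the page: three codes per SMS. Everything below this line is assumed.
CODES_PER_SMS = 3
CODE_DIGITS = 6                    # assumed code length
CODE_TTL_SECONDS = 24 * 60 * 60    # assumed lifetime of a pre-loaded code
MAX_POOL = 2 * CODES_PER_SMS       # assumed cap: never more than two batches live
MAX_FAILED_ATTEMPTS = 5            # assumed lockout threshold per user


def _digest(code: str) -> bytes:
    # Only a hash of each code is stored, so a leaked table does not expose live OTPs.
    return hashlib.sha256(code.encode("ascii")).digest()


class PreloadedOtpStore:
    """Hypothetical server-side pool of pre-issued one-time codes, one pool per user."""

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms   # callable(user_id, message_text); assumed SMS gateway
        self._clock = clock         # injectable clock so expiry can be tested offline
        self._pool = {}             # user_id -> deque of (digest, issued_at)
        self._failures = {}         # user_id -> consecutive failed attempts

    def _issue_batch(self, user_id):
        issued_at = self._clock()
        codes = [f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
                 for _ in range(CODES_PER_SMS)]
        pool = self._pool.setdefault(user_id, deque())
        for code in codes:
            pool.append((_digest(code), issued_at))
        while len(pool) > MAX_POOL:   # drop the oldest codes once the cap is exceeded
            pool.popleft()
        self._send_sms(user_id, "Your next login codes: " + " ".join(codes))

    def _purge_expired(self, user_id):
        cutoff = self._clock() - CODE_TTL_SECONDS
        pool = self._pool.get(user_id, deque())
        self._pool[user_id] = deque(entry for entry in pool if entry[1] > cutoff)

    def enrol(self, user_id):
        """Start a user with an empty pool and send the first batch."""
        self._pool[user_id] = deque()
        self._failures[user_id] = 0
        self._issue_batch(user_id)

    def unused_codes(self, user_id):
        """Number of live (unused, unexpired) codes the user currently holds."""
        self._purge_expired(user_id)
        return len(self._pool.get(user_id, ()))

    def verify(self, user_id, submitted):
        """Consume one pre-loaded code; on success, top the pool up with a new SMS batch."""
        if self._failures.get(user_id, 0) >= MAX_FAILED_ATTEMPTS:
            return False                      # locked out: too many bad guesses
        self._purge_expired(user_id)
        pool = self._pool.get(user_id, deque())
        candidate = _digest(submitted)
        match_index = None
        for index, (stored, _issued_at) in enumerate(pool):
            # Compare every entry so timing does not reveal where a match sits in the pool.
            if hmac.compare_digest(stored, candidate) and match_index is None:
                match_index = index
        if match_index is None:
            self._failures[user_id] = self._failures.get(user_id, 0) + 1
            return False
        del pool[match_index]                 # single use: a replayed code is rejected
        self._failures[user_id] = 0
        self._issue_batch(user_id)            # pre-load codes for the next login now
        return True
```

The two properties worth checking in any real product are the ones the test below exercises: a code cannot be used twice, and codes that were sent long ago stop working even if the phone still displays them.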
Innovate or fail!
There are many examples in the history of information technology where market-dominant technology vendors have seen a steep decline in fortunes as a result of a failure to keep innovating. The IT and telecommunications graveyard is full of organisations that, instead of keeping innovation central to their strategy, have relied on technology that may have been disruptive and innovative in a previous IT age. The current problems that technology vendors such as Research In Motion (RIM) and Nokia are facing testify that companies must strive to innovate and successfully get that innovation to market.
The mantra of innovate or fail is as true in the world of information security and
authentication as it is with other areas of IT and telecommunications. One authentication
vendor that views innovation as key to its success is SecurEnvoy.
Future product releases will build on this strong track record in innovation and will include solutions that use one time codes to session-lock the voice network to the browser's current network connection for phone call-based authentication.
We are witnessing diverse and fundamental changes in how enterprise IT is accessed and
consumed. A combination of smarter connected consumer devices and cloud-based
enterprise services is leading to a revolution in how employees access enterprise IT
resources.
Company-issued laptop computers have been the de-facto endpoint computer device for
accessing enterprise IT resources when away from the office. Laptop computers are
equipped with serial and USB ports that allow devices, such as smart card readers and USB
memory sticks, to be easily attached and used. Smart cards and USB-based authenticators
have been methods in which 2FA has been supported. However, as falling laptop sales
testify, the laptop is losing its grip on being the prime enterprise mobile computing device.
In recent years the trend has been to complement, and even replace, enterprise laptop use
with a new breed of smart connected devices. Commonly these new smart mobile devices
(SMDs) are smart phones and tablet computers running mobile operating systems.
Additionally, the enterprise is being extended out to a new range of connected intelligent consumer devices that offer similar levels of functionality to smart phones and tablet computers. It is feasible that access to enterprise resources could well be pushed out to Smart TVs, games consoles and other touch-screen consumer devices.
These are consumer devices and, in the main, do not offer the same levels of local connectivity that a laptop computer does. If an organisation has adopted a hardware-based 2FA solution that requires either a physical connection, a certificate or pre-installed software on an enterprise-owned device, then this investment would be redundant in this new age.

As a result of this change, organisations should embrace 2FA technology solutions that have a zero footprint at the point of authentication, thus accommodating the existing connection points on any present or future device. This approach is more in tune with the changing nature of enterprise IT. Goode Intelligence believes that tokenless mobile 2FA currently offers the best solution to provide strong authentication for the new breed of remote enterprise workers.
Historically, each of the three businesses was run independently, including its IT infrastructure services. To streamline its operation, Invensys introduced a global IT infrastructure division with a remit of developing shared IT services across all three of the business units. This included remote access services with a vision of creating a single solution to support employees accessing Invensys IT resources remotely. Naturally, user authentication is a vital part of this shared infrastructure.
problems; despite being run as an outsourced service Invensys Rail found it to be time
consuming and costly to operate. One key issue was availability of the hardware token when
end-users really needed it. Users were often without their tokens when they were required to
connect to the Invensys Rail IT network remotely.
A decision was made to replace the hardware token solution with the key project drivers
being:
1. To reduce the cost of the current hardware token 2FA solution; calculated as $8 per
person per month for hardware token.
2. To reduce the time it took to deliver 2FA credentials to users; calculated as taking
around ten days.
The task was given to David van Rooyen, principal solutions architect, responsible for Invensys' telecommunication-based infrastructure strategy. After developing the requirements and evaluating the technology available, Van Rooyen decided to deploy a mobile phone-based 2FA solution provided by SecurEnvoy, SecurAccess. Van Rooyen outlined how the SecurEnvoy solution fulfilled Invensys' requirements for an agile, cost-effective 2FA solution: "Provisioning a physical token for one of our users takes around ten days compared with five minutes provisioning a soft token, so the man hours are vastly reduced as well as the costs of shipping them out. I've completed a full business analysis and found that $8 per person per month is what it was costing for a physical token versus $2 per person per month for a soft token. When you replicate that across 15-20,000 users, the savings are in the millions."
Table 1: Key benefits: Hardware token vs. Tokenless - Cost reduction and Time saving
Goode Intelligence is a leading authority in mobile security and has been covering the
mobile phone-based authentication market since 2009 when it first published its report The
mobile phone as an authentication device. Since that report was published GI has noticed
the steady rise in the adoption of mobile phone-based authentication solutions.
[Figure 2: The percentage of organisations that have adopted the mobile phone as an authentication device 2009-2011. Chart: years 2009, 2010, 2011 on the horizontal axis; values shown 0%, 22%, 35%.]
In 2010, data harvested from end-users and technology vendors, suggested that around five
percent of global 2FA sales were mobile-based. A follow-up study in 2012 discovered that
this figure was now over 20 percent. A forecast, made by GI in 2009, suggested that by the
end of 2014, 64 percent of 2FA sales will be mobile.8
8 Taken from The mobile phone as an authentication device 2010-2014. Published by Goode Intelligence, November 2009
SUMMARY
Mobile phones offer organisations that are evaluating their end-user authentication strategy
a realistic alternative to both single-factor, userid/password, and hardware-based (single-
user devices) two-factor authentication solutions.
This white paper has explored how mobile 2FA is meeting the needs of modern IT functions
that require agile, cost-effective and easy to deploy/manage two-factor authentication
solutions.
The market for mobile 2FA will continue to grow and it is on course to become the dominant
force in two-factor authentication.
End-users who are reviewing their authentication strategy must seriously consider mobile
2FA as a viable solution.
End-users should ask potential authentication partners these important questions when evaluating a suitable 2FA technology solution:
- Does the solution offer an end-user choice in what mobile phone they can use for 2FA purposes?
- Can the end-user make these choices through a self-management function?
- Does the mobile 2FA solution work on any phone, in any region and at any time?
- If the solution is SMS-based, how is the problem of delayed SMS delivery and poor network coverage resolved?
- How easy is it to re-provision an end-user when that user changes their mobile phone and is there any additional cost involved in this process?
- What track record does the potential technology partner have for innovation and will innovation continue to be important for future product releases?

Should allow 2FA on any device, allowing zero footprint at the point of login
- Mobile Phone Biometric Security Analysis and Forecasts 2011-2015 (Published June 2011)
- Mobile Financial Services (MFS) Series - Insight Report: Mobile Banking Security (Planned publication October 2012)
- Smart Mobile Identity: the next wave of mobile identity and authentication solutions (Planned publication December 2012)
For more information on this or any other research please visit www.goodeintelligence.com.
Since being founded by Alan Goode in 2009, Goode Intelligence has built up a strong
reputation for providing quality research and consultancy services in mobile security. This
document is the copyright of Goode Intelligence and may not be reproduced, distributed,
archived, or transmitted in any form or by any means without prior written consent by Goode
Intelligence.