Using mobiles for secure login – part 1

Posted on December 15, 2012


Back when I was an architect for Vodafone Group we worked on a system that would use the mobile to create a second factor for authenticating a login. In case you're wondering what that means, it's like this.

When you give your username and password, or your email and password, you are providing a single factor: just the one thing that is “secret” to you.
When you log in to a more secure system they like you to give a second factor; so, for example, a bank may well ask you to also provide a PIN code or a second word for you to remember. This is a second factor. So a thief has to know two separate things, making it much harder to break the security. But not impossible, of course.
Anyway, it would be really good if you could use a person’s mobile phone in the security loop, so that you have to have the phone to log in. This is a lot stronger security, because you have to be in possession of the device and enter a code on the phone. So now I have two secrets, and the user has to be in possession of the previously specified device.
There is a security company called RSA that provides this with a dedicated device. The device has a number on the front; this 6-digit number changes every minute. Thus when you use this token to log in you can prove you have the device, the token, in your possession by giving the number that is currently on it. A server at the back end knows which number will be on the token at any given time. We used these at Vodafone and it is a very good service, but expensive. The tokens cost, at the time, c. £50, and then they only last 2 years before they run out of numbers, and/or people lose them. So you need to be able to manage the devices, have spares, etc. It all adds up to a cost of ownership that is quite high.
So we decided that we could use SMS (I was the architect for the SMS API platform at the time), and the scheme was quite simple, yet effective.
The user would register their MSISDN (telco speak for mobile phone number) with the system. When the user has entered their password (successful or not; I'll tell you why in a mo) the system would send an SMS to the user’s phone with a code; the user enters the code into the web page and adds to the end of it their own 4-digit PIN.
The code was a single-use code that would only last for a defined period of time.
Now if the user enters the code correctly we know they have the mobile phone with that MSISDN with them, they know to enter the code, and to add their secret PIN. Now we have 3 factors to secure the login with: the username/secret password, possession of the device, and the secret PIN code.
Yes, there is a cost to the SMS of about £0.02, or tuppence if you prefer, and that does add up; however there is no token to be lost and/or regularly replaced. The user can self-serve in changing the mobile phone number to be used (or not, if you need more security).
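To make the flow concrete, here is an added illustration of the server side of the scheme described above (my own sketch, not Vodafone's code). The 6-digit code, the 5-minute expiry, PBKDF2 for storing the password and PIN, and the `send_sms` callback are all my assumptions; the post itself only says the code is single use and lasts a defined period.

```python
import hashlib, hmac, secrets, time

CODE_TTL_SECONDS = 300   # assumption: the post only says "a defined period of time"
CODE_DIGITS = 6          # assumption: the post does not give the SMS code's length

def _kdf(secret: str, salt: bytes) -> bytes:
    # Never store the password or PIN in the clear; PBKDF2 is an assumption, not the post's.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

class SmsLoginServer:
    """Hypothetical server side of the post's scheme: password, then SMS code + PIN."""
    def __init__(self, send_sms):
        self.send_sms = send_sms   # callable(msisdn, text); the demo captures it in a list
        self.users = {}            # username -> {"salt", "pw", "pin", "msisdn"}
        self.pending = {}          # username -> (code, password_ok, expires_at)

    def register(self, username, password, pin, msisdn):
        salt = secrets.token_bytes(16)
        self.users[username] = {"salt": salt, "pw": _kdf(password, salt),
                                "pin": _kdf(pin, salt), "msisdn": msisdn}

    def start_login(self, username, password, now=None):
        """Step 1: check the password but send the SMS code whether or not it was right,
        so the SMS itself never tells a caller that a guessed password was correct."""
        now = time.time() if now is None else now
        user = self.users.get(username)
        if user is None:
            return False   # no registered MSISDN to text (simplified; a real system would hide this)
        password_ok = hmac.compare_digest(_kdf(password, user["salt"]), user["pw"])
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self.pending[username] = (code, password_ok, now + CODE_TTL_SECONDS)
        self.send_sms(user["msisdn"], f"Your login code is {code}")
        return True

    def finish_login(self, username, entry, now=None):
        """Step 2: the user types the SMS code with their PIN appended, e.g. '123456' + '4321'.
        The pending code is consumed on the first attempt (single use), right or wrong."""
        now = time.time() if now is None else now
        user = self.users.get(username)
        pending = self.pending.pop(username, None)
        if user is None or pending is None:
            return False
        code, password_ok, expires_at = pending
        if now > expires_at:
            return False   # code outlived its defined period
        entered_code, entered_pin = entry[:CODE_DIGITS], entry[CODE_DIGITS:]
        code_ok = hmac.compare_digest(entered_code.encode(), code.encode())
        pin_ok = hmac.compare_digest(_kdf(entered_pin, user["salt"]), user["pin"])
        return password_ok and code_ok and pin_ok   # password, phone possession and PIN
```

Note that the password result is carried through to the second step rather than reported after step 1, which is one reason to send the SMS "successful or not".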
I still think this idea has legs.
You could use an app these days, I guess, and have the app connect back to the server to pick up the code; of course it would have to declare itself so that the back end knows it’s the correct phone/app combination. It would still work though.
In the next part we’ll look at a couple of other mobile login systems.