If you’re like me, every morning at an ungodly hour, you log on to several web sites and access your particulars and start your day. The process of logging on, for me, has all sorts of fault lines running through it, but the most intriguing lately is where I type out the user name and my hands simply forget the password. I know it’s my hands that forget because, at that hour, my brain is simply not willing to try. My brain can’t get past whether or not I want milk for my coffee, at the five o’clock hour; my hands are more in control, and, if they can’t recall a particular password, I have to go on a hunt and search the little places I chose to hide them. Sometimes I can go back in and start all over again, and my hands find the patterns, the rhythm, and miraculously complete the task. Sometimes my hands are just stupid.
However, if you’re like most folks working for a company where data is smartly protected, you have the proverbial ‘token necklace’ which is apparently strangling the corporate matrix. A press release by PhoneFactor, a Kansas City tech company, quotes a survey and offers their angle on one way to rid the world of those trashy fetishes: "By requiring users to verify identity through their cell phones (something that more than half of survey respondents would prefer over tokens), secure information is virtually impossible to hack and platform adoption is simpler and less expensive to the company." Everyone agrees that the words "virtually impossible to hack" are seldom seen these days because few want to tempt the hands of the hungry hackers.
According to visionary, XML grrl, Eve Maler, "It’s one less thing to carry, usually on your person, and does strengthen the authentication. There are various ways to use a phone for additional factors: letting it generate a time-based token (which is what I believe VRSN does), sending an out-of-band SMS message to the user and having them respond or use the PIN gotten thereby in the in-band login process, etc… I’m generally in favor of this trend — because I’m starting to have the "token necklace" problem myself!"
Burton analyst and blogger Mark Diodati reminds us that "Software OTP generators for PDAs and mobile phones have been available for at least a decade," and "The earliest deployments were unsuccessful." Though, like most analysts, he sees growth in using the telephony component to ease the frustrations and the wasted time. Oh, the wasted time; I wish some student would send us a model of how much time is now spent globally just logging in and logging out.
Diodati goes through the recent announcement on Enabling the VeriSign® Identity Protection Authentication Service to Support RSA SecurID® OTP Credentials in his fine paper titled "More, More, More," concluding that, "Because VeriSign can bundle SecurID into its managed service, I believe it got the better part of the deal." For cloud applications, Diodati’s choice is "the software token installed on the user’s mobile phone."
And as we suspected, the Burton analyst concludes that more devices "present new challenges for the enterprise … an example of enterprise requirements exceeding current product capabilities."
Nevertheless, the consumerization of the enterprise rears its head again, only this time it makes a lot of sense to this writer. Seems the more we try to bring telephony and IT together, the more reasons we find to keep them discrete and separate.