November 2002
World Exclusive
RSA Mobile

Version 1.0
by Jayne Parkhouse

Two-factor authentication is nothing new and RSA Security have been extolling its virtues for quite some time with the RSA SecurID token. However, some users dislike anything that burdens them, and having to remember even a token that sits on your key ring can be a pain, especially when it’s simply something else to carry. The cost incurred on lost or broken tokens has also been an issue for companies that deploy authentication in this manner. Administrators have had the added task of re-issuing and enrolling user tokens for numerous employees year-in and year-out.

So what’s new? RSA has developed a new platform and solution for two-factor authentication that requires no specially deployed tokens, but which relies on one particular aspect of modern technology that everyone seems to carry as a must-have commodity: the mobile phone. Since there are few business professionals who do not already own or use a mobile phone maybe it was just a matter of time before an alternative way was found to rid the user and their company of the necessity for a separate token. RSA Mobile has done exactly that, utilising something the user already has and integrating it into a security authentication method: two-factor authentication; something you have and something you know.

The methodology is simple. Where a company needs to deploy security to allow users to authenticate on, say, the corporate web site, the user inputs their password and personal ID. The user is then sent a one-time access code via their mobile phone, to complete the authentication process. This negates the requirement for any specially deployed tokens and provides a secure authentication model that exploits an everyday item that users already carry. For those who do not have a mobile phone or who would rather use a different form of one-time access code retrieval, RSA Mobile can be mobilised with a PDA, certain pagers, BlackBerry or any other device that allows SMS messaging or email.

RSA Mobile can be deployed in-house or through a managed service provider. Internal deployment isn’t rocket science for the company with trained staff and the installation is well documented to ensure that it is accomplished with ease. The CD set comprised two installation CDs and the usual licence information, but you also get a 90-day evaluation copy of iPlanet 5.0 Directory Server. This will be useful for any organisation that doesn’t already utilise an LDAP directory.

The documentation is very well written and provides answers to most of the questions you will have when planning your installation and deployment. Support and technical information is also available online, but with the PDF documentation you should have no problem getting to grips with this new solution.
The installation requires that an LDAP directory, where your user information will be stored, be in place and configured before you install the authentication software. You can use a different machine for your authentication server and LDAP directory if, like us, you use the iPlanet software, as you may import your information using the iPlanet administration console. RSA Mobile is also compatible with Sun ONE Directory Server and Microsoft Active Directory.


Having provided the licences and configured your start-up services on the authentication server host, you’ll need to configure host protection and add the web plug-in, but all in all, the steps are logical. Single sign-on can also be used for companies who would otherwise need multiple domain password authentication. Other options for implementation include wireless modem, email, direct telco connection or through an SMS gateway managed service.

Once you have your new authentication software in place your users will need to be informed of its potential uses and how to instigate a session on the protected site. They’ll need information on securing their one-time passwords and what to do if any problems are encountered. The RSA Mobile User’s Guide provides this information in a four-page document that will enable them to authenticate even when their mobile network coverage is poor or non-existent, allowing them to retrieve a temporary password from the help desk when necessary.


The one-time passwords delivered to a mobile take just seconds to arrive once the user has actually input the password and user ID, but expire within two minutes if not used. You can, however, configure this time if you want to reduce it. This ensures that although the message sent may remain in memory, it cannot be reused or manipulated by anyone else using the mobile phone. Of course, users could store their user ID and passwords on the device which will receive the one-time password. This would be foolhardy, therefore all users should be warned against this practice, which is not an RSA Mobile weakness but one that may be attributed to the end-user.
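The two-step flow described above (password and user ID first, then a one-time code sent to the phone that is single-use and expires within two minutes) can be sketched as follows. This is an added illustration written for this review, not RSA Mobile’s own code; the class, the delivery callback and the two-minute default are assumptions, and the user store is a constructed stand-in for an LDAP directory.

```python
import hmac
import secrets
import string
import time
from dataclasses import dataclass

# Assumed defaults: the review states codes expire within two minutes and that
# the window can be shortened; six-digit codes are a constructed choice.
CODE_TTL_SECONDS = 120
CODE_LENGTH = 6


@dataclass
class PendingCode:
    code: str
    issued_at: float


class MobileAuthenticator:
    """Illustrative password-plus-SMS two-factor flow (not RSA's implementation)."""

    def __init__(self, users, send_message, ttl=CODE_TTL_SECONDS, clock=time.time):
        # users: {user_id: (password, mobile_number)}; a real deployment would
        # hold salted password hashes in the directory, not clear text.
        self._users = users
        self._send_message = send_message  # SMS gateway, email, pager, etc.
        self._ttl = ttl
        self._clock = clock
        self._pending = {}

    def begin(self, user_id, password):
        """Step 1: check 'something you know', then send a code to 'something you have'."""
        record = self._users.get(user_id)
        if record is None or not hmac.compare_digest(record[0].encode(), password.encode()):
            return False
        code = "".join(secrets.choice(string.digits) for _ in range(CODE_LENGTH))
        self._pending[user_id] = PendingCode(code, self._clock())
        self._send_message(record[1], f"Your one-time access code is {code}")
        return True

    def complete(self, user_id, code):
        """Step 2: accept the code once only and only inside the expiry window."""
        pending = self._pending.pop(user_id, None)  # pop: any attempt consumes the code
        if pending is None:
            return False
        if self._clock() - pending.issued_at > self._ttl:
            return False  # expired: the user must restart from step 1
        return hmac.compare_digest(pending.code.encode(), code.encode())
```

Because the pending code is removed on first use, a message left in the phone’s memory cannot be replayed, which is the property the review describes.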

CONTACT DETAILS
RSA Mobile
Version 1.0

Supplier: RSA Security
Price: $6 per user per year
(3-yr subscription, 100,000 users;
no SMS charges included)

Copyright © West Coast Publishing. All rights reserved.