PhoneFactor, an authentication system that uses mobile phones as a second factor for improved security, is now available as an app for Apple's iPhone and iPad.
When users log in to an enterprise application or perform an online transaction on a PC, PhoneFactor requires them to respond to a prompt sent to their mobile phone. The system has already been available with voice calls or text messages for the prompt, and now it can be used with a native app on the phone. The version for iOS 4 and iOS 5 is available now, and an Android version is coming soon, according to the company.
PhoneFactor is designed to take the place of a traditional two-factor authentication system, such as the SecurID hardware tokens sold by RSA, which display one-time passwords for users to enter on the PC. Because people can use their cell phones instead of a dedicated device, PhoneFactor is less expensive and easier to deploy and manage, according to Sarah Fender, PhoneFactor's vice president of marketing and product management. A PhoneFactor software license typically costs enterprises between US$10 and $25 per user, per year, she said. The iOS app to use with it is free.
As the company demonstrated in a video, when a user enters a password to make an online transaction on a PC, the PhoneFactor app causes a notification box to pop up on the person's iPhone or iPad. The person must then tap on an authentication button in that box to complete the log-in process.
The process requires at least two factors to authenticate a user: the user name and password requested on the PC, and the user's phone with the working app. An administrator can set up one more layer of security by making the user type a PIN (personal identification number) into the notification box before being able to press the authentication button.
If someone other than the authorized user tries to complete a login on the PC, the iOS app can notify the legitimate user and the IT department. Then actions can be taken to secure the user's account.
While employers can use PhoneFactor to help secure access to applications and resources such as VPNs and Microsoft Exchange accounts, merchants can use it to authenticate banking and other transactions online, Fender said. A consumer who downloads the new iOS app for one purpose can use the same app for other needs. IT administrators determine the settings for how it works in each case.
PhoneFactor says its system can work with any enterprise or Web application, including apps on the iPhone or iPad where the PhoneFactor app resides. The notification would pop up on the phone when the user tried to log in on the other app, Fender said.
The system can synchronize with Active Directory and LDAP servers to ease enrollment and user management. It can also conduct audits and send reports about activity on each user's account.