Many of us use Two Factor Authentication (2FA) mechanisms to login and provide our identity to important IT systems such as the company’s remote access or VPN, or our own personal bank accounts.

2FA relies on the notion that to establish your identity you need to provide proof of the possession of something unique to you, typically a physical token, and knowledge of something only you should know, i.e. a password or pass-phrase.

The OATH style of One Time Password authenticator uses this strategy by embedding a unique key or “seed value” within a cryptographic engine which, combined in some way with a PIN or pass-phrase, generates a one time password (OTP). The identity provider regenerates the OTP from the same seed and compares the two values to establish their validity.
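As an added illustration of the seed-based scheme (not code from the original article or from Ecommnet), the following Python implements the OATH HOTP algorithm (RFC 4226) and its time-based variant TOTP (RFC 6238), with a server-side check that verifies the PIN separately from the OTP and tolerates one step of clock drift. The secret and PIN below are the RFC test vector and a constructed value, not a real deployment's.

```python
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 reference secret (ASCII "12345678901234567890"), used here as sample input
SAMPLE_SEED = b"12345678901234567890"
SAMPLE_PIN = "4321"  # constructed example PIN, checked separately from the OTP


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 of the big-endian 8-byte counter, dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte picks a window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter replaced by the number of elapsed time steps."""
    return hotp(seed, unix_time // step, digits)


def verify_totp_login(seed: bytes, pin: str, submitted_pin: str, submitted_otp: str,
                      unix_time: int, step: int = 30, drift_steps: int = 1) -> bool:
    """Identity-provider side: both the PIN and a current (or adjacent-step) OTP must match.
    Comparisons are constant-time so timing does not leak how many characters were right."""
    pin_ok = hmac.compare_digest(pin, submitted_pin)
    otp_ok = False
    for drift in range(-drift_steps, drift_steps + 1):  # allow +/- one step of clock skew
        expected = hotp(seed, unix_time // step + drift)
        otp_ok |= hmac.compare_digest(expected, submitted_otp)
    return pin_ok and otp_ok
```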

SMS tokens, however, work differently. Here the OTP is generated only by the back-end identity provider and sent to the user's registered mobile phone number. The user then combines their pass-phrase with the SMS OTP code to prove that they hold the token and know their pass-phrase.
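For contrast with the seed-based scheme, here is an added example (not from the original article or from Ecommnet) of the identity-provider side of an SMS token: the server draws a random single-use code for the registered phone number, then verifies pass-phrase and code together, discarding the code after success, expiry or too many wrong guesses. The class name, time-to-live, attempt limit and the user details in the comments are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time


class SmsOtpService:
    """Hypothetical identity-provider back end for SMS one time passwords."""
    CODE_TTL = 300      # assumed: seconds a code stays valid
    MAX_ATTEMPTS = 3    # assumed: wrong guesses before the code is discarded

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so expiry can be tested offline
        self.users = {}             # user -> (salt, pbkdf2 hash of pass-phrase, phone)
        self.pending = {}           # user -> {"code", "expires", "attempts"}

    def register(self, user: str, passphrase: str, phone: str) -> None:
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)
        self.users[user] = (salt, digest, phone)

    def issue(self, user: str):
        """Generate the OTP; returns (phone, code) for the SMS gateway to deliver."""
        code = f"{secrets.randbelow(10 ** 6):06d}"       # CSPRNG, not random.randint
        self.pending[user] = {"code": code, "expires": self.clock() + self.CODE_TTL, "attempts": 0}
        return self.users[user][2], code

    def verify(self, user: str, passphrase: str, code: str) -> bool:
        """Both factors must check out; the code is consumed whatever the outcome."""
        if user not in self.users or user not in self.pending:
            return False
        salt, digest, _ = self.users[user]
        candidate = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)
        pass_ok = hmac.compare_digest(candidate, digest)
        entry = self.pending[user]
        entry["attempts"] += 1
        expired = self.clock() > entry["expires"]
        code_ok = hmac.compare_digest(entry["code"], code)
        if code_ok or expired or entry["attempts"] >= self.MAX_ATTEMPTS:
            del self.pending[user]  # single use: never accept the same code twice
        return pass_ok and code_ok and not expired
```

The phone number returned by `issue` is the only thing tying the code to the user, which is exactly the dependency the next paragraphs discuss.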

Both of these systems rely on the physical token staying in the possession of the user. In either case the loss of the token must be reported as soon as possible to the security manager, who will revoke it.

The weakness of the phone and SMS as a token stems from its reliance on the SIM card and its assigned telephone number. The number can easily be ported to another SIM and provider, and because that same phone number may also serve as an alternative communication channel for resetting passwords or re-registering a different device, an attacker can take possession of the token without ever stealing the physical device.

This relatively simple attack was demonstrated on air by the BBC Radio 4 programme You and Yours earlier this month. Listen here:

BBC Radio 4 3/3/16 @ 12:15
