Tokenless Authentication - The Future?

At Infosecurity 2011, several companies were hyping on that tokenless authentication may be the authentication of the future. One such company is SecurEnvoy, who in 2003 developed their tokenless 2 factor authentication. Essentially, tokenless authentication is the ability for a site to authenticate a user or a transaction that is instigated by a user via an SMS message.

Tokenless authentication has already been implemented in many applications. One example of this implementation is in the Spanish Bank, Santander’s online banking application. When a customer makes a request for a payment to be made to a supplier, a unique code is then sent to the customer’s mobile device. Once the customer enters the code on the website the transaction is then allowed to proceed.

However several security experts at Infosec 2011, pointed out some of the dangers of identity theft with this application. One scenario discussed was what if a user’s work colleague was able to access the user’s system and browse through the history of websites. All it would then need would be for them to gain access to the user’s mobile phone if it was say left in the user’s jacket.

This scenario of course is very theoretical and relies on the colleague being able to gain access to; the sites visited by the user (easy), the user’s id (easy), the user’s password (difficult), get access to the user’s phone (extremely difficult). Another security expert pointed out that this would be no different from a colleague stealing a user’s access token.

However the main difference is that a token can be quickly and easily used whereas a code sent to a mobile phone requires access to the phone and a method to bypass the phone’s security (eg power on password). In addition more people are likely to forget a token compared to their mobile phone.

In the near future, corporations demanding more security of the SMS codes being sent to the smartphone, may be able to take advantage of developments made by software company PinPlus who have developed a system to protect mobile phone logins using a one-time code system based on a matrix pattern authentication. Unfortunately our interview with Jonathan Craymer, managing director of Pinplus, revealed very little in terms of launch date except that it would be available as a free download and at present only windows powered mobiles can take advantage of this technology.