A new service from Authentify, called xFA™, provides a glimpse of multifactor authentication’s future. Building on its legacy of certificate-based, out-of-band, phone-based user authentication, the company is employing a new, screen-based approach that replaces OTP (one-time passwords) or KBA (knowledge-based authentication) for logging on to a secure network.
The innovation is a cryptograph, which Authentify calls an “A-Code,” that looks something like the QR codes that appear on billboards, magazine ads or business cards. These codes are designed to be scanned by smartphones running xFA-enabled mobile apps. For example, a registered employee attempting to log on to a company’s intranet, or a commercial bank’s online customer, will be prompted to scan the A-Code and speak a passphrase in order to receive the digital certificate required to establish a link between the computer and the company’s secure database or Web site.
Like the one-time password or code that is provided by a service like RSA’s SecurID or SafeNet, the A-Code has a short shelf life and expires within minutes. The addition of voice biometrics to the mix is a major part of identity verification because, without a biometric, the company can never be sure that the individual in possession of the phone is, indeed, the person who is supposed to be logging on to the system.
Authentify is one of the longest-standing providers of “out-of-band” authentication technologies. It has long had the ability to incorporate voice biometrics into the mix but, like its direct rival PhoneFactor (which is now a business unit of Microsoft) and others, it has found that customers and prospects have been satisfied with text-based OTP codes. By marketing xFA, Authentify recognizes that smartphones with cameras are destined to be important building blocks for strong, multi-layered and multifactor authentication. It also signals that its prospects and customers now recognize how they must step up to stronger user authentication in order to support BYOD (bring your own device) and work-anywhere strategies.
According to descriptions in press reports, enrollment in xFA is simple and takes a few minutes. Users download a mobile app from Google Play or, soon, the iTunes Store. Once the app is installed, they will be prompted to repeat a passphrase a few times in order to create a voiceprint, which is stored by Authentify on behalf of the participating company. When users attempt to log on to a secure Web site, Authentify delivers a unique, ephemeral A-Code that appears on the Web site. Users are prompted to scan the A-Code and then speak their passphrase. They are not admitted until the company has confidence that the A-Code and utterance match what is expected. Then the certificate is issued by Authentify and a secure link is established.
Clearly there is a lot going on, but it is relatively easy for the individual user or customer and it satisfies corporate requirements for secure communications links and strong user authentication. Smartphones are becoming the “something you have” and, given that, your voice equates to “something you are.”