Wednesday 17 February 2010

Two factor authentication tokens on iPhone

I've been playing with the iPhone recently and I've been very impressed by the number of applications you can get for the phone.

The other day after some prompting from the UK Vasco Technical Account Manager, I installed a Vasco Digipass for the iPhone. (Thanks Dan)

So now I have a demo Digipass on my phone, which I can use for demonstration purposes. It was fairly straightforward: you download the app from the Apple App Store and tap in a couple of codes to make it work. Obviously I also need a Vasco server installed somewhere, with the relevant DPX file loaded on it, so the token can be used.

Off the back of this success, I took the opportunity to install a Celestix HOTPin client on my iPhone as well.

Again, just download the iPhone client software from the Apple App Store. You will need to ensure that the Celestix HOTPin server is running somewhere. Currently it can run on the Celestix WSA appliance, which removes the need for additional server hardware. Once the server component is configured and users have been added to the system, it is ready to go.

I used the HOTPin client on the iPhone to communicate with my Celestix WSA appliance, which is hosting the HOTPin server. The client downloads the client.dat file onto the iPhone and then allows the phone to generate the one-time passwords.

The Vasco token required a bit more information to set up, but Vasco have the advantage of being able to provide your users with hard tokens, software tokens, mobile phone tokens and OTP via SMS, all through a single server element and managed from one console.

The Celestix is a more cost-effective solution, as the HOTPin server software can run on the Celestix WSA appliance and there is no server software cost as such. The only downside is that there is no hard token option, so you may encounter some friction from users who will not want the HOTPin client installed on their own personal mobile devices, although you do have the option of a software client on Windows or OTP via SMS.

Although both solutions support receiving the one-time password via SMS, what happens if your users are in a mobile telephone blackspot?

- Posted using BlogPress from my iPhone


  1. Andy,
    With HOTPin the user has a choice of SMS or client mode operations. The nice thing about using a soft or hard token is that it does not depend on having an out-of-band communications channel like SMS; it works fine anywhere. After the soft token is downloaded there is no direct communication between the HOTPin client and the server. However, switching between modes requires some operator intervention, so a user who expects to be in an area with spotty coverage might prefer a soft token.

    Best regards,
    Hank Cohen
    Sr. Product Manager
    Celestix Networks

  2. Hi Hank,

    I should have been clearer in my post, but thanks for the clarification.

    I think people believe SMS OTP delivery is more secure, but ordinarily it means the OTP sits in the mobile SMS inbox for a while, which could be intercepted, and this is even before the worry about mobile telephone coverage.

    I much prefer the soft token to generate OTP on time rather than event, and, as you point out, it is independent of mobile networks.

    Neither of my installed tokens relies on SMS, and both work as long as my iPhone has battery life... which, as any iPhone user will tell you, is another story!

    Kind regards