SMS Token Detail
SMS delivery of one-time passcodes (OTPs) is the fastest and easiest way to turn any mobile phone into a token. There's no software to install or hardware to distribute, significantly reducing the acquisition and operating costs of a strong authentication solution. OTPs are sent to SMS-capable devices using either one of the pre-configured SMS service providers or by attaching an SMS modem/gateway to our SafeNet Authentication Service.
For many organizations, a complete solution is not simply a question of delivering an OTP; it must also optimize integration with applications, access points and the user logon experience. That's why SafeNet Authentication Service supports 4 methods of SMS/OTP authentication.
SMS No Waiting
In this mode a new passcode is delivered by SMS immediately following each successful authenticated logon. The advantage is that a user always has a valid passcode (which cannot be used without their secret PIN) on their phone. This method most closely mimics a traditional logon. This mode is ideal where SMS network latency or lack of coverage is a concern.
SMS No Waiting Plus
This mode differs from the above by sending up to 5 passcodes in each SMS message. This is ideal for users who are frequently in areas with sporadic or unreliable SMS delivery, because they are not dependent on the SMS service until all passcodes have been consumed.
SMS Challenge/Response
This method is ideal for organizations that want delivery of the OTP to occur during the logon process, that is, "on demand". Only after the user has submitted their valid UserID is the passcode delivered by SMS, allowing the user to submit their OTP and complete the logon process. It has the added benefit of a passcode "time-to-live", not only limiting the passcode to a single use but also requiring the passcode to be consumed within a limited period of time. If it is not used within the time-to-live period, the passcode automatically expires and cannot be used for authentication.
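The on-demand flow above can be sketched as a small passcode store that enforces single use and time-to-live. This is an added example, not SafeNet Authentication Service code; `ChallengeStore`, the 120-second TTL, the 6-digit length and the 3-attempt limit are all assumptions chosen for illustration, and SMS delivery itself is left out.

```python
import hashlib
import hmac
import secrets
import time

TTL_SECONDS = 120   # assumed time-to-live; the page gives no value
MAX_ATTEMPTS = 3    # assumed guess limit per issued passcode
DIGITS = 6          # assumed passcode length


class ChallengeStore:
    """In-memory store of pending SMS challenges, keyed by user ID (hypothetical)."""

    def __init__(self, ttl=TTL_SECONDS, clock=time.monotonic):
        self._ttl = ttl
        self._clock = clock          # injectable so expiry can be tested
        self._pending = {}           # user_id -> challenge record

    @staticmethod
    def _digest(salt, code):
        return hmac.new(salt, code.encode(), hashlib.sha256).digest()

    def issue(self, user_id):
        """Call only after the UserID is validated; returns the code to send by SMS."""
        code = f"{secrets.randbelow(10 ** DIGITS):0{DIGITS}d}"
        salt = secrets.token_bytes(16)
        # Keep a salted digest so the store never holds the plaintext passcode.
        # Issuing again replaces (invalidates) any earlier pending passcode.
        self._pending[user_id] = {
            "salt": salt,
            "digest": self._digest(salt, code),
            "expires_at": self._clock() + self._ttl,
            "attempts_left": MAX_ATTEMPTS,
        }
        return code

    def verify(self, user_id, submitted):
        """Return 'ok', 'expired' or 'rejected'."""
        entry = self._pending.get(user_id)
        if entry is None:
            return "rejected"                      # nothing issued, or already used
        if self._clock() >= entry["expires_at"]:
            del self._pending[user_id]             # time-to-live elapsed
            return "expired"
        candidate = self._digest(entry["salt"], submitted)
        if hmac.compare_digest(entry["digest"], candidate):
            del self._pending[user_id]             # single use: consume on success
            return "ok"
        entry["attempts_left"] -= 1
        if entry["attempts_left"] <= 0:
            del self._pending[user_id]             # too many guesses: force re-issue
        return "rejected"
```
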
SMS Single Sign On
This method is a variation of SMS Challenge/Response that lets organizations take advantage of 2-stage SSO authentication supported by leading SSL VPN and on-demand computing solutions from vendors such as Juniper Networks, Fortigate, Cisco Systems, Citrix and others. In this mode users must submit their Logon ID and Active Directory password. If this is validated by Active Directory, SafeNet Authentication Service sends a time-limited passcode to the user, who combines this with their PIN and submits this as the second stage of authentication. The result is all of the benefits of SSO with the added security and protection of one-time passwords and the convenience and economy of SMS.
As with all SafeNet Authentication Service tokens, SMS token provisioning can be automated, saving time and improving compliance. SafeNet Authentication Service is easily configured to automatically issue, suspend or revoke tokens based on changes to a user's Active Directory group membership, account status and time/day access restrictions. This means that every time a new user is added to a monitored Active Directory group, SafeNet Authentication Service will provision the user with an SMS token. If the account is suspended in AD, the token is automatically suspended in SafeNet Authentication Service, preventing its use for authentication until the user's account is reactivated. If a user is removed from the monitored group, the token is automatically revoked. All of this is accomplished without writing to AD or modifying or extending the schema. As a result, token management becomes a transparent, zero-administration solution.
Audit and Reporting
All user authentication activity is persisted in the SafeNet Authentication Service database, so even after a user has been removed or a token revoked, a complete audit trail is preserved, satisfying privacy and security audit requirements.
Mix and Match
OTP delivery by SMS does not always meet the needs or requirements of the entire user population. With SafeNet Authentication Service this presents no problem because any combination of SMS, hardware and software tokens can be used concurrently in your user population to meet security, budget and compliance requirements, including:
Contractors and external parties: It is not always practical to issue hardware or software tokens to temporary or occasional users. SafeNet Authentication Service SMS tokens provide an elegant and economical solution because there is nothing to distribute. In addition, SafeNet Authentication Service easily accommodates external users who are not part of your Active Directory, including assignment of individual day and time access controls.
Lost or forgotten tokens: Issuing a temporary SMS token to regular users who have lost or forgotten their hardware token continues the protection of OTP authentication while bridging the interval until the hardware token is recovered or replaced.
While most OTP systems are limited to a 6-digit passcode, the weakest form of one-time passcode, SafeNet Authentication Service can be configured to generate 8-character passcodes composed of digits, letters and other characters. Configurability means that you can choose and change the strength of the solution to meet your security and compliance requirements.
Where can BsID SMS tokens be used? Just about anywhere you can log on using a static password. Just a few examples:
Web servers and web-based applications on Microsoft IIS or Apache servers.
On-demand computing solutions such as Citrix™ and Propalms™.
RADIUS-compliant applications and network devices.
PAM-enabled applications.
SafeNet Authentication Service includes user self-service, enabling users to change or update PINs or request an OTP by SMS.
Gateways and Modems
SafeNet Authentication Service supports a wide range of SMS gateways, letting you select a vendor that best meets your requirements. For even greater economy, an SMS modem loaded with a SIM card obtained from your preferred mobile service provider can be used by SafeNet Authentication Service to transmit OTP messages.