Townsend Looks to Spread 2FA Far and Wide
August 19, 2014 Alex Woodie
Under normal circumstances, user authentication products don’t attract a lot of attention. But thanks to Russian hackers, the Heartbleed vulnerability, and Target’s security breach, millions of people are wondering if their passwords are safe (newsflash: they’re probably not). With these security fears as a backdrop, Townsend Security is looking to accelerate the adoption of its new IBM i two-factor authentication (2FA) software.
Last month, Townsend made two announcements that demonstrate its plans for Alliance Two Factor Authentication, the IBM i-based 2FA software that it introduced in January. The 2FA offering prevents a user from logging onto the IBM i server unless she correctly enters her user name and password and correctly enters a unique PIN code sent to the user’s mobile device via SMS messaging. The offering was developed using technology from TeleSign, and also includes a voice-generated PIN option for the eight remaining people who don’t have smartphones.
First, the Olympia, Washington, company announced that it’s going to be using Alliance Two Factor Authentication with its other IBM i security tools, including its encryption product Alliance AES/400, its managed file transfer product Alliance FTP Manager, and its log collection and conversion utility, Alliance LogAgent. These are powerful administrative tools–particularly the encryption software, which serve as “keys to the kingdom”–and the additional layer of security that 2FA brings will help prevent unauthorized users from gaining access to them.
Second, Townsend announced the creation of a new partner program aimed at helping independent software vendors (ISVs) integrate Townsend’s 2FA solution into their own applications. By utilizing Townsend’s API, third-party IBM i applications can be modified to use Alliance Two Factor Authentication rather than (or in addition to) standard log-in methods that rely on just a user name and password.
“IBM i ISVs are struggling to keep up with the evolving security threat landscape,” says Townsend Security CEO Patrick Townsend in a press release. “As the Target data breach demonstrated, the loss of user logon credentials can lead to catastrophic security breaches. â€¦ The Target breach is a prime example of what can happen without two-factor authentication in place.”
Townsend’s offering is not the first 2FA offering to be used with IBM i servers. The biggest players in the authentication market, companies like EMC‘s RSA Security division and SafeNet, offer 2FA or multi-factor authentication solutions that can be deployed in support of IBM i users, although sometimes with customizations or through other third-party products.
But the biggest downside of these approaches, according to Townsend, is that they typically are hardware-based and require the user to carry around a special random number-generating device. By replacing that special device with something that (almost) every user already has–a smartphone–the hassles and costs of deploying 2FA can be reduced.
“Our new partner program puts easy-to-deploy and affordable security into the hands of any ISV, large or small,” Townsend says. “With no expensive servers to deploy, and backed by the Telesign global network, any ISV can now get user authentication security right. It’s fast, easy, and affordable and you can even embed it right into your business applications.”
IBM i ISVs would do well to consider Townsend’s offer, especially considering the shabby state of user authentication and password management at IBM i shops. In its recent State of IBM i Security report, IBM i security software vendor PowerTech highlighted some of the alarming password trends, including the fact that more than half of the systems PowerTech surveyed had more than 30 user profiles with default passwords. By adopting Townsend’s 2FA, IBM i ISVs can help customers do much better than that.