Townsend Taps Authy To Strengthen 2FA on IBM i
February 14, 2018 Alex Woodie
Townsend Security adopted a new smartphone app called Authy to deliver one-time authentication codes to users in the latest release of its two-factor authentication (2FA) solution for IBM i. The new Authy option replaces the text-message-based approach it previously used, an approach that will likely soon fall out of compliance with PCI requirements.
2FA solutions are the emerging standard for authentication in the enterprise, following the long downward spiral in the effectiveness and efficiency of using passwords to confirm identity. Nearly everybody carries a smartphone these days, and enterprises have tried multiple ways to incorporate that fact into their authentication schemes.
One of the first 2FA techniques involved the use of Short Message Service (SMS) codes. When a user needed to identify herself to gain entry into a secured system, she could request that a code be texted to her smartphone. Townsend Security’s 2FA solution for IBM i, called Alliance Two Factor Authentication, used the SMS service from its partner Twilio to send one-time codes to users via text. Townsend’s solution also supported voice-based code delivery.
While the SMS form of 2FA is still widely used by banks and other consumer-facing firms, a change in the Payment Card Industry (PCI) Data Security Standard (DSS) will soon make text-based 2FA an outdated technique, according to Patrick Townsend, CEO and founder of the Olympia, Washington, security company.
The changes are being made to eliminate a potential leak of authentication information in the traditional way that 2FA has been implemented up to this point, Townsend says. While the changes are not yet officially part of the PCI DSS, guidance from the PCI group indicates the changes are likely to become a requirement soon.
“The PCI guidance correctly points out that most implementations of 2FA are actually ‘two step authentication,’” Townsend tells IT Jungle. “That is, you enter a user ID and password first, then if that is correct, you enter a numeric 2FA PIN code. This is how Google email works, as an example.
“The PCI guidance correctly points out that two-step authentication leaks important security information,” he continues. “For example, an attacker would know that the user ID and password are correct before entering the 2FA PIN code. Since we humans are addicted to using the same user IDs and passwords on many sites, this could lead to breaches on other sites and web services.”
Under the new PCI guidance, users must enter a user ID and password (something you know) and a 2FA PIN code (something you have from your mobile phone) at the same time, Townsend continues. “If either or both of them are invalid, the application must indicate an authentication failure, but not tell the user which is invalid. This provides a more secure authentication process.”
The new release of Alliance Two Factor Authentication uses the Authy app to generate time-based one-time passwords (TOTP). Because the Authy app and Alliance Two Factor Authentication are synced, a user who enters the correct TOTP at the IBM i sign-on screen is granted access; an incorrect TOTP is denied. In either case the user (ostensibly a Syrian super-hacker with a DSL line and mad IBM i hacking skills) won’t learn which credential was bad: the user ID, the IBM i password, or the TOTP.
One of the side benefits of using Authy (which is owned by Twilio) is that it works even when the smartphone has no Internet connection. Authy stores a number of pre-generated TOTPs that will work even when there’s no network connection between the smartphone and the Authy service.
Townsend says the new Authy-based approach will be a boon to IBM i users who want to implement strong authentication but leave behind the cost and complexity that hardware-based token solutions have traditionally entailed.
“The Authy service is secure, extremely affordable, easy to administer, and highly performant,” Townsend says. “IBM i customers can install Alliance Two Factor Authentication in a few minutes, provision an Authy account on their websites, and be using two factor authentication very quickly. It’s a fast path to PCI compliance and better security.”
Townsend will continue to support SMS text delivery of one time codes, but the new Authy facility is the default for new installations, the company says. Customers on existing maintenance contracts can upgrade to the new version of Alliance Two Factor Authentication at no cost.