I already spoke about strong authentication on this blog. To summarize, strong authentication is achieved by combining at least two different types of authentication methods from the following list:
- Something you know (a password or a PIN code)
- Something you have (a key, a token)
- Something you are (your fingerprint, your retina, your hand, voice, …)
Strong authentication is also called multi-factor authentication. There are commercial products like the RSA SecurID, but there are also less expensive solutions based on open code and very affordable hardware like the Yubikey (example: Strong authentication on Linux).
A token is a piece of hardware which generates an OTP (“One Time Password”). To log into a system, you need a login, the OTP generated by your token (and sometimes a PIN code). RSA provides a lot of hardware tokens.
The OTP is valid for a short period of time (like one minute). That’s why time synchronization is mandatory between the tokens and the authentication device.
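To illustrate the one-minute validity window and why the token and the server must agree on the time, here is an added example that is not part of the original post and not RSA's proprietary SecurID algorithm: it uses the generic time-based OTP scheme of RFC 6238 with a constructed demo seed, and the server-side check accepts only a small clock-drift window around its own time.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo seed for illustration only; a real token seed is a
# per-token secret provisioned by the authentication server.
DEMO_SEED = b"constructed-demo-seed-do-not-reuse"
STEP_SECONDS = 60   # the OTP changes about once a minute, as in the post
DIGITS = 6


def otp_for_counter(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based OTP (RFC 4226 truncation) for one time-step counter."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def generate(seed: bytes, now: float, step: int = STEP_SECONDS) -> str:
    """What the token (hardware or phone app) displays at wall-clock time `now`."""
    return otp_for_counter(seed, int(now) // step)


def verify(seed: bytes, submitted: str, server_now: float,
           step: int = STEP_SECONDS, drift_steps: int = 1) -> bool:
    """Server-side check: accept the current step plus/minus `drift_steps`
    neighbours to tolerate small clock skew. A token whose clock is off by
    more than that window is rejected, which is why NTP sync matters."""
    current = int(server_now) // step
    for counter in range(current - drift_steps, current + drift_steps + 1):
        if hmac.compare_digest(otp_for_counter(seed, counter), submitted):
            return True
    return False


if __name__ == "__main__":
    t = time.time()
    code = generate(DEMO_SEED, t)
    print("token shows:", code)
    print("clock in sync   :", verify(DEMO_SEED, code, t))
    print("token 5 min slow:", verify(DEMO_SEED, generate(DEMO_SEED, t - 300), t))
```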
Even if the tokens are small enough to be easily carried (in a pocket, on a keyring), they remain an extra piece of hardware to always carry with you! Why not use another device that we always carry? Like a mobile phone! Modern mobile phones have enough resources (CPU, memory), have Internet connectivity and are synchronized via NTP.
For a long time, a Java RSA SecurID application was available for mobile phones or any device running a Java VM. For a few days now, the same application has been available for the iPhone!
The application is available for free and is quite easy to integrate with your existing RSA infrastructure. My company provides RSA tokens to connect to SSL or IPsec VPNs. That was a good opportunity to perform some tests with my iPhone.
I asked my local admin (thanks Steven!) to create and assign a new software token to my account and I received an e-mail with a link like this:
Note: If your local admin uses Outlook to send you the token URL, it will be incorrectly formatted! An extra “/” will be added (“ctf/?ctfDate=”), which will prevent the RSA iPhone application from installing the token. For more details, read this blog post.
Read the received e-mail on your iPhone and open the link. The RSA application will start and automatically install the token. Once done, the next steps depend on your local RSA installation; check with your local admin for details. In my case, the token was configured in “new-PIN” mode: during the first authentication, the system asked me to configure a PIN code.
More details are available on the RSA website.