After breach at RSA, two-factor authentication options abound

A security breach involving the RSA SecurID authentication technology just weeks before the Infosecurity Europe conference is providing a boost to rival vendors of two-factor and multifactor authentication.

We have seen a massive fallout from what has happened at RSA. 

Jason Hart, senior vice president, CRYPTOCard

RSA, the security division of EMC Corp., revealed March 22 that information related to its SecurID products had been stolen in a cyberattack. According to the details released two weeks ago by RSA, attackers installed a backdoor and a variant of the Poison Ivy remote administration tool, reaching out to a remote command-and-control server and navigating through RSA's sensitive systems to pilfer data.

Normally companies offering alternative two-factor authentication options might hope, at best, to pick up some of the crumbs that fall from RSA’s bountiful table of customers; this time, they see an opportunity to win over customers in larger numbers.

“We have seen a massive fallout from what has happened at RSA,” said Jason Hart, a senior vice president at Bristol-based CRYPTOCard. “On a daily basis we are getting RSA customers calling. It’s not solely about the security problem, but it has made companies look at the alternatives.”

His company plans to launch a new cloud-based authentication service at Infosecurity that can work with a range of different hardware-based tokens, as well as soft tokens and SMS messages delivered to mobile devices. “We can have 6,000 users up and running in less than 15 minutes,” Hart said, adding that the cost of the service is “less than the price of a cup of coffee per month.”

For Cambridge-based Signify, which runs a hosted authentication service based on RSA’s SecurID, the main emphasis at Infosecurity will be on the value of a good service when things go wrong.  CEO Dave Abraham said when news of the RSA breach broke, calls and emails started to come in from concerned clients.

“By lunchtime on the first day, around a third of customers had got in touch to ask what they should do,” he said. The company supports around 250 customers and their 65,000 users, with 85% of them using SecurID and the rest receiving one-time password via SMS.

He said Signify has followed RSA’s advice to keep a close eye on system logs to check for conditions that might indicate an unauthorised user trying to get in, but has seen no attacks thus far. The company has also decided to obfuscate part of the serial numbers of tokens in any of the management reports it provides for clients, thereby depriving any potential attacker of vital information.  

“Only a couple of our client companies have asked about switching from SecurID, although others may be looking at alternatives,” Abraham said. “One of the things we’ll be gauging at Infosecurity is whether the world has changed and RSA is no longer the market leader. Or people may see it as a blip, and see that RSA handled it pretty well.”

For Berkshire-based SecurEnvoy, the show offers an opportunity to propose an interim solution for worried SecurID customers, based on its tokenless authentication product, which uses SMS messages to deliver one-time passcodes to users’ mobile phones.

“We don’t expect people to write off [RSA's] tokens without doing some research,” said the company’s sales director Steve Watts. “At Infosec, we’ll be explaining what the RSA breach means to them, and taking them through what their options really are longer term. We’re not going to be scaremongering.”

He will be suggesting the companies sign up for SecurEnvoy’s ICE (in case of emergency) service, which would allow them to move quickly to an SMS-based service while they appraise the situation with RSA. “We can be operational on your site within an hour, and deploy to 20,000 users per hour. It can be a cloud-based service, or locally hosted,” Watts said.

The company will also be using the show to launch a soft token for iPad and iPhone, which users will be able to download and install from the Apple AppStore. In the case of this product, the device creates six-digit passcodes rather than receiving them from the central server via SMS.

Alternative approaches
One company offering an alternative approach to two-factor authentication is Huntingdon-based GridSure. Rather than sending the user a passcode, Gridsure generates a matrix of numbers, usually 5 x 5, although it can be larger.

Having memorised a certain pattern on the matrix which only they know – such as an L-shape near the bottom righthand corner of the matrix – users key in the four digits that make up their secret pattern.

GridSure will be demonstrating its new GrIDsure Enterprise Login version 4, which can also be used in conjunction with common VPN platforms such as Juniper SA and Microsoft Forefront Unified Access Gateway, as well as Microsoft’s Direct Access VPN product. The company also plans to launch new versions for iPad and iPhone, downloadable from the Apple AppStore, which will allow those devices to use pattern-based authentication.

GridSure will be facing competition from newcomer Winfrasott, however, which is launching its own pattern-based authentication product, called pin+, which works on a 6 x 6 matrix.