You’ve probably encountered one of the website authentication schemes that work by sending a one-time code to your smartphone and having you enter it online. The Mobile Transaction Authentication Numbers (mTANs) used by many banks are one example. Google Authenticator protects your Gmail account in a related way (it generates the code on the phone rather than texting it, but you still type the code into the browser), and various other services, LastPass for example, support it as well. Unfortunately, the bad guys already know how to subvert this type of authentication. TextPower’s TextKey SMS authentication is a new approach, one that protects every stage of the authentication process.
Turn It Around
Old-style SMS authentication sends the one-time code to the user’s registered mobile number. There’s no way to be sure that code wasn’t caught by malware on the phone or intercepted using a clone of the phone. Next, the user types the code into the browser. If the PC is infected, malware there can read the code or alter the transaction it authorizes. In fact, a Zeus variant called ZitMo (for “Zeus in the mobile”) performs a tag-team attack, with one component on the PC and one on the mobile cooperating to steal your credentials, and your money.
TextKey reverses the entire process. It doesn’t text anything to you. Instead, after you enter your username and password it displays a PIN and asks you to text that PIN to a specified short code. Cellular carriers work hard to make sure one phone number matches exactly one device, so if the TextKey server receives the message at all, the carrier has already validated the sending phone number and the phone’s UDID. Right there, TextKey gets two added authentication factors for free. The catch, as with any scheme that trusts the caller ID of a text, is that the guarantee is only as strong as the carrier’s binding of number to handset; the site itself never sees the phone, only the number the carrier reports.
The PIN is different every time, and it’s only valid for a couple of minutes. The short code varies too. And a website using TextKey for authentication can optionally require each user to create a personal PIN that must be added to the beginning or end of the one-time PIN.
What happens if a co-worker shoulder-surfs the screen with the PIN and short code, or a malicious program reports your texting activity to its owner? If the TextKey system receives the right PIN from the wrong phone number, it doesn’t merely reject the authentication. It also logs the sending number as a fraud attempt, so the site owner can take appropriate action.
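To make the reversed flow concrete, here is a small server-side model of it in Python. This is an added illustration, not TextPower’s code, and everything in it is an assumption for the sake of the example: the short-code pool, the six-digit PIN, the two-minute lifetime, the phone numbers and the `receive_sms` entry point that a real deployment would wire to whatever inbound-SMS feed the carrier provides. It covers the steps described above: issue a PIN and short code after the password check, accept only a text that arrives at that short code with that PIN (optionally wrapped in the user’s personal PIN), expire stale PINs, and log a correct PIN sent from the wrong number as fraud rather than silently rejecting it.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Constructed values for the example; a real service would use the short
# codes it leases from carriers and tune the lifetime to its own policy.
SHORT_CODES = ["55555", "56789", "61234"]
PIN_TTL_SECONDS = 120
PIN_DIGITS = 6


@dataclass
class Challenge:
    username: str
    pin: str          # one-time PIN shown in the browser
    short_code: str   # destination the user must text it to
    issued_at: float


@dataclass
class ReverseSmsAuthenticator:
    registry: Dict[str, str]                     # username -> registered number
    personal_pins: Dict[str, str] = field(default_factory=dict)
    now: Callable[[], float] = time.time         # injectable clock for tests
    pending: Dict[str, Challenge] = field(default_factory=dict)
    fraud_log: List[dict] = field(default_factory=list)

    def start_challenge(self, username: str) -> Tuple[str, str]:
        """Step 1: after username/password succeed, mint a fresh PIN and pick
        a short code for the browser to display. Nothing is sent to the phone."""
        pin = "".join(secrets.choice("0123456789") for _ in range(PIN_DIGITS))
        short_code = secrets.choice(SHORT_CODES)
        self.pending[username] = Challenge(username, pin, short_code, self.now())
        return pin, short_code

    def _accepted_bodies(self, ch: Challenge) -> List[str]:
        """Expected message text: the one-time PIN, with the user's personal
        PIN (if they set one) either prepended or appended."""
        personal = self.personal_pins.get(ch.username)
        if not personal:
            return [ch.pin]
        return [personal + ch.pin, ch.pin + personal]

    def _match(self, destination: str, body: str) -> Optional[Challenge]:
        """Find the pending challenge this inbound text answers, if any.
        Every candidate is compared in constant time; no early exit on match."""
        found = None
        text = body.strip().encode()
        for ch in self.pending.values():
            if ch.short_code != destination:
                continue
            for expected in self._accepted_bodies(ch):
                if hmac.compare_digest(expected.encode(), text):
                    found = ch
        return found

    def receive_sms(self, sender: str, destination: str, body: str) -> str:
        """Step 2: the carrier delivers a text to one of our short codes.
        Returns 'ok', 'expired', 'fraud' or 'reject'."""
        ch = self._match(destination, body)
        if ch is None:
            return "reject"             # no live PIN/short-code pairing matches
        del self.pending[ch.username]   # single use, whatever the outcome
        if self.now() - ch.issued_at > PIN_TTL_SECONDS:
            return "expired"
        registered = self.registry.get(ch.username, "").encode()
        if not hmac.compare_digest(registered, sender.encode()):
            # Right PIN, wrong phone: the PIN leaked (shoulder surfing, malware).
            self.fraud_log.append({"user": ch.username, "sender": sender,
                                   "short_code": destination, "at": self.now()})
            return "fraud"
        return "ok"


def demo() -> Dict[str, object]:
    """Walk the flow with a fixed clock and constructed users; returns outcomes."""
    clock = [1000.0]
    auth = ReverseSmsAuthenticator(
        registry={"alice": "+15551230001", "bob": "+15551230002"},  # constructed
        personal_pins={"alice": "42"},
        now=lambda: clock[0],
    )
    results: Dict[str, object] = {}
    pin, code = auth.start_challenge("alice")
    results["shoulder_surfer"] = auth.receive_sms("+15559990000", code, "42" + pin)
    pin, code = auth.start_challenge("alice")
    results["wrong_short_code"] = auth.receive_sms("+15551230001", "00000", "42" + pin)
    results["legit"] = auth.receive_sms("+15551230001", code, pin + "42")
    results["replay"] = auth.receive_sms("+15551230001", code, pin + "42")
    pin, code = auth.start_challenge("alice")
    clock[0] += 300                      # well past the two-minute window
    results["expired"] = auth.receive_sms("+15551230001", code, "42" + pin)
    pin, code = auth.start_challenge("bob")
    results["no_personal_pin"] = auth.receive_sms("+15551230002", code, pin)
    results["fraud_entries"] = len(auth.fraud_log)
    return results


if __name__ == "__main__":
    print(demo())
```

Two design choices are worth noting. The challenge is consumed on every matched message, including an expired or fraudulent one, so a PIN that has been seen once can never be replayed. And the sender check happens only after the PIN matched: a random text to the short code is just rejected, while a correct PIN from an unregistered number is what gets written to the fraud log, which is exactly the signal the site owner wants.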
TextPower offers an online demo where you can give TextKey a try. For demonstration purposes, you’ll enter your phone number yourself; in a real-world situation the number would be part of your user profile. Note that you can trigger the fraud alert by entering a number other than your own.
How Do You Get It?
Alas, TextKey is not something you can implement as a consumer. You can only make use of it if the bank or other secure site has implemented it. Small businesses can contract for TextKey authentication on a security-as-a-service basis, paying from $5 down to $0.50 per user per month, depending on the number of users. That’s a flat monthly fee, for any number of logins. Large-scale operations hosting their own TextKey servers pay a setup fee as well as the monthly fee.
This scheme may not be 100 percent uncrackable, but it’s vastly tougher than old-school SMS authentication. It goes way beyond two-factor; TextPower calls it “Omni-Factor.” You have to know the password, possess the phone with the correct UDID, enter the displayed PIN, optionally add your personal PIN, send the text from your registered phone number, and use the random short code as a destination. Confronted with this, the average hacker will probably slink off and crack a few bank mTANs instead.