Difference between revisions of "SMS"
Latest revision as of 12:52, 11 May 2017
Swivel can use Short Message Service (SMS) text messages to send users a One Time Code (OTC) for authentication, using the mobile phone as a device for two-factor authentication. Swivel supports the following:
- SMS sent in Advance
- SMS sent on Demand
SMS sent in Advance
When the user account is created, the user is sent their first One Time Code. This helps to overcome network delivery issues, as the user has an OTC on their mobile phone ready for authentication. If a user passes or fails an authentication, they are sent their next OTC. If the message is deleted, the user can request a new text message.
This method also allows multiple OTCs to be sent in a single text message; see Mobile Security String Index.
SMS sent on Demand or Request
When authenticating, the user requests that an SMS text message be sent to them. The user then has a limited time to log in using the OTC in the text message. This is On Demand authentication, and the length of time for which the SMS is valid is configurable, with a default of two minutes. The text message is usually requested by one of the following methods:
- Button on the login page
- Challenge and response, where the user enters a username and password
- Taskbar utility
Some SMS gateways support Flash SMS, which appears on the screen immediately upon arrival and is deleted unless it is saved. Flash SMS is usually used for On Demand authentication.
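The two delivery modes described above differ mainly in how long a code stays valid and when the next one is issued. The sketch below is an added example, not Swivel's code: the class and method names, the 6-digit code length, the in-memory store and the rule that one attempt consumes an on-demand code are all assumptions made for illustration.

```python
import hmac
import secrets
import time

DEFAULT_VALIDITY = 120  # seconds; the two-minute on-demand default stated on the page


class OtcStore:
    """Per-user pending OTC. Hypothetical names; in-memory state for illustration."""

    def __init__(self, on_demand, send, validity=DEFAULT_VALIDITY, clock=time.monotonic):
        self.on_demand = on_demand  # False selects "sent in advance" mode
        self.send = send            # callable(user, code); stands in for the SMS gateway
        self.validity = validity
        self.clock = clock
        self._pending = {}          # user -> (code, issued_at)

    def issue(self, user):
        # CSPRNG output, zero-padded to 6 digits (code length is an assumption).
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user] = (code, self.clock())
        self.send(user, code)

    def verify(self, user, submitted):
        # Pop first: one attempt consumes the code, so it cannot be replayed or
        # guessed against repeatedly (an assumption for on-demand mode).
        entry = self._pending.pop(user, None)
        ok = False
        if entry is not None:
            code, issued_at = entry
            # Only on-demand codes carry a validity window.
            expired = self.on_demand and self.clock() - issued_at > self.validity
            # Constant-time comparison avoids leaking matching prefixes via timing.
            match = hmac.compare_digest(code.encode(), submitted.encode())
            ok = match and not expired
            if not self.on_demand:
                # In-advance mode: the next OTC goes out after a pass or a fail.
                self.issue(user)
        return ok
```

Passing a fake `clock` and a `send` callback that appends to a list lets the expiry and reissue behaviour be exercised without a gateway.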
Integrating with SMS
Integrating the login
Integration of login portals is usually straightforward with SMS. However, if TURing and Pinpad images are used, they should not be generated automatically, as a login will then be expected using those methods. When using challenge and response with RADIUS, no changes to the login page may be required.
Sending SMS messages
SMS may be vulnerable to the attacks listed below. To overcome these, the PINsafe Protocol may be used to protect the OTC; see the PINsafe User Guide.
- SMS forwarding, particularly on smartphones
- Physical theft of the phone
- SIM cloning
- SMS eavesdropping
- Shoulder surfing