SMS

From Swivel Knowledgebase
Jump to: navigation, search


Overview

Swivel can use Short Messaging Service (SMS) Text message to send users a One Time Code (OTC) for authentication, using the mobile phone as a device for two factor authentication. Swivel supports the following:

  • SMS sent in Advance
  • SMS sent on Demand

As an alternative to SMS text messaging see Mobile Phone Client. For alternative authentication see Authentication Methods.


SMS sent in Advance

When the user account is created the user is sent their first One Time Code. This helps to overcome network delivery issues as the user has an OTC on their mobile phone ready for authentication. If a user passes or fails an authentication, then they are sent their next OTC. If the message is deleted, the user can request a new text message.

This method also allows multiple OTC's to be sent in a single text message, see Mobile Security String Index


SMS sent on Demand or Request

When the user is making an authentication the user requests an SMS text message to be sent to them. The user then has a limited time to login using the OTC within the Text Message. This is On Demand Authentication and the length of time that the SMS is valid for is configurable, with a default of two minutes. The text message is usually requested by the following methods:


Flash SMS

Some SMS gateways support the use of Flash SMS, which appears on the screen immediately upon arrival and unless it is saved, it is deleted. Flash SMS is usually used for On Demand authentication.


Integrating with SMS

Integrating the login

Integration of login portals is usually straight forward with SMS, although if TURing and Pinpad images are used, then these should not be automatically generated as a login will be expected using those methods. When using Challenge and response with RADIUS, then no changes to the login page may be required.


Sending SMS messages

SMS messages are usually sent through an SMS Gateway, although it is possible to use a GSM Modem.


SMS Security

SMS may be vulnerable to the below attacks. To overcome these PINsafe Protocol may be used to protect the OTC, see PINsafe User Guide.

  • SMS Forwarding, particularly on Smart Phones
  • Physical theft of the phone
  • SIM cloning
  • SMS eavesdropping
  • Shoulder surfing