Two-Factor Authentication over Mobile: Simplifying Security and Authentication




SAP Thought Leadership Paper | SAP Mobile Services

Controlling Fraud and Validating End Users Easily and Cost-Effectively

Table of Contents
Selecting the Key Factors for Two-Factor Authentication
Establishing Safeguards for Two-Factor Authentication
Enabling Security and Confidence with SMS-Generated Passcodes
Using Push Notifications as a Channel: Smartphone Simple, and More
Incorporating the Inherence Factor

ABOUT THE AUTHOR
William Dudley is group director and mobile evangelist of global strategy and solutions at SAP. He has almost 30 years of experience building and managing telecommunications network infrastructures. He defines global strategy and solutions for SAP Mobile Services, a division of SAP, within the mobile ecosystem, focusing on solutions for messaging, next-generation networks (LTE, IPX), and mobile consumer engagement. As mobile evangelist, Mr. Dudley communicates through both internal and external publications and is active in industry groups.

Two-factor authentication (2FA) is a means of controlling fraud and verifying end users. It can be implemented in a number of forms, by using software or hardware tokens or by engaging through mobile devices. When implemented correctly, especially when using mobile devices, 2FA is a low-cost solution that is easy to implement, easy to use, and an effective deterrent to fraud, thereby protecting both the end user and the enterprise.

Selecting the Key Factors for Two-Factor Authentication

2FA is a form of multifactor authentication. It requires at least two authentication factors, which may comprise:

- A knowledge factor: something only the user knows, such as a password or personal identification number (PIN)
- A possession factor: something only the user possesses, such as an ATM card, mobile device, or hardware token
- An inherence factor: something unique to the user, such as a fingerprint or retina pattern

2FA is often used in situations where the user must be accurately identified. A common illustration is the ATM usage scenario. The user swipes an ATM card (something the user possesses) and then enters a secret PIN (something the user knows). Without both authentication factors working, the user can't withdraw cash from the ATM.

For many years, to secure access to corporate or government systems and more, organizations around the world have relied on hardware tokens (something that you have) along with user IDs and passwords (something that you know). Recently, enterprises also have been able to make use of mobile devices as a common "something that you have." Using mobile devices for 2FA opens up a variety of use cases that make it difficult for many hardware-based key fob devices to adequately compete. For example, many smartphone apps can generate 2FA PIN codes of varying lengths that replace the dedicated hardware token. Such apps use industry-standard algorithms to generate PIN codes that synchronize with server-side applications and Web sites to enable a second authentication for end users.

The goal of 2FA is to reduce instances of online fraud such as monetary theft or identity theft. While there are variations in the manner in which an individual can be authenticated (including the "something that you are," the inherence factor), the strength of 2FA lies in the strength of its implementation, in particular, the strength of the two factors that are used to identify the individual.

Establishing Safeguards for Two-Factor Authentication

When 2FA is deployed in a mobile ecosystem, safeguards must be in place to allow 2FA implementations to function securely, or at all. Safeguards may include:

- Providing the second authentication factor through SMS messaging
- Using a dedicated application to generate the second authentication
- Employing biometric sensors on the mobile device
- Delivering tokens through some other channel such as push notifications

Each of these safeguards must be considered in light of the security offered, benefits obtained, ease of use, and ease of implementation.

TWO-FACTOR AUTHENTICATION OVER SMS

A popular way to deliver one-time passcodes or 2FA authentication tokens (PINs, alphanumeric codes, and so on) is to send the token to a registered mobile device in a text message. With growing digital transformation, social networks, digital commerce, and financial institutions often use 2FA for resetting passwords, authorizing users, and validating transactions. Delivery of 2FA tokens over SMS typically is reliable and quick and uses a medium that virtually every mobile device can support. As a delivery channel for 2FA tokens, SMS is easy to implement and easy for the end user to employ. Today, most mobile users have received some sort of 2FA code over SMS. It's a very popular means of providing a second authentication method.

While software alternatives to 2FA over SMS are common, they usually rely on the user having a smartphone and downloading an app. In contrast, SMS is available to all mobile devices, smartphone or not, and in all regions. Enterprises looking to implement 2FA with mobile devices should consider SMS as their first choice. Typically implemented using simple application programming interface calls, an SMS service can deliver a passcode that is already generated or, better yet, both generate and deliver the passcode and then authenticate the code entered by the end user. Additionally, SMS can integrate easily into existing workflows.

Enabling Security and Confidence with SMS-Generated Passcodes

While SMS is not inherently encrypted as the messages are transmitted over mobile networks, it's still a high-security solution. 2FA tokens generally have a short expiration time, usually no more than a few minutes. Further, there are limits as to how many times a user may try to enter a received code before being locked out of an application for a specific period of time. While no scheme is 100% secure, 2FA over SMS works because, in virtually all situations, it provides enough security and confidence to protect both enterprises and end users from fraud. The figure depicts sample SMS-generated codes received on mobile devices.

Figure: SMS-Generated One-Time Passcodes Supporting Two-Factor Authentication

When SMS is used, the delivery provider should make use of as many direct mobile operator connections as possible, using all high-quality routes, since many of these 2FA tokens have short expiration times. It is imperative that these SMS messages comply with all regulations and best practices for the country for which they are intended. Service providers that offer lower-cost or least-cost routing for 2FA traffic run the risk of their messages being delayed or blocked entirely (for example, when leveraging the so-called grey routes for SMS).

TYPICAL USE CASES FOR TWO-FACTOR AUTHENTICATION OVER SMS

Employing two-factor authentication (2FA) over SMS enables a number of use cases that support greater security and confidence for your enterprise. For example, 2FA over SMS allows you to:

- Automate mobile devices while managing unrecognized IP addresses
- Enable secure logins by requiring users to input an additional code sent to their mobile devices
- Confirm user registration while using verification codes to validate mobile devices
- Enable more secure e-commerce transactions by validating a transaction with a code sent to the mobile device
- Reset an end-user password by sending a one-time passcode to the user's mobile device
- Validate money transfers using one-time passcodes to confirm secure transactions
- Support marketing or couponing engagement by sending codes to mobile devices, so users can enter codes to obtain on-site savings
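The SMS section above describes a service that generates the passcode, delivers it, and later authenticates what the user typed; this section adds the two safeguards that make that acceptable over an unencrypted channel, a short expiration and an attempt limit with lockout. The example below is added here and is not code from the paper or from any SAP service; it serves both passages. It assumes an SMS gateway reachable through a `send_sms(phone, text)` callable (a stand-in, `RecordingSender`, is included so the code runs offline), the class and method names are the example's own, the expiry and lockout values are illustrative, and the phone number in the demo is constructed.

```python
import hashlib
import hmac
import re
import secrets
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 3        # wrong entries allowed before lockout (illustrative value)
TTL_SECONDS = 180       # passcode lifetime: "no more than a few minutes" (illustrative value)
LOCKOUT_SECONDS = 600   # how long verification is refused after MAX_ATTEMPTS failures


@dataclass
class Challenge:
    code_hash: bytes    # only a salted hash of the passcode is kept server-side
    expires_at: float
    attempts: int = 0


class SmsOtpService:
    """Generate a passcode, hand it to the SMS sender, and verify the user's entry later.

    `send_sms(phone, text)` stands in for whatever SMS API is used (an assumption of this
    example); `clock` is injectable so expiry can be tested without sleeping."""

    def __init__(self, send_sms, clock=time.time):
        self._send = send_sms
        self._clock = clock
        self._challenges = {}     # phone -> Challenge (one outstanding code per number)
        self._locked_until = {}   # phone -> Unix time at which the lockout ends

    @staticmethod
    def _hash(phone: str, code: str) -> bytes:
        # Salting with the phone number keeps equal codes for two users from hashing alike.
        return hashlib.sha256(f"{phone}:{code}".encode()).digest()

    def issue(self, phone: str, digits: int = 6) -> None:
        now = self._clock()
        if self._locked_until.get(phone, 0) > now:
            raise PermissionError("phone number is locked out")
        code = f"{secrets.randbelow(10 ** digits):0{digits}d}"   # CSPRNG, fixed width
        self._challenges[phone] = Challenge(self._hash(phone, code), now + TTL_SECONDS)
        self._send(phone, f"Your one-time passcode is {code}. It expires in "
                          f"{TTL_SECONDS // 60} minutes.")

    def verify(self, phone: str, code: str) -> str:
        """Returns one of: ok, invalid, expired, locked, no_challenge."""
        now = self._clock()
        if self._locked_until.get(phone, 0) > now:
            return "locked"
        challenge = self._challenges.get(phone)
        if challenge is None:
            return "no_challenge"
        if now > challenge.expires_at:
            del self._challenges[phone]
            return "expired"
        challenge.attempts += 1
        if hmac.compare_digest(challenge.code_hash, self._hash(phone, code)):
            del self._challenges[phone]       # one-time use: the code cannot be replayed
            return "ok"
        if challenge.attempts >= MAX_ATTEMPTS:
            del self._challenges[phone]       # discard the code and lock the number
            self._locked_until[phone] = now + LOCKOUT_SECONDS
            return "locked"
        return "invalid"


class RecordingSender:
    """Stand-in SMS gateway for the demo: records messages instead of sending them."""

    def __init__(self):
        self.messages = []

    def send(self, phone: str, text: str) -> None:
        self.messages.append((phone, text))

    def last_code(self) -> str:
        return re.search(r"\b\d{6}\b", self.messages[-1][1]).group(0)


class FakeClock:
    """Controllable clock so the demo can move past TTL_SECONDS without waiting."""

    def __init__(self, now: float):
        self.now = now

    def __call__(self) -> float:
        return self.now


if __name__ == "__main__":
    clock, sender = FakeClock(1_700_000_000.0), RecordingSender()
    service = SmsOtpService(sender.send, clock)
    phone = "+15550100"                     # constructed sample number
    service.issue(phone)
    print(sender.messages[-1][1])
    print(service.verify(phone, sender.last_code()))   # ok
    print(service.verify(phone, sender.last_code()))   # no_challenge (one-time use)
```

Keeping only a hash of the passcode limits what a leaked challenge table reveals, although a six-digit code is short enough to brute-force offline, so the short TTL and the per-number attempt limit are what actually bound the attacker; in a multi-node deployment the challenge and lockout tables belong in shared storage so that the attempt limit cannot be reset by hitting a different node.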

Using Push Notifications as a Channel: Smartphone Simple, and More

2FA over SMS isn't the only route that 2FA tokens generated in the cloud (or server side) can use to reach smartphones. They may also be pushed to devices over direct IP links using various mechanisms called push notifications, which are typically specific to the mobile operating system. When push notifications are used, the enterprise or app builder incorporates specific functionality within the mobile app through integration of software development kits (SDKs). Using SDKs, messages sent through the IP connections of a device can be displayed within the app as well as within the notification panels of mobile devices. Both displays are commonly used on Android and Apple iOS devices.

2FA push notifications act very similarly to 2FA over SMS in the sense that the 2FA token is generated on the server side and then transferred to the mobile device. But with 2FA push notifications, instead of using SMS, the data is delivered directly to the mobile app.

There are some limitations that should be noted with 2FA push notifications, especially with Android or native iOS push notifications. Some native push messages can time out or be blocked by Wi-Fi firewalls, and some servers stagger deliveries, which can affect delivery time, something that is paramount for 2FA tokens. That noted, there are now implementations of push notifications, such as the SAP Intelligent Notification 365 mobile service, that overcome these limitations, making push a strong channel for 2FA token delivery.

Push notifications work when there is already an enterprise or commerce app that can be leveraged for the purpose of displaying the 2FA tokens. Additionally, this channel is good for markets where most subscribers using the service are also using the mobile app, even if they are engaging through the mobile app. These types of situations are perfect gateways to use a different second factor of authentication: the "something you are."

Incorporating the Inherence Factor

For in-app authentication, sometimes pushing or generating 2FA codes does not meet the criteria for true two-factor authentication. Instead, we must leverage characteristics about the users themselves: the inherence factor, or the "something they are." This authentication factor includes fingerprint sensors, retina scans, and other biometrics. For example, some mobile apps with high-value content such as financial information ask for a user ID and password (something you know or have) and then require a fingerprint scan (something you are). This type of authentication is still limited to smartphones; however, with today's penetration of smartphones in most markets, it may eventually supersede other forms of second-factor authentication.

SUMMARY

The usage of a second authentication factor should always be considered as a means of protecting the interests of end users when engaging in the digital world over mobile devices. One of the first considerations should always be that the second authentication factor includes a mobile device, something virtually everyone today has. For simplicity's sake, nothing really comes close to delivery of 2FA tokens over SMS. Unless you have specific requirements, 2FA over SMS can support many, many use cases. As authentication requirements become more sophisticated, the inclusion of push notifications and even biometrics through mobile devices should also be considered as strong alternatives to stand-alone hardware tokens and, in many cases, dedicated software-token generators.

LEARN MORE

SAP Mobile Services, a division of SAP, enables enterprises to aggregate messages globally and reliably. The SAP Authentication 365 mobile service is an end-to-end, portable, and configurable two-factor authentication (2FA) solution for multiple channels that include SMS, push notifications (such as the SAP Intelligent Notification 365 mobile service), and more.

The SAP Authentication 365 mobile service is an authentication service add-on for SAP SMS 365, enterprise service. The mobile service provides:

- Integrated connectivity to SAP SMS 365, enterprise service, reaching almost 980 mobile networks through a single, standard interface
- Accurate and fast message routing, utilizing our advanced number resolution system to correctly identify the destination mobile network operator
- High-priority messaging delivery solutions that help ensure fast delivery of 2FA and one-time passcode (OTP) messages
- High-quality, approved routes for reliable delivery of all messaging, including 2FA and OTP messages
- Multiple configurability options for 2FA tokens, as well as a comprehensive administrative and analytics user interface
- Simple application programming interfaces for easy integration of 2FA capabilities into existing workflows

40481 (15/10) © 2015 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP SE or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE's or its affiliated companies' strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality.
All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.