SMS Authentication:

S
10 Things to Know—Before You Buy
WHITE PAPER
WH

Introduction
Benefits Delivering instant remote access is no longer just about remote employees. It’s about enabling
• Improve security
customers to perform online transactions, mobile sales reps to access ERP applications,
• Reduce security costs outsourced call centers to share the customer database, and more. While ensuring reliable,
• Boost deployment instantaneous access is a must, so, too, is the need to guard against breaches and ensure
opportunities continuous compliance. In this business environment, strong authentication—using multiple
factors to ensure users are indeed who they claim to be—is vital. As they evaluate the
alternatives, many organizations are opting to use SMS authentication, which offers a mix of
convenience and security that make it ideally suited to many usage scenarios.

SMS Authentication: Promising an Unparalleled Combination of Security

and Convenience
SMS authentication combines the security of two-factor authentication with the convenience
and simplicity of mobile devices and SMS messages. The SMS authentication process can
vary, but, generally, a user looking to gain remote access submits a request for a password,
which is then fulfilled via SMS to the user’s authorized phone. This password is then used to
gain account access.

SMS authentication can present a number of significant benefits:

• Improve security. SMS authentication delivers two-factor authentication that offers
a number of security advantages over basic user name and password access, helping
provide a strong layer of protection for user access and identities.

• Reduce security costs. Compared to hardware-based token approaches, SMS

authentication can provide both significant up front savings—by reducing token
purchases and distribution costs—and over the long term by streamlining administration
and eliminating the cost of replacing lost tokens.

• Boost deployment opportunities. By eliminating tokens from the equation and

relying instead on ubiquitous mobile devices, SMS authentication brings two-factor
authentication to a range of arenas where it would have been previously impractical—
online banking, e-learning education portals, authenticating voice-based system access,
healthcare sites, and more.

SMS Authentication: 10 Things to Know—Before You Buy White Paper 1

SMS Authentication: 10 Key Considerations
SMS authentication offers numerous advantages and benefits. In addition, its deployment
characteristics can make it an ideal complement to an organization’s existing security and
authentication mechanisms. To assess whether SMS authentication fits their specific needs,
business and IT managers should consider the following areas:

1. End User Convenience

Paramount to the success of any authentication initiative is that end users ultimately use the
mechanisms in place—and don’t suffer lost productivity as a result. Toward that end, decision
makers should look for solutions that offer self-service activation so users don’t need to wait for
help from a support representative. In addition, the setup process should be intuitive, fast, and
simple.

2. Broad Device Support

The cost savings of SMS authentication, and the elimination of the need to buy, ship, and support
hardware tokens, are undeniable. However, those savings can start eroding quickly if an SMS
authentication solution necessitates the purchase of new mobile devices. Look for solutions that
offer the broadest device support to ensure the devices your organization has today, and may
acquire tomorrow, are supported.

3. SMS Network Support

In a given enterprise, users across an organization may rely on a host of networks, in various
regions, during their daily work and travels. To be truly viable, SMS authentication mechanisms
need to support all SMS service provider networks.

4. Over-the-Air Deployment and Activation

To realize their full deployment potential, SMS authentication solutions simply can’t require that
security teams have physical access to end user’s mobile devices. Consequently, remote, over-
the-air mechanisms—not only for initial deployment and activation, but for ongoing updates and
changes—are essential.

5. Ease of Management
For the administrators of SMS authentication solutions, there are several factors for assessing
efficiency. Does the solution offer eamless integration with existing user directories, such
as LDAP and Active Directory? In the case of a lost or stolen device, can administrators
quickly and easily revoke access? Also, look for solutions that offer automatic administrator
notifications. Whether it’s an issue caused by a lost device, a compromised internal server, or
any other potentially threatening event, administrators need to be notified automatically—and
immediately—to ensure they can promptly take the remediation steps required.

6. Heterogeneous Authentication Management

One type of authentication will not typically address the security and business needs of an entire
enterprise. SMS authentication may be one of many authentication solutions in place at a given
time. If an SMS authentication solution requires its own separate management system, it can
usher in complexity in terms of enforcing policies, managing changes in user and group status,
and in a host of other areas.

Therefore, it is critical to deploy solutions that can be integrated with a central management
platform that can be used to control all enterprise authentication; whether it’s simple, one-
time-password solutions, robust certificate-based digital signing applications, USB tokens or
software-based solutions, or hybrid, physical and logical security systems. Finally, this broad
support is vital for the true utility of SMS authentication in its own right. If a solution offers the
flexibility not just to do SMS, but OTP to e-mail, SMTP delivery, and more, the utility and value of
that solution increases substantially.

SMS Authentication: 10 Things to Know—Before You Buy White Paper 2

7. Robust Security
In the end, any authentication mechanism needs to deliver robust security. Solutions need
to offer powerful identity protection for all types of remote access systems, including VPNs,
Terminal Servers, Citrix applications, and Outlook Web Access. Here again, the broadest possible
adoption with existing policy management and security mechanisms is vital—it fosters more
uniform policy enforcement and minimizes security gaps. Look for solutions that offer a strong
combination of granular policy controls, and centralized management of diverse users and
groups.

8. Authentication Strength
Not all authentication mechanisms are created equal. In evaluating alternatives, it is important
to ensure that the authentication method ultimately employed meets at least the minimum
level of protection warranted by the assets involved. Look at the worst-case scenario—what
would happen if an attacker successfully compromised the credentials of an authorized user
and was able to access corporate resources? The level of authentication strength should be
commensurate with the severity of this exposure.

9. Broad Delivery and Business Model Support

SMS authentication can present a wealth of new opportunities to leverage strong authentication
in entirely new ways, which can present both transformational security and business benefits.
To realize these potential benefits, both immediately and in the long term, businesses should
adopt SMS authentication solutions that are part of a comprehensive security framework. By
eliminating the deployment of numerous, disparately managed point solutions, organizations can
gain optimal opportunities for new applications, while minimizing costs.

10. Low Total Cost of Ownership

Inherently, SMS authentication solutions can present significant cost advantages, particularly
when compared to the distribution and maintenance of hardware tokens. Beyond these benefits,
organizations can profit from ongoing cost savings by leveraging those solutions that do the best
job of streamlining up front deployment and ongoing maintenance. To do so, security teams need
the broadest integration flexibility, end user self-service capabilities, and easy administration.

Conclusion
For many organizations, SMS authentication can present a host of benefits to organizations
looking to improve security while maximizing the productivity of end users and administrative
staff. In choosing any authentication solution, organizations will be well served by taking many
key considerations into account, including deployment characteristics, convenience for end
users, centralized management, overall security, and more.

About SafeNet Authentication Solutions

SafeNet authentication solutions ensure easy and secure strong authentication for employees,
partners, and customers and cover the entire spectrum of security needs, from remote access
to advanced certificate-based applications. In addition, SafeNet offers the token management
systems that streamline deployment, provisioning, and ongoing maintenance. SafeNet’s
token management systems support the company’s entire range of hardware and software
authentication solutions, which offers even further benefits in administrative efficiency—while
enabling organizations to tailor authentication approaches to specific risk levels and use cases.

OTP Authenticators
• eToken PASS. The eToken PA SS is an OTP token that offers two-factor strong
authentication in detached mode. eToken PA SS is available in both time and
event-based versions.

• GOLD. GOLD is an event-based OTP token that offers strong, two-factor

authentication. It also supports challenge response functionality which offers
an additional layer of security by generating the OTP only after users enter a
PIN code on the token keypad.

SMS Authentication: 10 Things to Know—Before You Buy White Paper 3

Certificate-Based Authenticators (PKI)
• eToken PRO. The eToken Pro is a smartcard USB token that provides two-factor
strong authentication, advanced security applications, digital signatures, and
cost-effective password management.

• eToken PRO Anywhere. The eToken Pro Anywhere is a clientless smartcard

USB token that leaves zero footprint on end-user computers. It combines the
strength of certificate-based, two-factor authentication with the plug-and-
play simplicity and mobility of OTP.

• iKey 2032. The iKey 2032 is a smartcard USB token that offers two-factor
authentication, advanced security applications, and digital signatures.

• iKey 4000. The iKey 4000 is a smartcard USB token that offers multi-factor
authentication with optional match-on card biometric functionality.

• eToken PRO Smartcard. The eToken Pro is a credit card form factor
authenticator that supports password management, digital signatures, and
advanced security applications.

• SafeNet Smartcard 400. The SafeNet Smartcard 400 is a credit card

form factor authenticator that supports certificatebased, multi-factor
authentication and advanced security applications.

Hybrid Authenticators
• eToken NG-OTP. The eToken NG-OTP is a hybrid USB token that supports both
OTP and certificate-based authentication.

• eToken FLASH. The eToken NG-FLASH is a certificate-based, strong

authentication USB token with on-board encrypted storage. eToken NG-FLASH
is available in sizes ranging from 1GB to 16 GB.

Software Authenticators
• MobilePASS. MobilePA SS is a software-based OTP authenticator that
combines the security of two-factor strong authentication with the
convenience of one-time passwords generated on Windows desktops and a
range of mobile devices, including iPhone, BlackBerry, and Windows Mobile
platforms. For additional flexibility, it also supports SMS delivery to mobile
devices.

• eToken Virtual. eToken Virtual is a certificate-based, two-factor authentication

solution that provides full PKI functionality, including secure remote access,
network access, and digital signing in a software-based solution.

To learn more about SafeNet Authentication Solutions, visit www.SafeNet-Inc.com/

authentication

About SafeNet
Founded in 1983, SafeNet is a global leader in information security. SafeNet protects its
customers’ most valuable assets, including identities, transactions, communications, data
and software licensing, throughout the data lifecycle. More than 25,000 customers across
both commercial enterprises and government agencies and in over 100 countries trust their
information security needs to SafeNet.

Contact Us: For all office locations and contact information, please visit www.safenet-inc.com
Follow Us: www.safenet-inc.com/connected
©2010 SafeNet, Inc. All rights reserved. SafeNet and SafeNet logo are registered trademarks of SafeNet.
All other product names are trademarks of their respective owners. WP (A4)-09.07.10

SMS Authentication: 10 Things to Know—Before You Buy White Paper 4

Contact Us: For all office locations and contact information, please visit www.safenet-inc.com
Follow Us: www.safenet-inc.com/connected
©2010 SafeNet, Inc. All rights reserved. SafeNet and SafeNet logo are registered trademarks of SafeNet.
All other product names are trademarks of their respective owners. WP (A4)-09.07.10

SMS Authentication: 10 Things to Know—Before You Buy White Paper 5