Passcode Delivery Options
Bomgar Verify provides a self-management interface known as "Manage My Token". This web portal allows users not only to enrol themselves initially, but also to manage the life cycle of their device thereafter. For instance, when upgrading a soft token from one phone type to another, the user simply visits the Manage My Token portal and re-provisions their new phone, which automatically replaces the previous one.
Consideration should be given as to whether this web portal is published directly on the internet or allowed for internal use only. Bomgar Verify recommends that it is published externally: the portal is protected with two-factor authentication, and allowing users to manage their own devices leads to significantly fewer support calls.
The user's mobile phone can receive a one-time passcode (OTP) via SMS or voice call, or the passcode can be generated on the phone with the Bomgar Verify Soft Token. Furthermore, Bomgar’s patented approach provides a far greater range of tokenless types: the passcode sent via SMS can be delivered in real time, pre-loaded as a single OTP, pre-loaded with three OTPs, or sent as a reusable Daycode.
In addition, Bomgar Verify has the ability to support VOICE tokens by placing a voice call directly to a physical land line or DDI extension. The user first enters their PIN or passcode, after which a six-digit passcode is displayed on screen. At the same time a phone call is automatically made. The user answers the phone and enters this passcode on the phone’s keypad. This is recommended for users who only have access to a land line, do not have a smart phone, or cannot receive SMS reliably. It allows the user to keep working even when they are not in an area of good GSM coverage at the moment they require their passcode.
Bomgar Verify Soft Tokens for your phone or desktop can be used to generate one-time passcodes (OTPs) for two-factor authentication that can be checked by your company's Bomgar Verify server or by Google’s cloud login. Quick Response (QR) codes are an excellent way to display the bar code matrix that carries the “seed record” for the end user's Soft Token. The user only has to scan the QR code with their phone's camera, giving a fully automatic enrollment process for the Bomgar Verify Soft Token.
The eighth version of SecurAccess takes our industry-leading mobile two-factor authentication platform and adds even easier authentication with soft token Push-based notifications. It supports ‘push’ notification within the app, including push on ‘Wearables’ and on all phones and tablets.
Bomgar Verify One Swipe provides a simple user experience, easier than a password with the added strength of 2FA. Bomgar Verify extends its phone app to provide One Swipe single sign on, via a One Time QR code.
Soft Tokens are available for all major smart phone platforms, as well as a P.C. and Mac OS soft token.
Understanding the various methods that Bomgar Verify supports for delivering and managing passcodes.
Email delivery is not user selectable, as Bomgar Verify recommends that this method of passcode delivery is configured by Administrators who understand the implications of email. SMTP is not an encrypted protocol, so Administrators must be the ones to make decisions regarding email delivery; for example, a Blackberry system with end-to-end secure email delivery may be in place.
With the advent of smart phones, Bomgar Verify supports all leading brands and provides an elegant solution to provision a phone Soft Token. Users taking this approach do not require any GSM or data connection, as the OTP is generated directly on the smart phone.
SMS Delivery is Delayed
Although most SMS text messages are transmitted in seconds, it’s common to find them delayed when networks become congested. SMS traffic is not sent point to point: it is ‘queued’, then sent on to the required network cell, where it is queued again and finally sent to the end user's phone. This queuing gives rise to delays at peak operator periods.
Vodafone’s own sales literature claims that 96% of all SMS messages are delivered within 20 seconds. This means that 4% of users trying to authenticate will fail and will need to raise a help desk call to gain emergency access. Thus for a deployment of 5000 users authenticating each day, 200 help desk calls would be raised per day!
Signal Dead Spots
Mobile phone signals are not always available, particularly in buildings with thick outer walls, in underground basements, or in computer rooms that give off high RF noise. Consider a user trying to authenticate in one of these locations. They would first enter their UserID and PIN and would then fail to receive their authentication code. They would next need to move to a location that has a signal, receive their authentication code, then move back to the original location to enter their passcode, all within a timeout period of 2 minutes! Users in these locations would have no alternative but to raise help desk calls to gain emergency access.
Mobile Phone is Used to Connect to the Internet
In most cases, when a mobile phone has a data connection open it can’t receive SMS messages. Users utilizing their mobile phone as a way of connecting to the Internet would not receive their passcode until they hang up the data connection. End-users would need to start authenticating with their UserID and PIN, hang up the connection, wait for the SMS message, reconnect, and re-enter their UserID, PIN and Passcode, all within 2 minutes.
Why Pre Load Passcodes
The key strategy for successful use of SMS for delivering passcodes is resolving intermittent network coverage and SMS delivery delays. SecurAccess is fundamentally designed to resolve these issues by utilising:
- Pre-loaded one time passcodes (each authentication attempt sends the next required passcode)
- Three pre-loaded one time passcodes with each message (3 authentications before requiring the next message)
- Reusable session passcodes that change each day or multiple days
- Optional self-help web interface to allow users to request temporary passcodes
- Passcodes can be sent via email
Real Time SMS Delivery
There are times when a Pre Load SMS passcode is not acceptable for certain deployments; these tend to be ecommerce type environments where a user logs on infrequently to the network or web resource.
In these scenarios Bomgar Verify has the ability to offer a “Real Time passcode” delivery option. The user typically logs onto a resource with their UserID and password; at this point an SMS passcode is sent to their registered mobile phone. The SMS passcode can be given a time to live in minutes to provide additional security around the logon.
- Real Time Delivery can be enabled upon a per user basis
- Passcode "time to live" is configurable from 1-99 minutes
- Works with existing Bomgar Verify IIS web agent and Radius clients that support "Challenge-Response"
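The two SMS strategies above (pre-loaded passcodes, where the next message is dispatched as soon as the held codes are used up, and real-time delivery with a 1-99 minute time to live) can be modelled in a few lines. This is an added example, not Bomgar Verify code; the class name, the `sms_log` stand-in for the SMS gateway and the single-use rules are assumptions made here.

```python
import secrets

def new_passcode():
    return f"{secrets.randbelow(1_000_000):06d}"   # six-digit numeric OTP

class SmsPasscodeUser:
    def __init__(self, mode="preload", preload_count=1, ttl_minutes=5):
        self.mode = mode                              # "preload" or "realtime"
        self.preload_count = preload_count            # 1 or 3 codes per SMS
        self.ttl = max(1, min(99, ttl_minutes)) * 60  # page: 1-99 minutes
        self.queue = []                               # pre-loaded, unused codes
        self.pending = None                           # (code, expires_at)
        self.sms_log = []                             # constructed SMS gateway stand-in

    def _top_up(self):
        # Pre-load: the next message goes out as soon as the held codes are used up,
        # so the user already holds a valid code before the next login.
        codes = [new_passcode() for _ in range(self.preload_count)]
        self.queue.extend(codes)
        self.sms_log.append(codes)

    def enroll(self):
        if self.mode == "preload":
            self._top_up()

    def begin_login(self, now):
        # Real time: the code exists only from the moment UserID/password is presented.
        if self.mode == "realtime":
            code = new_passcode()
            self.pending = (code, now + self.ttl)
            self.sms_log.append([code])

    def verify(self, code, now):
        if self.mode == "preload":
            if not self.queue or not secrets.compare_digest(code, self.queue[0]):
                return False
            self.queue.pop(0)                         # every code is single use
            if not self.queue:
                self._top_up()
            return True
        if self.pending is None:
            return False
        expected, expires_at = self.pending
        if now > expires_at:
            self.pending = None                       # expired: user must log in again
            return False
        if not secrets.compare_digest(code, expected):
            return False
        self.pending = None                           # consumed on success
        return True
```

With `preload_count=3` the fourth message is only sent after the third successful authentication, which is the "3 authentications before requiring the next message" behaviour described above.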
Bomgar Verify’s approach to soft tokens is based on zero management time for the IT or admin staff as the end-user downloads and provisions the apps themselves without any interaction with the corporate helpdesk or IT staff. Multiple token seeds can be stored in each soft token.
More flexibility for the User
The latest Bomgar Verify server V6 allows users a far greater choice of security: either tokenless SMS two-factor authentication or a soft token downloaded as an app such as this. Available free of charge to current customers from either Bomgar Verify or Google Authentication, soft tokens are suitable for most types of mobile devices, i.e. iPhones, iPads, Blackberrys and Android phones, as well as Mac and Windows operating systems including Vista and Windows 7.
A Simple Process
For the organisation there is nothing they need to do. It is all down to personal preference of the end-user to choose whether they want their two factor authentication passcode sent via SMS or via their app.
The user simply:
- Visits the app store - either Bomgar Verify or Google, and downloads the app
- Logs into the Bomgar Verify enrolment page - cleverly they can authenticate themselves with their current username and passcode
- A barcode appears on the screen which the user scans with the camera button on their phone
- Within 60 seconds the user can be authenticated and start using their phone as a soft token.
- In the case of the P.C. Soft Token, the user only has to authenticate with the built in interface from the client. The SEED is automatically deployed with no user intervention. (Please see P.C. Token manual for more information)
[Figure: Mobile Phone "Soft Token" and P.C. "Soft Token"]
iOS Soft Tokens - Push Notifications
The latest Bomgar Verify iOS soft token application ships with Push Notification functionality. When a user authenticates with Bomgar Verify 2FA, a push notification message is sent to the notification center or status bar of the user's iPhone. The user can simply choose to accept or deny the authentication request from within their soft token application.
Push can be disabled for an individual authentication attempt using the -nopush switch.
-nopush: this disables push and its associated delay. For example:
Userid = qa1
Password = Password123-nopush
- This should disable push and reply with a passcode prompt without a delay
Soft Tokens - Near Field Communication
The current Soft Token One Swipe method works as follows: the user generates, in the soft token app for smartphones, a one-time QR code that contains important login and user information and then simply holds this code in front of a webcam on a laptop or tablet in order to prove his/her identity and thus gain access to the network. Near Field Communication technology provides the user with the option to transmit via NFC chip instead of scanning this QR code.
Bomgar Verify’s approach to VOICE tokens is based on complete "ease of use" for the end user. Unlike other industry methods, where the user has to remember the passcode content of a prerecorded voice message and then enter it into the logon screen, Bomgar Verify locks the Internet session and the phone session together while providing a seamless logon experience: the user doesn’t have to remember the passcode, but only has to read it from the logon screen and enter it on the phone's keypad.
This simple logon scenario can be accomplished via Web and also VPN type connections. The user accesses the point of logon and enters their UserID and PIN (typically a domain password); they are then presented with the logon challenge. The user receives a real-time voice call, at which point they input the displayed passcode (OTP) via the phone's keypad. Once complete, the voice call automatically hangs up and the user selects the "Login" button to complete the process.
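The session lock described above can be sketched as a small server that binds each web logon session to the one call placed for it, so digits keyed on the phone only ever count for that session. This is an added illustration, not Bomgar Verify's implementation; the class name, the `calls` stand-in for the telephony side, the 60-second call window and the one-attempt-per-call rule are assumptions made here.

```python
import secrets

def new_passcode():
    return f"{secrets.randbelow(1_000_000):06d}"   # six-digit OTP shown on the logon screen

class VoiceTokenServer:
    """Locks each web logon session to the one phone call placed for it."""
    def __init__(self, call_ttl=60):
        self.call_ttl = call_ttl   # seconds the keypad entry is accepted (assumed value)
        self.sessions = {}         # session_id -> challenge state
        self.calls = {}            # call_id -> session_id (stand-in for the telephony side)

    def challenge(self, session_id, user, now):
        # Runs after UserID + PIN succeed: display the OTP and place the call.
        code = new_passcode()
        call_id = secrets.token_hex(8)
        self.sessions[session_id] = {"user": user, "code": code, "call_id": call_id,
                                     "expires_at": now + self.call_ttl, "confirmed": False}
        self.calls[call_id] = session_id
        return code   # shown on screen only; the call itself carries no secret

    def keypad_input(self, call_id, digits, now):
        # Digits keyed on the phone count only for the session this call was placed for.
        session_id = self.calls.pop(call_id, None)   # assumption: one attempt per call
        if session_id is None:
            return False
        s = self.sessions[session_id]
        if now > s["expires_at"] or not secrets.compare_digest(digits, s["code"]):
            return False
        s["confirmed"] = True
        return True

    def login(self, session_id, now):
        # The "Login" button succeeds only for the web session the phone confirmed.
        s = self.sessions.get(session_id)
        if not (s and s["confirmed"] and now <= s["expires_at"]):
            return False
        del self.sessions[session_id]   # challenge is single use
        return True
```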