From: www.itworld.com
August 23, 2006
Listen to the column "Authentication Tokens for BlackBerrys", or visit our Podcast Center to hear more by James Gaskin.
I've talked before about the increasing need for two-factor authentication, such as that offered by CRYPTOCard, in Authentication Security Improvements. Another way to think of this is as a way to generate a One Time Password based on something the user knows (their PIN) and something the user has (a USB keyfob or SmartCard). Read about using certain cell phones with One Time Password software from Diversinet in Authenticating Millions, Part 2.
This newsletter heralds the release of CRYPTOCard's Authentication Token for BlackBerry. Rather than providing authentication for the BlackBerry (another good idea), the new CRYPTOCard software turns your 7000 and 8000 model BlackBerry into the token-generating device. Start the software, provide your PIN, and your BlackBerry provides the One Time Password for authentication to your network or secret bank account.
Remember my security slogan: people don't think about security until they actively hate security. But people love their BlackBerrys, and never put them down. Users may lose their USB keyfobs and SmartCards and laptops with authentication software, but they rarely lose their BlackBerry.
Software tokens save money. Lose a physical token and you need to replace it. CRYPTOCard and others just let you reassign a token and e-mail it to the user's BlackBerry. You can sync to your PC and get the file, but what fun is that? E-mail the software, let the user click one button to install it, and that user now has the token-generating software on their BlackBerry.
Different restrictions apply depending on the vendor. CRYPTOCard supports BlackBerry models in their 7000 and 8000 series with 1MB of available RAM and software version 4.0 or greater. RSA requires less RAM and supports older BlackBerry software, but they only support Windows back-end devices, while CRYPTOCard supports Linux and Macintosh along with Windows.
This gives you one more reason to install serious encryption on your BlackBerry or other "smart" device. If you do lose your BlackBerry, you don't want anyone stumbling across your token-generating application. Worse, if your BlackBerry is stolen for the data (it happens), you certainly don't want someone to access your authentication software. When you put all your eggs in one basket, really watch that basket.