The ”new” 2-factor authentication product SMSPasscode

Yesterday I had my first-hand experience with a product I have heard a lot about but never seen. The product is called SMSPasscode and is a direct competitor to products like Safeword and RSA. SMSPasscode provides 2-factor authentication, but moves the ‘object you have to have’ inside one of our most common items, the cell phone. I have to be honest I was very skeptical but after my experience with SMSPasscode I do believe many customers would benefit from a solution like this.

Product outlineThe product consists of an engine, transmitters and modems. The engine tags the usernames to the predefined cell phone number for the user, and the transmitters and modems sends out the SMS-Text message.

The logon process with Citrix WI and AG

You connect to your Citrix Access Gateway as we all know it. There is no changes made to the Access Gateway as it is done in this example I setup "Forwarding of credentials" from the Access Gateway to the Citrix Web interface.
So I log in on my Access Gateway logon-point.

As I type in my username and password and hit ‘Login’ I am transferred to the Web interface-server and my username and password is forwarded from the Access Gateway. I am now prompted for a new pass code. This pass code is not in my possession but as soon as the SMSPasscode service detected my logon an SMS with my pass code was dispatched and arrives within a few seconds as a Flash-SMS on my cell phone. Whether you want a Flash-SMS or not is optional and can be configured from the web administration console.

As my cell phone lights up I type in the pass code and is forwarded to my accessible Citrix Applications.

The product seems very reliable, and easy to administrate when put into production and the great thing is that this product can coexist with Safeword or RSA and you are able to provide differentiated methods for 2-factor authentication, maybe you have external partners and want them to only log on once or twice, this is easily done with SMSPasscode as you can simply add a user and join it with a phone number in the administration interface and the user is able to log on, without having to dispatch a physical token to the partner or customer.

SMSPasscode is running on its third year and the product has matured nicely. Within a few months a new release will be out a version 2.0, to mention a few of the new features:
- Radius Server
- ISAPI
- LDAP

The new features will be welcomed and in particular I am looking forward to the radius option to see how well the integration will be directly on the Citrix Access Gateways. But all this will come hopefully within a month, and I will be sure to write a post about the version 2.0 release as soon as I get my hands on it.

Where do I see SMSPasscode integration in the near future

My personal belief is that this technology could actually mean the beginning of something great as I can imagine public institutions using this technology to provide 2-factor authentication when we are doing our taxes online, shopping for pizza or even when trusted users log in to the most confidential parts of our ERP, CRM or what have we. The technology is suddenly opening the door as we can now remove the logistics tied in with delivering a physical token to customers, partners or employees.

My impression so far

As it has might shown through this post I am very excited about this new product and the possibilities. The features to support a Citrix Access infrastructure is in place and works very well and the next exciting step for me will be when we get the extended integration in form of ISAPI, LDAP and Radius.

I will deliver an update on SMSPasscode as soon I have had a chance to work more with the version 2.0. If you want more information you are welcome to contact me or take a look around www.smspasscode.dk they have a good site with lots of good information, screenshots and testimonials from their many large Danish customers.

/Rene Vester