Two-factor authentication (2FA) is the only way forward for security-savvy businesses, as standard username and password combinations are now dangerously insecure. Computing Security reviews the new SecurEnvoy Version 8. SecurAccess impressed us with its superb range of 2FA features, which will undoubtedly appeal to the next generation of smartphone users.
As a long-term player in this market, SecurEnvoy has pioneered tokenless 2FA, as its SecurAccess solution uses personal devices for passcode delivery, instead of easily lost hardware tokens.
SecurAccess 8 has a clear focus on the latest mobile devices, including iPhones, iPads and those running Android or Windows. The new Oneswipe Push feature simplifies authentication, as users merely enter their ID, plus PIN, and press the Accept button on their mobile’s notification screen. Even better, it extends Oneswipe Push to the latest wearables. Users with an Apple Watch, for example, can simply press the Accept button in the SecurAccess notification display on their watch face.
Soft tokens are supported on all smartphones and SecurEnvoy has an app for that. Unlike other 2FA vendors’ apps, SecurEnvoy provides extra security by using split keys to prevent soft tokens being copied.
These use unique characteristics of the user’s device, such as its CPU serial number, and combine them with a second part received from the server during enrolment. This blocks attacks from malware attempting to access the phone’s encrypted container used to store soft tokens.
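The split-key idea described above can be sketched as follows. This is an added illustration, not SecurEnvoy's code or algorithm: the HMAC-based key derivation, the container layout and all names and sample values are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

def _prf(key: bytes, label: bytes, data: bytes = b"") -> bytes:
    # HMAC-SHA256 used as a keyed PRF with a domain-separation label.
    return hmac.new(key, label + b"|" + data, hashlib.sha256).digest()

def derive_container_key(device_part: bytes, server_part: bytes) -> bytes:
    """Combine both halves at run time; the result is never written to storage."""
    return _prf(server_part, b"split-key", device_part)

def seal_seed(seed: bytes, key: bytes) -> bytes:
    """Encrypt-then-MAC the token seed (single keystream block, illustration only)."""
    if len(seed) > 32:
        raise ValueError("one-block construction: seed must be <= 32 bytes")
    nonce = secrets.token_bytes(16)
    ct = bytes(s ^ k for s, k in zip(seed, _prf(key, b"enc", nonce)))
    return nonce + ct + _prf(key, b"mac", nonce + ct)

def open_seed(blob: bytes, key: bytes) -> bytes:
    """Recover the seed, refusing a container sealed under another device's key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(key, b"mac", nonce + ct)):
        raise PermissionError("container was sealed for a different device")
    return bytes(c ^ k for c, k in zip(ct, _prf(key, b"enc", nonce)))

def demo():
    # Constructed sample values, not real identifiers.
    server_part = secrets.token_bytes(32)   # half delivered at enrolment
    seed = secrets.token_bytes(20)          # soft-token secret
    enrolled, other = b"CPU-SERIAL-0001", b"CPU-SERIAL-9999"
    blob = seal_seed(seed, derive_container_key(enrolled, server_part))
    same_device = open_seed(blob, derive_container_key(enrolled, server_part)) == seed
    try:
        # Container copied to another device: the hardware half differs.
        open_seed(blob, derive_container_key(other, server_part))
        copied_opens = True
    except PermissionError:
        copied_opens = False
    return same_device, copied_opens

if __name__ == "__main__":
    print(demo())
```

Because the device half is read from the hardware each time rather than stored, copying the container, even together with the server half, does not yield the seed on a different device.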
SecurEnvoy’s patented preload is another standout feature, which tackles SMS network queue delays by sending users their first passcode as soon as they have registered. When they authenticate, it sends the next one ready for use and each SMS text overwrites the previous one to keep inboxes more manageable.
We found SecurAccess easy to install on a Windows Server 2012 R2 system where we used its intuitive web console to enter our Windows Server AD domain controller, an administrative account and the address of an LDAP server. You can add multiple LDAP domains during this phase and there are no limits on the number supported.
User deployment has been streamlined and is now fully automated. From the administrative interface, we defined the deployment method, assigned it to an existing LDAP group and left it to do the rest.
After a quick test to make sure it was all working, we could search Active Directory for users, enable them and send a one-time code via SMS to the mobile number listed. Deployments to large user bases are handled efficiently and SecurEnvoy advised us that enrolment rates can be as high as 100,000 users per hour.
Oneswipe Push can also be combined with notification services, such as those from Apple and Google. When a user enters their credentials, the SecurAccess server asks the relevant service to push a notification message to them, where they simply press the accept or deny soft button to gain authenticated access.
SecurEnvoy differentiates itself from the competition, as it does not require the user to select whether they are online and want a push notification or are offline and want to manually enter a passcode. Instead, SecurAccess handles both of these scenarios concurrently with the same login process.
It achieves this by first sending the push notification and waiting a predetermined amount of time for the user to respond. If SecurAccess doesn’t receive this response, it then sends a prompt, allowing the end user to manually enter their six-digit passcode, thus combining both online push and offline manual entry in one simple login session.
SecurAccess impressed us with its superb range of 2FA features, which will undoubtedly appeal to the next generation of smartphone users. It’s very easy to use, the offline concurrent recovery feature is unique and its pricing structure makes it more affordable than most of the competition.