
Date 12.10.2009 Page 1
Title: SMS 2-factor authentication with One Time Code (OTC)
Harald Wiik Stene on 05.10 at 08:44
Category: How tos
Sub Category: Swivel secure
Priority: High Normal Low
Access: Canada IT
Chile IT
Norway IT
UK IT
Cermaq IT
ISC
IT Management Team
Public
Additional readers:
Last update: Harald Wiik Stene/HQ/Cermaq / 05.10.2009
Information:
SMS 2-factor authentication with One Time Code (OTC)
The 2-factor authentication is used to get access to the Cermaq network when connected
from outside the office.
This is a substitute for the VPN connection that we have today.
This solution does not use certificates and is more flexible with regard to which computer is used.
This solution doesn't require any special configuration of the network.
Users of this solution must have a mobile phone number registered in the Cermaq
Address book and an account in AD (a normal user account in the Cermaq network).
For external users, IT has to add the mobile number when adding the user.
A PIN will be sent to all users who are enabled for this service.
Introduction to the PINsafe application:
PINsafe provides a number of interfaces that can be used to communicate with the OTC.
The interface provides the user with a mechanism for translating their PIN into an OTC,
which is then communicated to the PINsafe server with their username and password.
In the Dual Channel environment the security string is sent to a mobile device as an SMS
message. The OTC is visually extracted. Throughout the process the security string and OTC
are never transmitted over the same network and the security strings are only sent to
pre-registered devices.
The Mobile 2 Factor (M2F) applications connected to the PINsafe server are the Swivlet and
the SMS application.
The SMS application works on all GSM phones and is a fast, simple way to reach the highest
level of security with the lowest effort for the end-user.
PIN code :
All users who are enabled for this service will receive a PIN on their mobile phone. It is important that
the user remembers this PIN in order to use this service.
We use a 4-digit PIN for this service.
OTC code :
OTC (One Time Code) is the code used to connect to the network service at Cermaq.
This OTC can be used for authentication, and as soon as it has been used on the server, a new
text message with a new Security String is sent to the user.
How it works ?
After the user is registered with a username and phone number on the PINsafe server, the
user receives a text message with a security string.
With this security string the user can extract the One Time Code (OTC).
Example:
The following example shows how Lisa logs in to a secure site to read her account status.
Preconditions:
- The user "Lisa" is registered on cermaq.com with username "Lisa" and PIN "6239"
- The PINsafe server has sent out the first security string in a text message (SMS)
Authentication procedure:
Lisa uses her web browser to access the Cermaq login page where she is requested to enter
her username, password and One-Time Code.
Action: Lisa enters the username and password and then opens the text message she received
from the PINsafe server.
She retrieves her One Time Code (OTC) digit-by-digit as shown in the picture above. Her
PIN starts with number 6. The sixth entry in the Security String (in the text message) is the
number 5. This becomes the first digit in the OTC. Lisa does the same with the three
remaining digits and the OTC turns out to be 5931.
Lisa enters 5931 on the login page and presses submit.
If the username, password and OTC are correct, the Web browser redirects Lisa to the Cermaq
server.
If the username and password are correct but the OTC is incorrect, a new security code
will be sent to the mobile phone.
Maximum number of Login tries:
There is a limit on the number of allowed login tries. If the limit is reached, the user will get
an SMS with information that the account is locked.
If this happens, it will not be possible to login until the account has been unlocked. The
Administrator of the system can unlock the account.
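The extraction and the server-side check described above, as an added example (not Cermaq's or Swivel's own code). The sample security string is constructed so that PIN 6239 gives the OTC 5931 from the walkthrough; the ten-position string, PIN digit 0 selecting the tenth position, the `Account` class and the limit of three tries are assumptions.

```python
import hmac
import secrets

MAX_TRIES = 3        # assumption: the page does not state the actual limit
STRING_LENGTH = 10   # assumption: ten positions in a security string


def extract_otc(pin: str, security_string: str) -> str:
    """Pick one character of the security string per PIN digit (1-based)."""
    if len(security_string) != STRING_LENGTH or not pin.isdigit():
        raise ValueError("malformed PIN or security string")
    # PIN digit d selects position d; digit 0 is treated as position 10.
    return "".join(security_string[(int(d) - 1) % STRING_LENGTH] for d in pin)


def new_security_string() -> str:
    """Fresh random string, standing in for the next SMS to the user."""
    return "".join(secrets.choice("0123456789") for _ in range(STRING_LENGTH))


class Account:
    """Hypothetical server-side record for one user."""

    def __init__(self, pin: str, security_string: str):
        self.pin = pin
        self.security_string = security_string  # the string last sent by SMS
        self.failed = 0
        self.locked = False

    def verify(self, submitted_otc: str) -> bool:
        if self.locked:
            return False  # only an administrator unlock clears this
        expected = extract_otc(self.pin, self.security_string)
        ok = hmac.compare_digest(expected.encode(), submitted_otc.encode())
        # A security string is single use: after success or failure a new one
        # is issued, so a captured OTC cannot be replayed.
        self.security_string = new_security_string()
        if ok:
            self.failed = 0
        else:
            self.failed += 1
            self.locked = self.failed >= MAX_TRIES
        return ok


if __name__ == "__main__":
    sample = "4932758016"  # constructed; reproduces the walkthrough's OTC
    print(extract_otc("6239", sample))
```

The PIN itself never leaves the user's head or the server: only the security string (by SMS) and the derived OTC (by web form) travel, each on a different channel.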
Troubleshooting:
I have lost my Security String SMS, what do I do to get a new one?
Simply try to authenticate with the Swivel Server with any OTC. The server will notify you
that you were not successful, and immediately send you a new Security String in an SMS. If
you start getting messages with Security Strings, this might mean that someone is trying to
log in with your user credentials. Please contact your support in this case.
Attachment (s):
