Microsoft buys authentication firm PhoneFactor

PhoneFactor was founded in 2001 by Tim Sutton and Steve Dispensa, both ex-Sprint people. It sells a range of phone-based multi-factor or out-of-band authentication products. The purpose is to make access require more than just a username and password. Usernames are usually an email address, passwords are usually re-used across multiple accounts, and millions upon millions of passwords are compromised by hackers every month, so the traditional method of access is simply no longer enough.

PhoneFactor’s solution is to allow a server to send an additional one-time code to the user’s mobile phone at the time of access. User authentication thus becomes multi-factor: username and password (which could have been compromised) plus a one-time code delivered out-of-band by phone (that is, not via the same channel as the browser/website log-on process, and one that cannot have been compromised). Access becomes many times more secure.

“In my experience,” PandaLabs’ technical director Luis Corrons told Infosecurity, “it is much more effective to use multiple devices to authenticate. It is true that there is no bullet-proof system, but still it is much more complicated for cybercriminals to compromise both devices. Look at the finance industry,” he added; “most of them are using multiple factor authentication with a second device.”

“Microsoft’s acquisition of PhoneFactor is a clear signal that mobile-based multi-factor authentication (MFA) is the way forward for strong authentication that is both convenient and scalable,” Alan Goode, founder and MD of mobile security specialists Goode Intelligence, told Infosecurity. “Passwords are not good enough to secure our digital identities. Microsoft knows this and this is a major reason for why they have acquired PhoneFactor.”

Companies like PhoneFactor and UK-based SecurEnvoy have both been at the vanguard of basing MFA solutions around the mobile phone, he added. “Mobile phone MFA enables users to benefit from the flexibility of using a device they already own to greatly improve the security of the services that they are accessing. Microsoft is joining other technology vendors and cloud-based service providers, such as Google, in embracing this technology. This acquisition will help propel mobile MFA into mainstream use.”

Announcing the new acquisition, Bharat Shah, corporate vice president of Microsoft’s server and tools division, said that for MFA “to be effective it must also be convenient. PhoneFactor is popular because its solutions interoperate well with Active Directory so users don’t have to learn new passwords and IT administrators and application developers can use infrastructure and services they already know.”

Tim Sutton added that phones provide “the ideal platform: easy to use for the masses at scale, yet also capable of supporting enterprise-scale implementation of multi-factor authentication. So, we built authentication solutions that integrated exceptionally well with enterprise platforms like those provided by Microsoft.”

The purchase was made by the server division and not the Windows Phone division. The market is not individual phone users, but corporations that need remote log-on to their servers, whether that’s internet access to an e-commerce site, or remote staff access to the company’s network. The phone is merely the channel that provides additional security to that access.
