Thursday, August 16, 2018
Two-factor authentication via SMS increases the security of each login. Unlike conventional systems, no additional devices, scratch lists or cards are required. The two-factor authentication makes possible a highly secure and tamper-free identification.
Imagine an online access that has to be specially well protected: for example, the Payment Portal of a bank. Ideally, one uses a password and user name as "low-level" identification. This represents the first level of security The second step is often carried out by a scratch list or even a number generator in form of a small device.
ASPSMS can be used for the second level: The customer receives a mobile transaction number (mTAN, OTP, Token, etc.) sent to his mobile phone by the payment portal. If the SMS-code is entered correctly when logging in, the person is identified as the authorized user. No additional equipment, cratch lists or cards are needed.
Use ASPSMS as SMS Provider for existing Systems
If ASPSMS is only used to send the SMS-code (OTP, mTAN, token, etc.), the program logic for generating, temporary storage and final verification is completely on the side of the system to be protected. This approach is unproblematic and is used by many ASPSMS clients. In particular, if a two-factor logic already exists on the side of the system to be protected.
ASPSMS can be used via SOAP web service very easily for Microsoft ASP.NET Identity projecets.
More security through the use of ASPTOKEN
When using ASPTOKEN, parts of the necessary application logic are outsourced to ASPSMS. The crucial security advantage is, that any system manipulations for unauthorized intrusion are much more difficult because the SMS-codes are not stored anywhere within the system to be protected.
When usinig ASPTOKEN, the SMS-codes are instead generated by ASPSMS, stored at ASPSMS and finally verified by ASPSMS. ASPSMS again has no knowledge of the security procedures on the side of the protected system.
This kind of "partitioning" makes sense in terms of security in any case, since the confidential information is no longer stored in a single location. Instead, only individual, relatively uncritical parts are available at each involved system.