Phone Authentication: A Good Call?
In recent years, many companies have added second authentication methods to online transactions. The second factor may involve hardware tokens or cards that produce random access numbers, but one choice—the telephone—is viewed as user-friendly because everyone already has one.
Phone authentication also seems to be getting cheaper and easier to implement. A solution called PhoneFactor was introduced earlier this year by PositiveNetworks, of Overland Park, Kansas. It’s one of the first Web-based phone solutions, which means that customers don’t have to download and configure software. The basic service is free, but medium- and large-sized businesses may want to opt for one or more of the product’s additional fee-based modules.
For Columbus-based OhioHealth, the decision to use PhoneFactor was mainly about convenience. The organization, consisting of 15 hospitals, had supplied thousands of its physicians and nurses with hardware tokens that generated random access codes.
In 2005, state law began requiring that doctors use two factors when writing prescriptions from an off-site computer. Tokens were distributed so that medical workers could write prescriptions remotely online, rather than rushing to the hospital when a patient urgently needed a prescription. But when doctors would get a call or a page about a patient in the middle of the night, “the tokens were nowhere to be found,” says Michael Krouse, chief information officer.
To help address this problem, the organization began rolling out PhoneFactor in November 2007. After an employee receives a call or a page, he or she can remotely sign in to the hospital system with a user name and password. That prompts the system to call the healthcare worker’s phone. The worker answers and presses an assigned number on the keypad to verify that he or she is the designated person.
Sign-up for the system merely required filling in several online forms, says Krouse. Physicians were each asked to provide several pieces of information, including a title, Social Security number, and phone number, which IT staff entered into a database.
The key strength of phone authentication, or of a token, is that it produces “out of band” security. “A hacker would need to also have the doctor’s phone,” says Mark Diodati, a Burton Group senior analyst.
OhioHealth uses several of PhoneFactor’s fee-based add-ons. One increases security (providing options that include the use of a PIN or a pass phrase); another lets the company install the software on multiple servers and synchronize data across numerous locations.
Even with the modules, the solution is still considerably cheaper than the tokens. The latter cost OhioHealth about $300,000 per month for approximately 4,000 deployments. PhoneFactor costs $34,000 a month for 2,500 users.