Average time to read: 5 minutes

I have always been a fan of two-factor authentication, or 2FA for short. Almost all companies and customers I have worked for and with used it in some shape or form. Especially SMS based 2FA — from an administrative perspective it is easy to set up, configure and maintain (if it isn't, you might want to consider switching vendors) and next to that it is also extremely user friendly and secure, when properly implemented that is. And of course, there is no need for any additional (expensive) third party tokens.

According to Dennis Smith — owner and founder of SMSPassword, and I quote:

Everything can be hacked, including your cell-phone. SMS messages can be intercepted and your phone could be stolen, however, the fact remains that ‘they’ will have to hack or compromise two separate networks — that of your phone / SMS provider and your company's / customer's domain. They will need to have your (domain) password (which changes every three weeks, right?) and your so-called one-time password (which will have a limited TTL) both at the same time.

I would agree, SMS based 2FA isn't going anywhere any time soon. Do we perhaps need a smarter, cheaper, more secure and flexible approach? Yes, and this is exactly where SMSPassword steps in.

How is SMSPassword different?

First of all, it integrates seamlessly within your existing infrastructure. It will leverage Active Directory without the need for any Schema changes or additional user attributes etc. This also means that there is no need for a separate database, Active Directory will take care of that. And since AD is redundant by nature (a distributed model) you have HA taken care of as well — that’s your database covered, no extra machines and/or licenses needed.

  • SMSPassword is deployed 100% on-site / on-premises, meaning that you as a company, or as the Administrator, will have full control — which is important to a lot of customers.
  • The installation comes as a portable .exe file, only a few MBs in size. It is extremely lightweight and as such can be easily installed / integrated with your existing Citrix StoreFront servers, for example. Also, you won't have to install and configure any additional Windows roles whatsoever, further smoothing the process.
  • Furthermore, it is officially supported by all major vendors out there, basically every third party RADIUS client / load balancer you can think of: Citrix NetScaler, Palo Alto Networks, F5, Juniper Networks, Barracuda Networks, Check Point, Cisco, VMware, SharePoint and more.
  • Since it is SMS based two factor we are talking about, it will work flawlessly with every phone out there, and it doesn't have to be a smartphone, as long as it supports SMS you're fine. You don't need an App, period. No third party (expensive) tokens to keep an eye on, just use what you already have — your own phone.
  • Better yet, even if you have no GPS signal / coverage SMSPassword will have your back. They have developed so-called time-based tokens that work in conjunction with a downloadable App, currently available for iOS and Android (smart) phones. But I can already tell you that a Windows Phone app is on the roadmap, to be announced and released shortly.
  • Also, you are free to choose and use your own SMS data plans, SMSPassword will work with any of them, again, very flexible. Do you want to use an external SMS service? Go right ahead. Next to that they have developed their own secure and modernized, custom-made SMS dispatchers, no serial cables etc.

From an infrastructural point of view

While you can set up SMSPassword in a single setup, see the image below, it has been designed with redundancy in mind (think back to the AD example earlier, for example). You can scale up to as many SMSPassword servers and SMS dispatch modems as needed, the load balancer in front of it will take care of the rest.

Single node setup

[Image: SMSPassword technical design, single node setup]

Redundant setup

[Image: SMSPassword technical design, redundant setup]

According to SMSPassword:

The redundant setup works the same as the minimal setup, however, to guarantee uptime some changes are made. First of all, in this setup we use more than one server as a SMSPassword server. In this example we use two SMSPassword servers, but in theory this can be any number. Three, four, as many as you need. In the load balancing device, a virtual server is created. In our example we use a NetScaler as load balancer, but other load balancers are also supported. In the load balancer you also configure a monitor, to see if the nodes are working and responding properly. The load balancer will send a heart-beat check to every node. If, for example, the network to one of the nodes is down, or if the SMSPassword service is stopped, or if the server is being rebooted, the node will not respond to the heart-beat. The load balancer will skip this node, and will resume normal operation using any of the other available nodes. As soon as the ‘failed’ node becomes available, the load balancer will start using that node again. The manual(s) of SMSPassword contain detailed descriptions on how to configure a load balanced setup.

And of course redundant also means an additional SMS dispatcher, see below.

[Image: SMSPassword technical design, redundant setup in detail]

Licensing and pricing

Have a look at their pricing schedule, you will be amazed by how much less it will cost you when compared to some of their direct competitors.

From their website: “SMSPassword offers a risk free implementation track; In order to make sure SMSPassword works in your environment, please request a trial. You can test with two users to see if and how it works in your environment. We recommend everybody to do this before purchasing, to make sure everything works in harmony with your environment. Load balancing, complex scenarios, they are all testable with the trial version.”

As far as licenses go, you will receive life-time licenses, which will be part of a flexible license pool. Meaning that if user A leaves the company, and a new employee will take his or her place, then he or she will be able to take over the SMSPassword license of user A.

To conclude

If there is anything else you would like to know, please make sure to contact SMSPassword directly through their website, they will be more than happy to answer any questions you might have or to assist you in any other way or form.

Bas van Kaam
Field CTO EMEA by day, author by night @ Nerdio
One response to “Two factor (SMS) authentication — done right with SMSPassword!”
