SECURITY VENDOR Signify has developed a way to turn Android phones into two-factor authentication devices that can be used as an alternative to traditional passwords.
The method combines secure token-based authentication for frequent users with tokenless Passcode On Demand, which sends one-time passcodes by email or SMS when requested. Users can choose whether they want token-based or tokenless security.
The service is hosted on Signify's cloud servers, so users don't need to install anything to avail themselves of it. All they need is their Android smartphone.
Two-factor authentication works by requiring users to have two elements to identify them as the appropriate person to access an account, compared to the traditional one-factor method of simply entering a password.
Signify employs a smartphone app that generates a one-time passcode after a user enters their PIN. This passcode is then entered on their computer to access an account. A PIN on its own is useless to someone who does not also possess the smartphone, and likewise a stolen phone is useless without the PIN.
This is a particularly important area of security that is used by some banks, which send account holders a device that requires them to enter their ATM card number to get a unique code for use in online banking. This goes a long way towards fending off hackers, who might be able to get access to passwords or PINs but need to physically have the authentication device to get anywhere with them.
The ability to use your smartphone for this, instead of buying separate security devices, means that two-factor authentication could become a lot more common, particularly with the recent spate of hacking attacks on various web sites and networks across the world.
It could also mean that smartphones might be seen as a lot more valuable by criminals, who might try to sell stolen ones that feature Signify's app on the black market.
However, access can be remotely revoked, such as when someone is sacked from a company that uses the technology, so this could potentially be used for stolen phones. The thieves would also need to discover the PIN, so the difficulty involved makes it unlikely that most will go to the trouble.
The move is the latest in Signify's Software Token service, which already allows devices running Research In Motion's BlackBerry or Apple's iOS operating systems to be used for two-factor authentication.
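The PIN-plus-phone scheme and the remote revocation described above can be sketched as follows. This is an added example, not Signify's code: the article does not say which algorithm the app uses, so standard HOTP (RFC 4226) stands in for it, and the `Phone` and `Server` classes, the `token_key` derivation and all secrets and PINs are constructed assumptions.

```python
import hashlib, hmac, struct

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def token_key(device_secret: bytes, pin: str) -> bytes:
    """Assumed design: the PIN is stretched with the secret held on the phone,
    so neither the PIN nor the phone alone yields the HOTP key."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), device_secret, 100_000)

class Phone:
    def __init__(self, device_secret: bytes):
        self.secret, self.counter = device_secret, 0

    def passcode(self, pin: str) -> str:
        code = hotp(token_key(self.secret, pin), self.counter)
        self.counter += 1          # every passcode is used at most once
        return code

class Server:
    def __init__(self, window: int = 3):
        self.tokens, self.window = {}, window

    def enroll(self, user: str, device_secret: bytes, pin: str) -> None:
        self.tokens[user] = {"key": token_key(device_secret, pin),
                             "counter": 0, "revoked": False}

    def revoke(self, user: str) -> None:
        self.tokens[user]["revoked"] = True   # e.g. phone stolen, staff departure

    def verify(self, user: str, code: str) -> bool:
        tok = self.tokens.get(user)
        if tok is None or tok["revoked"]:
            return False
        # Look-ahead window tolerates codes generated but never submitted.
        for c in range(tok["counter"], tok["counter"] + self.window):
            if hmac.compare_digest(hotp(tok["key"], c), code):
                tok["counter"] = c + 1        # burn this and all earlier codes
                return True
        return False
```

A production verifier would also rate-limit failed attempts per user, since a six-digit code with a look-ahead window can otherwise be guessed online.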
Blizzard has been doing this for a while with its mobile authenticator for access to its battle.net games such as World of Warcraft.
But you can't count on that, can you?