Swivel can use Short Messaging Service (SMS) Text message to send users a One Time Code (OTC) for authentication, using the mobile phone as a device for two factor authentication. Swivel supports the following:
- SMS sent in Advance
- SMS sent on Demand
As an alternative to SMS text messaging see [[Mobile Phone Client]]. For alternative authentication see [[Authentication Methods]].
SMS sent in Advance¶
When the user account is created the user is sent their first One Time Code. This helps to overcome network delivery issues as the user has an OTC on their mobile phone ready for authentication. If a user passes or fails an authentication, then they are sent their next OTC. If the message is deleted, the user can request a new text message.
This method also allows multiple OTC’s to be sent in a single text message, see [[Mobile Security String Index]]
SMS sent on Demand or Request¶
When the user is making an authentication the user requests an SMS text message to be sent to them. The user then has a limited time to login using the OTC within the Text Message. This is [[On Demand Authentication]] and the length of time that the SMS is valid for is configurable, with a default of two minutes. The text message is usually requested by the following methods:
- Button on the login page
- [[Challenge and Response How to Guide | Challenge and response]], where user enters a username and Password
- [[Taskbar How to Guide | Taskbar utility]]
Some SMS gateways support the use of Flash SMS, which appears on the screen immediately upon arrival and unless it is saved, it is deleted. Flash SMS is usually used for On Demand authentication.
Integrating with SMS¶
Integrating the login¶
Integration of login portals is usually straight forward with SMS, although if TURing and Pinpad images are used, then these should not be automatically generated as a login will be expected using those methods. When using Challenge and response with RADIUS, then no changes to the login page may be required.
Sending SMS messages¶
SMS messages are usually sent through an SMS Gateway, although it is possible to use a GSM Modem.
SMS may be vulnerable to the below attacks. To overcome these PINsafe Protocol may be used to protect the OTC.
- SMS Forwarding, particularly on Smart Phones
- Physical theft of the phone
- SIM cloning
- SMS eavesdropping
- Shoulder surfing