Some vendors have announced systems that deliver one-time passcodes to mobile phones via the Short Messaging System (SMS). SMS is a store-and-forward messaging system for cell phones. It was clearly not designed with security in mind. There are a number of free SMS spoofing software packages available, including one that runs on a Palm. Since it is trivial to spoof a website and trivial to spoof SMS, it follows that an SMS-based authentication system would be very vulnerable to a man-in-the-middle attack. WiKID Systems uses certificate chaining to thwart a man-in-the-middle attack. All WiKID communications are asymmetrically encrypted to ensure that a valid client talks only to a valid server.
The vendors of these systems recognize the lack of security. That is why their mobile offerings don't integrate with their token server infrastructure. They don't even support RADIUS. WiKID evaluated the idea of using SMS but discarded it due to a lack of security.
What happens when a user is out of network? With SMS, the message sits on a server until the user's phone is back in coverage. WiKID has developed a challenge-response mechanism that relies on our strong encryption to ensure security.
Even if a device is in the network, what is the reliability of the SMS network? According to a recent study by Keynote Systems, an average of 94.7% of SMS messages arrive at their destination, in an average of 11.8 seconds. So, on average, if you have 100,000 users you will lose 5,300 passcodes. Additionally, on one network the highest loss was 9.9%, or 9,900 lost passcodes, and the slowest delivery time was 24.6 seconds.