Appendix

SMS OTP Delivery

PortalGuard uses existing SMTP-to-SMS gateways to submit an OTP to a pre-enrolled mobile device. PortalGuard uses the carrier information supplied by the end-user during 2FA enrollment to determine which gateway to use for OTP delivery. The use of these services allows for rapid 2FA deployment with a much lower Total Cost of Ownership (TCO).

Voice OTP Delivery

PortalGuard delivers Voice OTPs through one of two distinct methods: a Hosted Text-to-Speech service, or by leveraging the SIP protocol.

Hosted Text-to-Speech

PortalGuard connects to a third-party service provider (not included with the PortalGuard purchase) and converts a customer-created template containing the OTP into a .WAV file. The third-party service provider then calls the end-user directly and plays the .WAV file once the line is picked up. The end-user then enters that OTP into the required login field for authentication.

SIP Protocol

Session Initiation Protocol (SIP) is a standards-based, widely implemented protocol used for controlling communication sessions (such as voice calls) over Internet Protocol (IP).

PortalGuard supports SIP so that an existing phone infrastructure can be used to deliver a voice OTP to the end-user. When using SIP, PortalGuard converts the text into a .WAV file by means of an integrated Text-to-Speech API. PortalGuard then connects to the existing SIP gateway, which dials the end-user's phone number and plays the .WAV file. The end-user then enters that OTP into the required login field for authentication.

PassiveKey

PassiveKey is a transparent, client-side browser plug-in that provides multifactor authentication by validating both the end-user and the device being used, effectively eliminating the need for the end-user to carry an additional token or install a mobile application.

Once enrolled, PassiveKey automatically generates a Time-based One-time Password (TOTP) on a configurable interval, which is then set as a session-based cookie. The cookie is encrypted using public-key cryptography to ensure that only the PortalGuard server can decrypt it, effectively eliminating man-in-the-middle attacks.

If the end-user's security policy requires a valid OTP for 2FA, PassiveKey submits the TOTP behind the scenes, and suppresses the visual prompt that an end-user would typically see. The required client-side software is unobtrusive and enables PassiveKey to provide a unique blend of both security and usability.
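As an added illustration of the TOTP-in-cookie flow described above (example code written for this appendix, not PassiveKey or PortalGuard code), the following Python sketch generates an RFC 6238 TOTP on a configurable time step on the client side and validates it on the server side with a small clock-skew window and single-use enforcement. The shared secret is the RFC 6238 test-vector secret, the cookie is a plain dict, and the public-key encryption of the cookie value is assumed to wrap this flow and is not modelled.

```python
"""Illustrative TOTP cookie flow (example only, not PortalGuard/PassiveKey code)."""
import hashlib
import hmac
import struct

# Constructed secret: the RFC 6238 test-vector key. A real enrollment would
# generate a random per-device secret instead.
SECRET = b"12345678901234567890"
STEP_SECONDS = 30   # the "configurable interval" the text refers to
DIGITS = 6


def totp(secret: bytes, now: float, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = int(now // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def build_cookie(secret: bytes, now: float) -> dict:
    """Client side: the value a PassiveKey-style plug-in would place in the session
    cookie. Public-key encryption of this value is assumed and not modelled here."""
    return {"totp": totp(secret, now), "issued_at": int(now)}


class TotpVerifier:
    """Server side: accept a code from the current or an adjacent step, once only."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window          # steps of clock skew tolerated on each side
        self.used_counters = set()    # counters already redeemed (replay protection)

    def verify(self, cookie: dict, now: float) -> bool:
        presented = cookie.get("totp", "")
        base = int(now // STEP_SECONDS)
        for delta in range(-self.window, self.window + 1):
            counter = base + delta
            expected = totp(self.secret, counter * STEP_SECONDS)
            if hmac.compare_digest(expected, presented):
                if counter in self.used_counters:
                    return False      # same step already redeemed: replay
                self.used_counters.add(counter)
                return True
        return False                  # no match inside the skew window
```

Codes outside the window are rejected as stale, and a code that already authenticated one session is rejected on a second presentation even though it is still inside the window.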

For more information, download our PassiveKey® TechBrief.