Two-Factor Authentication, Get Used to It

By Sonny Discini

February 01, 2008

Banks, e-commerce concerns and the federal government are clamoring for stronger authentication to combat theft and fraud. One company is all too happy to oblige.

Identity theft, phishing, and online financial fraud are increasingly becoming compelling drivers for deploying strong authentication for consumer and business applications. As financial institutions and e-commerce sites launch new initiatives to shore up consumer confidence in their brands, online banking concerns and even government agencies have begun to recommend identity protection guidelines.

For example, the recent guidance on Authentication in an Internet Banking Environment (FFIEC-AUTH), issued by the Federal Financial Institutions Examination Council (FFIEC), recommends that financial institutions offering Internet-based products and services to their customers use effective methods to authenticate the identity of customers using those products and services. Specifically, FFIEC-AUTH considers single-factor authentication, when it is the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties.

But how can strong authentication be achieved? To date, organizations have deployed solutions that, at best, only work within their own organizations and business partners.

For instance, have a look at your typical token-based PKI deployment. You receive an e-mail from an agency that is not part of your infrastructure and you decide that you should digitally sign your response. When the recipient receives that response, they have no way to validate the signature, because their environment does not trust the infrastructure that issued your certificate. This has been one of the biggest frustrations with managed PKI infrastructures.

Cost and administrative overhead have also contributed to the frustration and limited success of presently deployed PKI solutions. The complexity involved in managing PKI has forced many organizations to swallow a huge expense by outsourcing the management component to the vendor or a third-party service provider.

Verisign Identity Protection

Current legislation and increasingly Internet-dependent lifestyles now demand a dramatic change in the way we handle strong authentication. Verisign has stepped up to the plate with their current offering that they say mitigates all of the current issues seen with present day strong authentication systems.

Verisign Identity Protection is designed to allow you to take your token to work and use it within the walls of your organization, and then take that same token and use it to log in to your personal bank or any other personal service that requires strong authentication.

How does this work? Your organization deploys the service and pays for the cost of your token. You, as the user, take the token and use it during the course of your work duties. When you arrive home, you log in to your bank using the token issued by your employer. Your bank kicks back a fee to your organization each time you use the token. This approach significantly reduces the cost burden on the token issuer while also expanding the usability of the token.

Verisign has also added silent fraud and identity theft protection into this solution. This allows a business to issue and/or accept multiple credentials from each user. The solution takes a self-learning approach to fraud detection, adapting to customer usage habits unique to that individual.

Using policies and pattern recognition technology, the service flags potentially fraudulent activities based on known types of fraud and behaviors not associated with the user. Because the service is self-learning, it can adapt to changing criminal behavior without manual intervention. This non-intrusive approach does not require any change to a Web site and remains invisible to the consumer until fraud is detected.

The token itself looks very similar to a credit card so it can easily be carried around. It also has OTP functionality on-board. Rumor has it that we may even see the ability to store certificates on the token in future revisions.
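The shared-token model described above (one credential, issued by the employer, accepted by the employer and the bank alike) relies on a single validation service that holds the token's secret and counter. The following is an added illustration, not VeriSign's code or a description of their protocol: it assumes the token generates OATH HOTP codes (RFC 4226, the common event-based OTP algorithm; the article does not say which algorithm VIP uses), uses a constructed credential ID and the RFC 4226 test-vector key, and shows why the service must track the counter centrally: codes pressed at one relying party must never be replayable at another.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


class ValidationService:
    """Assumed central validator shared by every enrolled relying party."""
    LOOK_AHEAD = 5  # tolerate codes generated but never submitted (e.g. at another site)

    def __init__(self) -> None:
        self._tokens = {}            # credential id -> {"secret": bytes, "counter": int}
        self._relying_parties = set()

    def enroll_relying_party(self, name: str) -> None:
        self._relying_parties.add(name)

    def register_token(self, token_id: str, secret: bytes) -> None:
        self._tokens[token_id] = {"secret": secret, "counter": 0}

    def validate(self, rp_name: str, token_id: str, otp: str) -> bool:
        if rp_name not in self._relying_parties or token_id not in self._tokens:
            return False
        tok = self._tokens[token_id]
        for c in range(tok["counter"], tok["counter"] + self.LOOK_AHEAD):
            if hmac.compare_digest(hotp(tok["secret"], c), otp):
                tok["counter"] = c + 1  # advance past the accepted code: no replay, no stale codes
                return True
        return False


def demo() -> tuple:
    """Constructed scenario: one token used at work, then at the bank."""
    svc = ValidationService()
    svc.enroll_relying_party("employer")
    svc.enroll_relying_party("bank")
    secret = b"12345678901234567890"        # RFC 4226 test-vector key (sample only)
    svc.register_token("CRED-PLACEHOLDER-0001", secret)
    work_ok = svc.validate("employer", "CRED-PLACEHOLDER-0001", hotp(secret, 0))
    bank_ok = svc.validate("bank", "CRED-PLACEHOLDER-0001", hotp(secret, 2))  # counter 1 skipped
    replay = svc.validate("bank", "CRED-PLACEHOLDER-0001", hotp(secret, 2))   # reused code
    stale = svc.validate("employer", "CRED-PLACEHOLDER-0001", hotp(secret, 1))  # older code
    return work_ok, bank_ok, replay, stale
```

Because both relying parties consult the same counter, a code consumed at the bank is dead at the employer as well; if each party validated independently against its own copy of the secret, the same code would be accepted twice.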

But what happens if you leave your organization?

Verisign says that you can take the token with you and your employer will have a way of transferring the token out of their system. If your new employer has VIP (Verisign Identity Protection) then they can add your token to their account.

But will this service catch on? So far Charles Schwab has signed on with other major banks and ISPs rumored to be in the pipeline. Verisign has undoubtedly taken a mighty swing at most of the stumbling blocks that make strong authentication unappealing to organizations.

Hopefully organizations and individuals will be savvy enough to comprehend the benefits associated with this new approach to a looming problem.

This article was first published on EnterpriseITPlanet.com.


