Tuesday, July 27, 2010

What's Needed to Improve Strong Authentication

New Authentication Guidance Coming?

Out-of-band authentication - This method sends the additional authentication factor to the user over a different channel from the one he or she is using to access the bank site; for example, a one-time password (OTP) sent by text message to the user's mobile phone when logging in with a web browser on a PC. The user has to enter the correct OTP within a short time window (usually a few minutes) in order to initiate the session, and the code is good for one use only, so a password stolen by keylogging or phishing cannot simply be replayed later. It helps against man-in-the-middle attacks only to a limited degree: a proxy sitting between the user and the bank in real time can relay the OTP within its validity window and obtain a session, which is why the transaction verification described next is the stronger of the two controls against MITM.


Out-of-band transaction verification - This sends a verification request to the user over the same kind of separate channel as out-of-band authentication, so that the user has to review and authorize a high-risk transaction that takes place within an online banking session before it is allowed to proceed. The request should state the transaction details the bank actually received (payee and amount) rather than what the browser displayed, and the code it carries should be valid only for that transaction, so that a transfer altered by malware in the browser is either spotted by the user or rejected by the bank. This method helps against MITM and man-in-the-browser attacks.
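The two out-of-band controls above share one mechanism, so here is a single worked example of both, added to this post rather than taken from any product it describes. It issues a random six-digit code over a second channel (an SMS gateway callback stands in for the real one), enforces a validity window and single use for login codes, and for transaction codes binds the code to the payee and amount the server received with a keyed hash, so the code cannot authorize a different transfer. The class, field names, the three-minute window and the server key are all assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 180  # assumed validity window: three minutes
# Constructed key for the example; a real deployment keeps this in an HSM or secrets store.
SERVER_SECRET = b"example-only-server-key"


class OutOfBandAuthenticator:
    """Issues one-time codes over a second channel and verifies them.

    A login code is random, expires after OTP_TTL_SECONDS and is consumed on
    first use. A transaction code is additionally bound to the payee and
    amount the bank received, so a code the user approved for one transfer
    will not verify a transfer that malware rewrote in the browser.
    """

    def __init__(self, send_sms, now=time.time):
        self._send_sms = send_sms  # callback standing in for the SMS gateway
        self._now = now            # injectable clock so the demo can expire a code
        self._pending = {}         # user -> (code, issued_at, transaction binding)

    @staticmethod
    def _new_code():
        return f"{secrets.randbelow(10 ** 6):06d}"

    @staticmethod
    def _bind(payee, amount_cents):
        # Keyed hash of the transaction details exactly as the server received them.
        msg = f"{payee}|{amount_cents}".encode()
        return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()

    def issue_login_code(self, user, phone):
        code = self._new_code()
        self._pending[user] = (code, self._now(), None)
        self._send_sms(phone, f"Your login code is {code}. It expires in {OTP_TTL_SECONDS // 60} minutes.")
        return code  # returned only so the demo can play the user reading the SMS

    def issue_transaction_code(self, user, phone, payee, amount_cents):
        code = self._new_code()
        self._pending[user] = (code, self._now(), self._bind(payee, amount_cents))
        # The SMS repeats the details the bank will execute, not what the browser displayed.
        self._send_sms(phone, f"To pay {amount_cents / 100:.2f} to {payee}, reply with code {code}.")
        return code

    def verify_login(self, user, submitted):
        return self._consume(user, submitted, None)

    def verify_transaction(self, user, submitted, payee, amount_cents):
        return self._consume(user, submitted, self._bind(payee, amount_cents))

    def _consume(self, user, submitted, expected_binding):
        # Pop before checking: a code is single use whether the attempt passes or fails,
        # which also caps brute force at one guess per issued code.
        entry = self._pending.pop(user, None)
        if entry is None:
            return False
        code, issued_at, binding = entry
        if self._now() - issued_at > OTP_TTL_SECONDS:
            return False
        if not hmac.compare_digest(code.encode(), submitted.encode()):
            return False
        return binding == expected_binding  # None == None for login codes


def demo():
    """Walk through the success, replay, expiry and tampering cases; returns the outcomes."""
    sent = []
    clock = [1_000_000.0]
    auth = OutOfBandAuthenticator(send_sms=lambda phone, text: sent.append((phone, text)),
                                  now=lambda: clock[0])
    results = {}

    code = auth.issue_login_code("alice", "+1-555-0100")
    results["login_ok"] = auth.verify_login("alice", code)
    results["login_replay"] = auth.verify_login("alice", code)  # same code a second time

    code = auth.issue_login_code("alice", "+1-555-0100")
    clock[0] += OTP_TTL_SECONDS + 1  # the user waited too long
    results["login_expired"] = auth.verify_login("alice", code)

    # The code was issued for the transfer the user was asked to confirm (250.00 to ACME Ltd).
    # The execution request then arrives with a different payee, as a man-in-the-browser
    # that rewrites the form after confirmation would send it: the binding check fails.
    code = auth.issue_transaction_code("alice", "+1-555-0100", "ACME Ltd", 25_000)
    results["txn_tampered"] = auth.verify_transaction("alice", code, "Mule Account", 25_000)

    code = auth.issue_transaction_code("alice", "+1-555-0100", "ACME Ltd", 25_000)
    results["txn_ok"] = auth.verify_transaction("alice", code, "ACME Ltd", 25_000)
    return results, sent


if __name__ == "__main__":
    outcomes, messages = demo()
    for name, ok in outcomes.items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Two points the code makes concrete: the binding only catches tampering that happens after the code was issued, so the SMS must also spell out payee and amount for the user to read, which is what catches malware that alters the transfer before the confirmation step; and popping the pending code on every attempt, successful or not, is what keeps a six-digit code from being guessed within its window.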


Device identification - This method uniquely identifies the software and hardware being used to access the online banking session, so that the device itself becomes an authentication factor. Because the identifier is derived from many attributes of the browser and operating system rather than from a single value, it resists fraudsters' attempts to defeat it by spoofing IP addresses or deleting cookies, and it lets the bank step up authentication when a login comes from a device it has not seen before.
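An added example of the device check, not code from the post or from any vendor it alludes to. It hashes a fixed set of browser and OS attributes into a device fingerprint, stores that alongside a device cookie and the enrolled network prefix, and then classifies constructed login attempts: the genuine device with cookies deleted or from a new network is still recognised, a one-attribute drift (browser upgrade) gets a step-up, and a different machine presenting a stolen cookie from the victim's own network range is treated as unknown. The attribute set, the /24 comparison and the thresholds are assumptions.

```python
import hashlib

# Browser and OS attributes the bank's page script collects at login (assumed set for this example).
FINGERPRINT_FIELDS = ("user_agent", "accept_language", "screen", "timezone", "fonts_hash", "plugins_hash")


def fingerprint(attrs):
    """Stable identifier derived from the device attributes alone: IP and cookies are not inputs."""
    canonical = "\n".join(f"{field}={attrs.get(field, '')}" for field in FINGERPRINT_FIELDS)
    return hashlib.sha256(canonical.encode()).hexdigest()


def matching_fields(enrolled_attrs, observed_attrs):
    return sum(1 for f in FINGERPRINT_FIELDS if enrolled_attrs.get(f) == observed_attrs.get(f))


def assess_device(profile, request):
    """Classify a login attempt against the profile stored at enrollment.

    Returns (decision, reasons); decision is "known_device", "step_up" or "unknown_device".
    """
    reasons = []
    fp_match = fingerprint(request["attrs"]) == profile["fingerprint"]
    cookie_match = request.get("cookie") == profile["cookie"]
    ip_match = request["ip"].rsplit(".", 1)[0] == profile["ip_prefix"]  # compare the /24 only

    if not cookie_match:
        reasons.append("device cookie missing or different")
    if not ip_match:
        reasons.append("source address outside the enrolled network")

    if fp_match:
        # A deleted cookie or a new address on its own does not demote a matching device;
        # both corroborating signals missing at once is worth asking for a second factor.
        if cookie_match or ip_match:
            return "known_device", reasons
        return "step_up", reasons

    matched = matching_fields(profile["attrs"], request["attrs"])
    reasons.append(f"fingerprint mismatch: {matched}/{len(FINGERPRINT_FIELDS)} attributes match")
    if matched >= len(FINGERPRINT_FIELDS) - 1:
        return "step_up", reasons        # one attribute drifted, e.g. a browser upgrade
    return "unknown_device", reasons     # a different machine, whatever cookie or IP it presents


def demo():
    """Constructed login attempts against one enrolled profile; returns the decision for each."""
    enrolled = {
        "user_agent": "Mozilla/5.0 (Windows NT 6.1) Gecko/20100722 Firefox/3.6.8",
        "accept_language": "en-US,en;q=0.5",
        "screen": "1280x800x24",
        "timezone": "-300",
        "fonts_hash": "3f9a1c",
        "plugins_hash": "b7e204",
    }
    profile = {"fingerprint": fingerprint(enrolled), "attrs": enrolled,
               "cookie": "dev-7f3e", "ip_prefix": "198.51.100"}

    upgraded = dict(enrolled, user_agent="Mozilla/5.0 (Windows NT 6.1) Gecko/20100914 Firefox/3.6.10")
    other_machine = {
        "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Chrome/5.0",
        "accept_language": "ru-RU,ru;q=0.8",
        "screen": "1920x1080x24",
        "timezone": "-180",
        "fonts_hash": "90aa12",
        "plugins_hash": "01cd77",
    }
    attempts = {
        "same_device": {"attrs": enrolled, "cookie": "dev-7f3e", "ip": "198.51.100.23"},
        "cookies_deleted": {"attrs": enrolled, "cookie": None, "ip": "198.51.100.23"},
        "travelling_no_cookie": {"attrs": enrolled, "cookie": None, "ip": "203.0.113.5"},
        "browser_upgraded": {"attrs": upgraded, "cookie": "dev-7f3e", "ip": "198.51.100.23"},
        # Fraudster replaying a stolen cookie from a host in the victim's network range.
        "stolen_cookie_other_machine": {"attrs": other_machine, "cookie": "dev-7f3e", "ip": "198.51.100.77"},
    }
    return {name: assess_device(profile, req)[0] for name, req in attempts.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The limit of this control is visible in the code: every attribute is reported by the client, so malware running on the victim's own machine presents the genuine fingerprint. That is why the post pairs device identification with out-of-band verification and transaction monitoring rather than relying on it alone.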


Mutual authentication - In addition to authenticating the user to the site, this method authenticates the site to the user. The most prevalent way of doing this is with Extended Validation (EV) SSL certificates: the browser's address bar turns green when the user is on the bank's actual website. Other methods include displaying electronic seals on the site and displaying a user-selected image in the browser when the user is accessing the genuine bank server. This method helps against phishing, DNS cache poisoning, and other redirect attacks, but only to the extent that users notice when the green bar or their chosen image is missing and stop; a user who enters credentials anyway gets no protection from it.


Transaction monitoring - This is not strictly an authentication tool, but monitoring online sessions for high-risk activity such as known trojan behaviors, both at session initiation and while the session is in progress, is a very strong complement to the authentication techniques described here. Flagged activity has to be acted on in real time; appropriate responses include sending an alert to the user, requesting an out-of-band transaction verification as described above, blocking access to the online account, or blocking the bank account itself. It helps against all types of fraud attacks.
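To make the monitoring idea concrete, here is an added example (mine, not the post's) of a small rule engine run over constructed session events. It scores each event as it arrives, keeps a running score per session, and maps that score to the responses listed above: alert, out-of-band verification, or blocking online access. The rules it carries are the kind of trojan behaviors the text mentions: a payee created and paid within seconds, a high-value transfer, transfer velocity, and a client whose User-Agent changes mid-session. The event format, rule weights and thresholds are assumptions for the example, and the events are constructed, not captured.

```python
from collections import defaultdict

# Thresholds are assumptions for the example; a bank would tune them to its own traffic.
HIGH_VALUE_CENTS = 500_000        # 5,000.00
HUMAN_MIN_SECONDS = 5             # faster than a person can fill in and submit a transfer form
VELOCITY_WINDOW_SECONDS = 120
VELOCITY_MAX_TRANSFERS = 3


def new_session_state():
    return {"score": 0, "user_agent": None, "new_payees": set(),
            "payee_added_at": {}, "transfer_times": []}


def score_event(state, ev):
    """Points and reasons for one event, given what the session has done so far."""
    points, reasons = 0, []
    kind = ev["type"]

    if kind == "login":
        state["user_agent"] = ev.get("user_agent")
        if ev.get("new_device"):
            points += 15
            reasons.append("login from unrecognised device")
    elif ev.get("user_agent") and state["user_agent"] and ev["user_agent"] != state["user_agent"]:
        # The client talking to the bank is no longer the one that logged in.
        points += 40
        reasons.append("user-agent changed mid-session")

    if kind == "add_payee":
        state["new_payees"].add(ev["payee"])
        state["payee_added_at"][ev["payee"]] = ev["t"]

    if kind == "transfer":
        state["transfer_times"].append(ev["t"])
        if ev["payee"] in state["new_payees"]:
            points += 20
            reasons.append("transfer to a payee added in this session")
            if ev["t"] - state["payee_added_at"][ev["payee"]] < HUMAN_MIN_SECONDS:
                points += 30
                reasons.append("payee added and paid faster than a person could")
        if ev["amount_cents"] >= HIGH_VALUE_CENTS:
            points += 20
            reasons.append("high-value transfer")
        recent = [t for t in state["transfer_times"] if ev["t"] - t <= VELOCITY_WINDOW_SECONDS]
        if len(recent) > VELOCITY_MAX_TRANSFERS:
            points += 25
            reasons.append("transfer velocity exceeded")
    return points, reasons


def respond(score):
    """Map the running session score to one of the responses the text lists."""
    if score >= 70:
        return "block_online_access"
    if score >= 40:
        return "out_of_band_verify"
    if score >= 20:
        return "alert_user"
    return "allow"


def monitor(events):
    """Score events in time order; each decision reflects the session's score so far."""
    sessions = defaultdict(new_session_state)
    decisions = []
    for ev in sorted(events, key=lambda e: e["t"]):
        state = sessions[ev["session"]]
        points, reasons = score_event(state, ev)
        state["score"] += points
        decisions.append({"t": ev["t"], "session": ev["session"], "type": ev["type"],
                          "score": state["score"], "action": respond(state["score"]),
                          "reasons": reasons})
    return decisions


def final_actions(decisions):
    """Last action taken for each session."""
    last = {}
    for d in decisions:
        last[d["session"]] = d["action"]
    return last


# Constructed events: one normal session, one hijacked mid-session, one trojan-driven.
CONSTRUCTED_EVENTS = [
    {"t": 100, "session": "s-legit", "type": "login", "new_device": False,
     "user_agent": "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"},
    {"t": 160, "session": "s-legit", "type": "transfer", "payee": "Electric Co", "amount_cents": 12_000},
    {"t": 200, "session": "s-mitm", "type": "login", "new_device": False,
     "user_agent": "Mozilla/5.0 (Macintosh) Safari/5.0"},
    {"t": 260, "session": "s-mitm", "type": "transfer", "payee": "Landlord", "amount_cents": 30_000,
     "user_agent": "Python-urllib/2.6"},
    {"t": 1000, "session": "s-trojan", "type": "login", "new_device": True,
     "user_agent": "Mozilla/5.0 (Windows NT 5.1) MSIE 8.0"},
    {"t": 1002, "session": "s-trojan", "type": "add_payee", "payee": "Mule Account"},
    {"t": 1004, "session": "s-trojan", "type": "transfer", "payee": "Mule Account", "amount_cents": 600_000},
]


if __name__ == "__main__":
    for d in monitor(CONSTRUCTED_EVENTS):
        print(f'{d["t"]:>5} {d["session"]:<9} {d["type"]:<10} score={d["score"]:<3} {d["action"]}')
```

Scoring per session rather than per event is deliberate: none of the trojan session's individual signals is damning, but an unrecognised device, a new payee and a large transfer two seconds after the payee was created add up to a block before the money leaves.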


Browser-based controls - Institutions can offer client-side tools that lock down the user's web browser against malware infection and exposure of sensitive data. This approach helps against a wide array of online fraud attacks, particularly MITM and MITB, though it only protects the customers who actually install and keep the tool.


None of these techniques is completely "airtight" on its own; each has its own strengths and weaknesses. Used together, they form a solid defense-in-depth approach to protecting the institution's "electronic front door".
