tower-group-pushes-two-factor-authentication-for

Posted by:

admin 15 years, 3 months ago

Clearly, we need to do a better job of promoting WiKID.

The Tower Group just issued new research titled: ONLINE BANKING REQUIRES STRONGER AUTHENTICATION METHODS TO COMBAT MORE ADVANCED FORMS OF FRAUD

Highlights of the research include:
Many desktop computers are highly-vulnerable to attacks from malicious software, which can be downloaded to a PC without the consumer's knowledge. Using these 'malware' payloads, fraudsters can gain access to personal information through a variety of methods - from logging an individual's keystrokes on the computer when they sign in to their online banking site, to remotely taking control of the user's entire PC.
"Single-factor" authentication, typically a username plus password, remains the most widespread approach for accessing online banking sites. While easy to use and administer, it cannot combat more advanced forms of fraud. As usernames and passwords become the weak link, the traditional single-factor approach will become an entirely deficient means of online banking authentication.
"Two-factor" authentication offers a vast improvement in security. One example involves providing consumers with a hardware "token" that generates a random number to be entered along with his or her password. However, most large consumer banks have been fearful that convenience-oriented consumers will reject the additional burden of physical tokens, or will be overwhelmed by devices from multiple institutions.

WiKID solves many of the issues with standard hardware tokens. First, convenience. WiKID runs on the PC (or a wireless device making it easy to cut-and-paste the one-time passcodes. The client can be protected in a PKS12 store for security. Still, because the PIN is stored on the server, stealing the private key is no different than stealing an ATM card - you don't have enough. As a convenience to the administrator, we can automate the initial validation process.

Further, WiKID running on the PC is capable of validating the SSL certificate of the targeted website before getting the one-time passcode. This elimates man-in-the-middle attacks such as DNS-cache poisoning.

WiKID also solves the problem of multiple "devices from multiple institutions". Because we use public key cryptography, a single WiKID client can support multiple WiKID servers across multiple enterprises. Instead of having multiple key fobs, you would have one WiKID client with multiple public keys! (In addition, you can have multiple WiKID client assigned to a single username, so you can have one client running on your Windows, Mac, Linux desktop and another on your Blackberry.

If more people had WiKID clients, then more financial institutions would be interested in securing their online banking systems with WiKID. Yet, people don't need a WiKID client unless they have something to log into using two-factor authentication! Classic chicken and egg. We're planning on doing something about this soon. Keep an eye here.

• Tags:
• Strong Authentication,
• Information Security

• ← Can the WiKID Server and/or Token be embedded?
• determining-an-appropriate-cost-of-capital-for-an →