Two Factor Authentication Using Mobile DevicesPublished on 22 Feb 2005
Two-factor authentication is a process designed to add an additional layer of security to online customer authentication / identification, by using two separate factors; something a user knows, and something a user has.
The addition of a non Internet-based channel is required for this second factor validation. Usernames & passwords are no longer sufficient in this day and age of phishing and other fraudulent attacks.
In today’s Newsflash we look at a version of two-factor authentication that is yet to make its way into the US market, and is however reasonably common in other geographies around the world. We believe that it can realistically address the two-factor authentication challenges of ‘token distribution’ and hardware roll-out.
Please continue to forward this to whomever you think would find it of interest. Thank you.
‘Two-Factor Authentication’ using Mobile / Cellular Telephones
The challenges of single-factor authentication:
Simple username & password logins suffer from numerous security threats:
- Software that monitors keystrokes
- Website spoofing
- Guessing (You’ll be surprised how many people have exactly the same username & passwords for all their websites.)
- Authentication theft (Theft of that spreadsheet / PDA where you store all your usernames & passwords.)
- IT employee theft; and many more…
The move to two-factor authentication has been driven by the need to have an alternative channel / device in addition to the normal login procedure or for specific functionality such as making funds transfers or payments. The mathematical probability of a fraudster having access to both ‘factors’ becomes negligible, thus ensuring the protection of your valuable access and identity.
Options currently being explored and tested in the US (in the corporate sector), include token devices (small key-chain hardware USB plug-ins or smartcards) and fingerprint readers (biometric devices).
Both require roll out / distribution of hardware. It is for this reason alone that we do not believe that any significant penetration in the consumer market will be achieved. In order for two-factor authentication to become widespread, Internet Banking providers need to look for simple solutions that utilize resources / hardware / devices that the customer already has.
The most obvious example is that of the consumer’s cellular telephone.
The solution is simple and effective:
- When signing up for Internet Banking, the consumer gives the bank his cellular telephone number. At this stage the customer is verified as being able to receive text messages.
- When wishing to login to Internet Banking and perform certain tasks, the website instantly generates a mobile text message to the customers cellular telephone with a 6/8 digit alphanumeric code. This code is unique to that specific session and cannot be re-used.
- The consumer then enters this code online as the second ‘factor’ of authentication, in addition to their username & password.
This type of two-factor authentication does not require the distribution of any device, token or card to the customer. Research will show that Internet Banking Consumers are predominantly contactable via text message.
Note: According to International Telecommunication Union (ITU), by the middle of 2004 the number of mobile phone subscribers around the globe had reached nearly 1,5 billion – about one quarter of the world’s population. The growth in mobile phone subscribers has now outpaced the growth in the number of fixed line users which totals about 1,9 billion, and is outstripping the rate of increase in Internet users.
Striata offers Banks & Billers a cost-effective, robust & reliable platform to distribute these text messages to all GSM cellular networks in the United States.
Striata recently presented a very successful panel session at the NACHA Council for Electronic Billing and Payment (CEBP) meeting in Annapolis. (Go here for a full look at the presentation.)
Thank you to the CEBP team for this valuable opportunity.