Forget about those highly vulnerable usernames and passwords. Authentify has just announced a new primary authentication method that is built upon a complete digital certificate PKI underpinning, but neither the enterprise nor the end user sees any of the complexity of the solution.
Every time I log on to a financial services or e-commerce website I get nervous as hell. My hands hesitate over the keyboard when it comes time to enter my site password. There’s always a set of nagging questions in the back of my mind: Will my account credentials be compromised in some way? Will they be leaked, or stolen? Will someone use my account logon information to rob me blind?
Plain old passwords as the primary means of authentication are a tremendous vulnerability. They are too easy to guess, to phish or steal, and to crack offline once a password database leaks, especially in this era of persistent attacks against enterprise systems. For evidence, look no further than the recent password breaches at LivingSocial, Twitter, LinkedIn, Facebook and Evernote.
Many companies have started adding a second authentication step on top of the traditional password. It can be as simple as another thing you know, such as a challenge question (“What is your mother’s maiden name?”), although strictly that is a second secret rather than a second factor, since a phisher or a data breach can capture it just as easily as the password. A true second factor is something you have, like a smart card or a physical token; some financial services companies issue such tokens to commercial account users who regularly access high-value accounts online.
Out-of-band secondary authentication has been available for more than a decade. Say you want to confirm a transaction, such as a money transfer via online banking. The bank can send you a confirmation code by telephone or text message that you then enter into a web form to confirm the transaction. Or a code is displayed on the screen that you have to speak or key into a phone. These secondary authenticators complement the username and password to verify that someone is authorized to complete the transaction or other activity, but the password remains the primary credential.
Authentify has been a leading player in the out-of-band authentication space for some time, and now the company is carrying that approach into primary authentication. The new solution, Authentify xFA, is built upon a complete digital certificate PKI underpinning and voice biometrics, but neither the enterprise nor the end user sees any of the complexity of the solution.
Client digital certificates have long been regarded as one of the strongest ways to authenticate a user: the user proves possession of the private key that matches the certificate, so there is no shared secret for a phisher to capture or for a breached server to leak. However, half the battle with PKI has always been distributing, managing, activating and revoking the certificates, and keeping the private keys safe on the user’s end. Authentify removes that complexity by managing the PKI deployment and all the credentials on behalf of the enterprise and its users; for example, for a bank and its online banking customers, an e-commerce site and consumers, or a business and its remote employees.
The Authentify xFA solution is made possible by smartphones, which really are full-function computers with onboard processing, storage, a camera and a microphone, along with separate voice and data channels. As the “something you have” factor, a smartphone offers many options for authentication, and its camera and microphone are exactly what the scanning and voice steps of xFA use.
The simplest way to explain how the solution works is with an example. Let’s consider the case of a bank and its retail customers (i.e., consumers). The bank wants to establish a high level of trust with the people using online banking to access their accounts. In this example, the bank is our “enterprise” and the consumers are our “end users.” The other party to the xFA solution is Authentify. All three parties in this relationship work together to establish secure authentication.
The process starts with the bank engaging with Authentify for the xFA Service. Authentify is going to provide secure storage for the bank’s customers’ credentials as well as verification of those credentials.
The bank directs online banking customers to an app store to download the xFA application to their smartphone. The first time a user opens the xFA app, he creates a single password and enrolls a voice biometric, which is stored “server side” at the Authentify xFA service.
Next the user returns to the bank’s website and authenticates himself in the way the bank requires (an account number, a username and password, or whatever the bank is comfortable with). When that step is completed to the bank’s satisfaction, the xFA enrollment link is presented. This initiates the bank’s retrieval of a unique cryptographic “A-code” (similar to a QR code) from the Authentify xFA Service. Note that enrollment is bootstrapped from whatever credential the bank already accepts, so the binding between the person and the new certificate is only as trustworthy as that initial check.
The bank sends this A-code to the user’s PC, and the user scans it with his smartphone using the scanner built into the xFA app. He is then prompted to speak a phrase shown on the app’s display; his voice is compared to the biometric on file and verified. That verification triggers issuance of a digital certificate unique to that banking relationship and completes the enrollment, after which the user can authenticate himself to the bank on subsequent visits to its website.
Authentify uses a zero trust model with the digital certificates. There are three separate sets of certificates and key pairs:
• One set of certificates and key pairs is shared between Authentify and the xFA app on the user’s device.
• A second set of certificates and key pairs is shared between the enterprise server and Authentify.
• A third set of certificates and key pairs is shared between the user’s app and the enterprise application the user wants to access.
In practice this means that a compromise at any one of the three parties yields only that party’s share of the key material, which is not enough on its own to attack an account, use the enterprise application, or use the end user’s account.
Back to our example of the online banking application. Once the user has enrolled his xFA app with the bank’s application, logon is simple. The user goes to the bank’s website and clicks a logon link. That click triggers the retrieval of a short-lived A-code cryptograph from the Authentify xFA Service, which the bank displays. The user scans the cryptograph, which initiates the certificate authentication, and is prompted to speak his passphrase for biometric verification. The whole process takes a few seconds and never requires the user to type a password. Once access is granted, the user proceeds with his banking session.
In situations in which the end user is already on his smartphone, for example in a mobile banking app, Authentify offers a secure second channel from the same device. This single-device, dual-channel workflow is activated by tapping a secure link instead of scanning an A-code. Authentify also accounts for lost or stolen smartphones: the certificates can be removed (revoked) so that a phone in someone else’s hands can no longer be used to authenticate.
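The enrollment, zero-trust and logon passages above describe the protocol only at the level of roles. What follows is an added worked example, written for this page and not Authentify’s code or wire format, of the generic mechanism such a scheme relies on: the bank mints a short-lived, single-use challenge (the role the A-code plays), the phone signs it with a per-relationship private key that never leaves the device, and the bank accepts only if the signature verifies under a certificate that chains to the issuing CA and matches the one recorded at enrollment. It also shows what revocation for a lost phone looks like on the relying-party side. Everything in it is an assumption made for illustration: the challenge layout and 60-second lifetime, the names (`Bank`, `new_cert`, `alice@examplebank`, the “example xFA CA”), the use of RSA via Ruby’s standard OpenSSL bindings, and the omission of the voice-biometric step and of the separate bank-to-Authentify key pair.

```ruby
require "openssl"
require "securerandom"

# Challenge plays the role of the article's short-lived "A-code": a random nonce
# with a short expiry, minted by the bank for one logon attempt. Layout is hypothetical.
Challenge = Struct.new(:nonce, :expires) do
  # The bytes that get signed: binds the nonce to the expiry the bank set.
  def to_sign
    "#{nonce}|#{expires.to_i}"
  end
end

def new_challenge(now, ttl = 60)
  Challenge.new(SecureRandom.hex(16), now + ttl)
end

# Issue an RSA key and certificate: a self-signed CA when no issuer is given (standing
# in for the service's issuing CA), otherwise a client certificate signed by that CA.
def new_cert(cn, serial, issuer: nil, issuer_key: nil)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.new([["CN", cn]])
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 86_400
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension("basicConstraints", issuer ? "CA:FALSE" : "CA:TRUE", true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  [key, cert]
end

# The relying party (the bank): trusts the issuing CA, remembers which certificate
# each user/bank relationship enrolled, and records consumed challenges.
class Bank
  def initialize(ca)
    @store = OpenSSL::X509::Store.new
    @store.add_cert(ca)
    @enrolled = {} # relationship => certificate issued at enrollment
    @used = {}     # nonces that have already authenticated once
  end

  def enroll(rel, cert)
    @enrolled[rel] = cert
  end

  # Revocation for a lost or stolen phone: the certificate stops working here even
  # though the phone still holds its private key.
  def revoke(rel)
    @enrolled.delete(rel)
  end

  # Accept a logon only if the challenge is fresh and unused, the certificate chains
  # to the trusted CA and is the one enrolled for rel, and the signature checks out.
  def verify(rel, challenge, cert, sig, now)
    return :stale_or_replayed if now > challenge.expires || @used[challenge.nonce]
    @store.time = now
    return :untrusted_cert unless @store.verify(cert)
    return :not_enrolled unless @enrolled[rel]&.to_der == cert.to_der
    return :bad_signature unless cert.public_key.verify(OpenSSL::Digest.new("SHA256"), sig, challenge.to_sign)
    @used[challenge.nonce] = true # consumed: the same code never authenticates twice
    :ok
  end
end

# Phone side: the per-relationship private key never leaves the device.
def phone_sign(key, challenge)
  key.sign(OpenSSL::Digest.new("SHA256"), challenge.to_sign)
end

# Enroll one relationship, then try a valid logon, a replay of the same challenge,
# a stale challenge, and a logon after the certificate was revoked.
def demo
  rel = "alice@examplebank"
  ca_key, ca = new_cert("example xFA CA", 1)
  dev_key, dev_cert = new_cert(rel, 2, issuer: ca, issuer_key: ca_key)
  bank = Bank.new(ca)
  bank.enroll(rel, dev_cert)
  now = Time.now
  c1 = new_challenge(now)
  sig = phone_sign(dev_key, c1)
  results = { valid: bank.verify(rel, c1, dev_cert, sig, now + 5),
              replay: bank.verify(rel, c1, dev_cert, sig, now + 6) }
  c2 = new_challenge(now)
  results[:stale] = bank.verify(rel, c2, dev_cert, phone_sign(dev_key, c2), now + 120)
  bank.revoke(rel) # user reports the phone stolen
  c3 = new_challenge(now)
  results[:revoked] = bank.verify(rel, c3, dev_cert, phone_sign(dev_key, c3), now + 5)
  results
end

p demo if $PROGRAM_NAME == __FILE__
```

Run with `ruby xfa_demo.rb` (file name assumed) and it prints one outcome per attempt: the first logon returns `:ok`, replaying the same challenge and presenting a stale one both return `:stale_or_replayed`, and the logon after revocation returns `:not_enrolled` even though the phone still holds a valid key and certificate. The order of checks is deliberate: freshness is tested first, so a recycled challenge cannot be used to probe the certificate or signature handling, and the nonce is marked consumed only after the signature verifies, so a failed attempt by someone else does not burn the legitimate user’s code.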
Authentify xFA pairs strong, certificate-based authentication with an enrollment and logon flow that is simple for users, who present a validated credential instead of remembering usernames and passwords for every site and account they use.
Linda Musthaler is a Principal Analyst with Essential Solutions Corporation. You can write to her at LMusthaler@essential-iws.com.
About Essential Solutions Corp:
Essential Solutions researches the practical value of information technology, and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.