With millions of passwords routinely stolen in data breaches, and with the administrative cost of replacing lost or forgotten passwords on top of the productivity lost while users wait, the password's time as a primary authentication credential is fast coming to an end.
The security value of the password has eroded with every breach. Lengthening and strengthening passwords in the mobile environment erodes the user experience instead: entering a long random string of letters, digits and symbols on a mobile keypad is difficult and frustrating.
Passwords date back to the first time-sharing mainframes, more than half a century ago. With mobility now in demand, it is time for something that is both more secure and easier to use.
Mobility and BYOD: security enablers, not threats
Many business cycles have been spent wrestling with the potential vulnerabilities of mobility and BYOD (bring your own device). The newest generations of mobile devices, however, offer considerable promise for strengthening security. Mobile solutions are now available that offer 'no typing' logins, using biometrics and cryptographically strong digital certificates for authentication.
This removes the server-side password database as a target and means that users no longer have to type eight-character strings. The end user initiates a login by scanning a custom QR code with the app, and the certificate held on the device, rather than a typed secret, proves who is logging in. A variation permits step-up authentication or out-of-band transaction verification when higher-value transactions need extra security.
If multiple levels of authentication are required repeatedly during a typical online banking or e-commerce session, the user experience suffers. Compounding the challenge, what happens to the customer experience when several banks each deploy a different authentication approach?
Anecdotal evidence suggests that when authentication becomes too complex, consumers start working around the security measures that organisations put in place. Have you encountered users who go through the 'reset your password' process every time they log in?
The Software-as-a-Service (SaaS) model of mobile authentication reduces the implementation effort associated with PKI (public key infrastructure) or biometric technologies. The global app stores let users self-provision a PKI digital certificate, a process that was not practical several years ago. The SaaS model also keeps the account protected when the user's device is lost or stolen, because the certificate bound to that device can be revoked centrally and a fresh one provisioned on the replacement.
A further benefit of PKI certificate-based authentication is mutual authentication: the server verifies the user's certificate, and the app verifies the server's. Customers can trust a message they receive through an app authenticated with self-provisioned digital certificates, because a phisher cannot produce a message that validates against the bank's key, and they will be more willing to act on an offer delivered via this channel.
A streamlined user experience
Authentify xFA provides a streamlined user experience that reduces the cost and complexity of multi-factor authentication. xFA offers all the features mentioned above, plus the ability to incorporate technologies such as FIDO-approved fingerprint and facial recognition through a single interface. It also includes NFC and Bluetooth authentication options that use standard smartphone capabilities.
Authentify's user-centric authentication app, xFA, turns a smart device into a "mobile personal authenticator" that can be used anywhere in place of passwords, tokens or smart cards. The 'x' stands for flexible authentication: x factors of authentication, including digital certificates, secure messaging and voice biometrics out of the box. xFA can help banks and enterprises capitalise on the promise of mobility while protecting against its dangers.
xFA enables subscribers to wield digital certificates with no deployment effort. It offers a scan-and-speak interface with biometrics such as fingerprint, voice or face. It has no central password or ID store. Beyond the app itself, no hardware or software needs to be deployed: the app works from a secured cloud infrastructure that has been professionally managed for over 12 years, and no personally identifiable information is stored there.
A subscriber has a single anonymous xFA account with Authentify, but each enterprise controls its own subscriber relationship, protected by separate credentials (digital certificates and key pairs), and chooses its own authenticators by policy. Subscriber privacy is thus fully maintained: compromise of any single interacting point does not expose the subscriber's identity. The subscriber gets convenience, with no login IDs or passwords to remember, while the enterprise retains full control over its operations and its relationship with the subscriber. This separation of credentials protects both the subscriber and the enterprise, since keys taken from one enterprise are useless at another.
xFA also sidesteps the weaknesses of OTPs (one-time passwords) sent over the Internet: the verification reaches the subscriber over a separate network at the same time, out of reach of an attacker sitting on the Internet session.
Why consider xFA
It has been a few months since the Heartbleed bug was announced to the world, and we continue to see its lingering effects, both from Heartbleed itself and from further OpenSSL security issues.
Symantec has reported a spam campaign that claims to provide a tool to eradicate Heartbleed from your computer. The download instead installs malware that gives the computer a "clean bill of health" while a keylogger records everything typed and takes screenshots. To an individual this malware may be more dangerous than Heartbleed itself, so employees should be warned not to fall for the message at work or on their personal computers.
Heartbleed allowed anyone on the Internet to send crafted packets that forced a vulnerable machine to divulge passwords, cryptographic keys and other highly sensitive data. The more recent OpenSSL attacks, by contrast, can only strip encryption from a single targeted connection, and only an attacker with some degree of control over that connection can execute them. Without doubt that is serious, but it is not the catastrophe that Heartbleed was.
These vulnerabilities increase the need for financial institutions to involve account holders in the "back-end" protection of their own accounts. A "deputised" customer base helps protect the institution and the customers themselves. Out-of-band transaction verification, which displays the transaction or account-change details for approval before final execution (after login), accomplishes that deputisation: a session hijacked through a server-side flaw still cannot complete a transaction without the account holder's approval on the separate device.
So xFA meets a present need for financial institutions and their customers alike.
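The scan-and-approve flow this article describes (the QR-code login and step-up verification under "Mobility and BYOD", the mutual authentication that lets the app tell a genuine message from a phishing attempt, the reply that travels back on an alternate channel, and the out-of-band transaction approval just discussed), written out as an added example in Go. It is not Authentify's or SPAN Telecom's code. It stands in Ed25519 key pairs for the X.509 certificates the article refers to, keeps enrolled keys and pending challenges in memory, and uses hypothetical names (Bank, Device, Issue, Decide, Verify, Transaction). The bank signs every challenge so the app refuses anything a phisher sends; the device signs the exact bytes the account holder was shown; and the bank binds each approval to a single-use, expiring nonce so a captured approval cannot be replayed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Transaction is what the account holder approves; Challenge is what the bank puts in the QR code or
// push message; Response is the device's decision, returned on the alternate channel.
type Transaction struct{ ID, Payee, Amount string } // Amount as a decimal string: no float rounding in the signed bytes
type Challenge struct {
	Tx      Transaction
	Nonce   string // single use: ties one approval to one request
	Expires int64  // unix seconds
}
type Response struct {
	Subscriber, Nonce string
	Approved          bool
	Sig               []byte // device signature over the challenge bytes; absent when declined
}

// Bank holds the enterprise signing key, the enrolled device keys and challenges awaiting a reply.
type Bank struct {
	priv    ed25519.PrivateKey
	Pub     ed25519.PublicKey
	devices map[string]ed25519.PublicKey // subscriber ID -> device public key
	pending map[string]Challenge         // nonce -> challenge awaiting a reply
}

func NewBank() *Bank {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Bank{priv: priv, Pub: pub, devices: map[string]ed25519.PublicKey{}, pending: map[string]Challenge{}}
}

// Enroll is the self-provisioning step: a device public key is bound to a subscriber ID.
func (b *Bank) Enroll(subscriber string, pub ed25519.PublicKey) { b.devices[subscriber] = pub }

// Issue builds a challenge for tx and signs it so the app can check that it came from this bank.
func (b *Bank) Issue(tx Transaction, ttl time.Duration) (payload, sig []byte) {
	nonce := make([]byte, 16)
	rand.Read(nonce)
	ch := Challenge{Tx: tx, Nonce: fmt.Sprintf("%x", nonce), Expires: time.Now().Add(ttl).Unix()}
	b.pending[ch.Nonce] = ch
	payload, _ = json.Marshal(ch)
	return payload, ed25519.Sign(b.priv, payload)
}

// Verify accepts a reply only if its nonce is still pending, the challenge is unexpired and the enrolled
// device key signed exactly the bytes it was shown. The nonce is consumed on first use, so a replay fails.
func (b *Bank) Verify(r Response) (Transaction, error) {
	ch, ok := b.pending[r.Nonce]
	if !ok {
		return Transaction{}, errors.New("unknown or already used nonce")
	}
	delete(b.pending, r.Nonce)
	if time.Now().Unix() > ch.Expires {
		return Transaction{}, errors.New("challenge expired")
	}
	payload, _ := json.Marshal(ch) // same bytes Issue produced: encoding/json is deterministic for structs
	pub, ok := b.devices[r.Subscriber]
	if !ok || !r.Approved || !ed25519.Verify(pub, payload, r.Sig) {
		return Transaction{}, errors.New("no valid approval from the enrolled device")
	}
	return ch.Tx, nil
}

// Device is the "mobile personal authenticator": its own key pair plus the bank's pinned public key.
type Device struct {
	Subscriber   string
	priv         ed25519.PrivateKey
	Pub, bankPub ed25519.PublicKey
}

func NewDevice(subscriber string, bankPub ed25519.PublicKey) *Device {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Device{Subscriber: subscriber, priv: priv, Pub: pub, bankPub: bankPub}
}

// Decide drops any challenge the bank did not sign before showing it (a forged or phished request never
// reaches the user), then shows the details and signs only if the account holder approves.
func (d *Device) Decide(payload, bankSig []byte, userApproves func(Transaction) bool) (Response, error) {
	if !ed25519.Verify(d.bankPub, payload, bankSig) {
		return Response{}, errors.New("challenge not signed by the bank")
	}
	var ch Challenge
	json.Unmarshal(payload, &ch) // authenticated above
	r := Response{Subscriber: d.Subscriber, Nonce: ch.Nonce}
	if userApproves(ch.Tx) { // the app's confirmation screen (plus biometric unlock) goes here
		r.Approved, r.Sig = true, ed25519.Sign(d.priv, payload) // signs exactly the bytes the user saw
	}
	return r, nil
}

func main() {
	bank := NewBank()
	dev := NewDevice("subscriber-42", bank.Pub)
	bank.Enroll(dev.Subscriber, dev.Pub)
	payload, sig := bank.Issue(Transaction{ID: "tx-1", Payee: "ACME Ltd", Amount: "2500.00"}, 2*time.Minute)
	resp, _ := dev.Decide(payload, sig, func(Transaction) bool { return true })
	fmt.Println(bank.Verify(resp)) // accepted once; sending the same resp again is rejected as a replay
}
```

A decline carries no signature, so the bank treats "no valid approval" and "declined" identically and never executes either. In a deployment the pending map would live in a store shared by all of the bank's front ends, and the device would hold one key pair per enterprise, matching the per-enterprise credential model the article describes.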
Lalit Chandak, president of SPAN Telecom, has over 16 years of experience in telecom, including VoIP, lawful monitoring and network security.
The post Moving beyond passwords: By Lalit Chandak, president, SPAN Telecom appeared first on TeleAnalysis.