This is a guest post by Robert Coulter. If you are interested in guest posting on this blog, head over to the Guest Post Guidelines.
Fraudulent transactions that exploit online security flaws are increasing, and they demand more robust authorization and authentication than most companies currently use. The enormous amount of money generated by black hat hacking teams ensures a continuous refinement of their tactics, leaving those in charge of online security perpetually playing “catch-up.” Compounding the danger are the newest targets for hackers: tablets and smartphones, which tend to lack even the most basic malware protection.
Because of this increased risk of financial loss, the traditional username/password scheme is being supplanted by, or augmented with, several newer techniques. They are being adopted more quickly as security breaches, such as the LinkedIn password debacle, receive ever wider coverage in the media.
Following are some of the latest online authentication systems being adopted by companies around the world.
One approach searches for discrepancies between what is known about the account holder, such as home address or computer hardware profile, and the IP address and other identifying characteristics of a new login.
A real-world example: some U.S. Gmail account holders have recently been notified of blocked login attempts from countries such as India, detected because of the foreign IP address of the intruding connection.
As the name implies, multi-factor authentication requires more than a simple username/password combination to verify the identity of a user. This method seeks to authenticate using two or more of the following:
- Something the user has, as in a physical token, access card or phone
- Something the user knows, such as a passphrase
- Something the user is, as in a physical trait
MFA is considered quite secure because an attacker would have to not only compromise the login credentials but also obtain an additional factor that belongs to the true account holder.
Out-of-band authentication takes a similar approach to multi-factor authentication in that a user who logs in with a username and password is subject to a further verification requirement. The difference is that OOB requires the initial login and the secondary or tertiary authentication steps to be performed over completely different channels. This means that if a suspicious transaction is initiated from a laptop, a telephone call or a smartphone app might be the channel for the final authentication and verification step.
An example of this would be a bank triggering an automated phone call to an account holder should a large purchase be initiated. The account holder would confirm or decline the transaction via this external channel, making it extremely difficult for attackers to pull off large scams unless they physically held the customer’s phone.
Tokens are usually part of a multi-factor authentication solution, used in conjunction with a regular login. They may take the form of a USB device or a plastic smart card carrying a unique key matched to a specific user; access is granted only if both the key and the login credentials check out. Of the two, the smart card is generally the more secure choice, since a dedicated card reader must be installed on the user’s computer before the card can be read, which makes it difficult for an attacker without that specialized hardware to attempt entry.
Another token-based defense is the one-time-password (OTP) generating token, such as the popular RSA SecurID device. After entering a username and password, the user is asked to enter the OTP currently displayed on the device; the authentication server checks the submitted code against the value it expects and, if they match, grants access.
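As an added illustration that is not part of the original post, here is how an authentication server can match a submitted OTP against the value it expects. RSA SecurID uses a proprietary algorithm, so this example uses the open HOTP standard (RFC 4226) with the published test key from that RFC, and adds the lookahead window and replay check a real server needs when the token's counter drifts ahead of the server's.

```python
import hmac
import hashlib
import struct

# Constructed demo secret shared between token and server: the 20-byte test key
# from RFC 4226. A real deployment provisions a random per-token secret.
SECRET = b"12345678901234567890"
DIGITS = 6
LOOKAHEAD = 5  # how many counter values ahead of the stored one the server accepts


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TokenRecord:
    """Server-side state for one user's token: the shared secret and the next expected counter."""

    def __init__(self, secret: bytes, counter: int = 0):
        self.secret = secret
        self.counter = counter


def verify_otp(record: TokenRecord, submitted: str) -> bool:
    """Accept the code if it matches any of the next LOOKAHEAD counter values.

    On success the stored counter moves past the matched value, so the same code
    (or any earlier one) can never be replayed. Comparison is constant-time.
    """
    for c in range(record.counter, record.counter + LOOKAHEAD):
        if hmac.compare_digest(hotp(record.secret, c), submitted):
            record.counter = c + 1
            return True
    return False
```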
The above methods are only some of the augmented authentication technologies in use today. As hackers continue to evolve, so will authentication techniques in the never-ending battle against cybercrime and fraud.
About the Author: Robert Coulter works for Authentify, a firm that offers a wide range of authentication solutions for different industries. They specialize in voice biometrics, security tokens, and two-factor authentication.