Tuesday, February 21, 2006

Online authentication

Just read another article on internet security at Wired News the day before. The problem of online authentication was a major theme at the 2006 RSA Conference. Major IT security companies now realize that an electronic token to be physically carried by the user is not a feasible "second factor" of authentication. You may recall that I also wrote an article last year on "Where is my electronic token?" in my blog along the same line.

How do I know this is the person of the true identity that I want to transact? Name and password can be stolen, but so is an electronic token. Furthermore, a token can be lost, damaged, malfunctioned, expired. The cost of replacing it, i.e. physically deliver it to the right person, is huge and the process is insecure. The mere thought of carrying a token in the electronic age makes you think that the internet has returned to stone age.

The intelligent human recognize their counterparts not by a token, but by characteristics. One way of doing it is through biometrics. Facial recognition, retina recognition, finger print, DNA test can all do the trick. However, these are not very feasible for internet transactions.

The clever IT security gurus come up with something simpler. Besides biometrics, there are many personal traits that can identify a person. One company proposes a solution which examines the device the client is using, including a number of factors such as IP address, a secure cookie or Flash object. A client logging in at the usual time from her usual machine will only need to enter the user name and password. But if that person is on a different machine using a different browser in a different time zone, for example, she will be presented with challenging questions that she answered when she signed up.

Some financial institutions are using a combination of such information combined with transaction history and usage patterns. For example, a typical everyday user suddenly sending a large sum at 2 a.m. to an account in Turkey might raise a red flag.

Another company adds an extra layer of security by locking out users who don't type in a password with the same typing style as the original user. The typing rhythm idea is flexible because the user can easily reset the system. When a new password is set, then there will be a new typing rhythm. The company calls it the disposable biometric.

There are yet new gadgets being developed. Other new offerings from RSA Security include a browser toolbar that works like a security token, and software that can turn a mobile phone into a token. The war still goes on.

No comments:

Post a Comment