
Shattering authentication myths

by david.nunes
Issue: Asia-Pacific III 2009
Article no.: 15
Topic: Shattering authentication myths
Author: Dr Shekhar Kirani
Title: Country Manager
Organisation: VeriSign India
PDF size: 181KB

About author

Dr Shekhar Kirani is the Country Manager of VeriSign India and is responsible for overseeing VeriSign’s activities in India. He has worked in the high-tech sector for more than 15 years, building and managing global teams for engineering, product management, innovation and production system operations. Prior to joining VeriSign, Dr Kirani held management positions at Lightsurf Technologies, which was later acquired by VeriSign. He also worked for Starfish Technologies, acquired by Motorola, as well as for Qwest, Texas Instruments and Wipro Technologies. Shekhar Kirani holds a PhD in Computer Science from the University of Minnesota and a Master’s degree in Computer Science from the Indian Institute of Science.

Article abstract

More people go online each day to buy goods and services, because it is easier to find a wider range of whatever is needed. Nevertheless, identity theft and online fraud are on the rise, and the resulting concerns of both businesses and consumers are slowing growth. Systems such as two-factor authentication (2FA), which uses one-time passwords (OTPs) generated by a physical device, provide a high level of security. Unfortunately, a series of outdated myths impedes 2FA adoption.

Full Article

Today, with increased mobility, a highly diverse user base, internal threats and regulatory requirements, security issues have become increasingly complex, leading to a greater need for stronger authentication. Every day, people find new reasons to go online to access goods and services. Transacting online offers consumers convenience and a breadth of selection that local businesses simply cannot match. It also keeps consumers out of their cars: a recent survey of adults who use the Internet found that fuel prices prompted them to do business online more often, and for a wider range of goods and services [1].

Unfortunately, this growing dependence on online business has not escaped the notice of opportunists looking to exploit it. Identity theft and online fraud are on the rise. Between December 2007 and February 2008, researchers measured a 70 per cent increase in phishing [2], in which e-criminals use convincing-looking emails to lead consumers to fraudulent but convincing Web pages. When Internet users fall for phishing scams, they can unwittingly hand over an array of sensitive personal information, including user names, passwords, credit card numbers and Social Security Numbers. The costs are dear: a Gartner study reported that businesses lost US$3.2 billion to phishing in 2007 [3]. Beyond the money lost, the targeted company also suffers immeasurable damage to its brand.

Beyond user names and passwords

Facing a world in which both opportunities and threats grow daily, online businesses are looking for ways to strengthen the authentication they provide online. One such way is two-factor authentication (2FA), a stronger form of verification that enterprises have implemented successfully for 15 years. Two-factor authentication combines something the end-user knows (a user name and password) with something he or she has: a physical credential, proven by a one-time password (OTP) that the credential generates.
A user cannot sign on without both. The combination makes it very difficult for e-criminals to gain unauthorized access to accounts and information, because a thief must possess not only the user name and password but the consumer’s physical credential as well. To use 2FA, consumers acquire a credential, available in a variety of convenient formats, that generates a fresh OTP for every sign-on. During sign-on, the OTP is entered along with the user’s usual account name and password; the site verifies the OTP against the credential registered to that user, which provides strong user authentication and protects the user’s identity.

It is true that the models implemented over a decade ago to give enterprises 2FA do not meet the needs of today’s complex and convenience-oriented consumer environment. Yet 2FA for consumers is not beyond the reach of organizations seeking to protect their customers from fraud, and to differentiate themselves from competitors by offering state-of-the-art online security. Still, concerns about the convenience and cost of this protection stubbornly cloud most discussions of 2FA. A little research soon reveals that these perceived shortcomings rest on little more than a fragile set of five myths. Let us visit each myth and discuss where it ends and reality begins.

Myth 1 – Consumers will need to carry dozens of credentials with them to log in to all their online accounts, and this will make 2FA a burden for users and impractical for site operators.

This is the so-called ‘token necklace effect’ that critics claim has haunted 2FA, but the spectre of a single consumer laden with multiple credentials is not inevitable. A shared network of member organizations could make 2FA easier and more convenient than ever by allowing users to carry a single, portable credential that is recognized by all member sites.
Today, credentials are available as key fob tokens, credit-card-sized cards, or software downloaded to a user’s cell phone, all of which generate an OTP. When companies join a 2FA network, much like an ATM network, the dreaded necklace of tokens becomes unnecessary.

Myth 2 – Judging from what enterprises have spent on their implementations, 2FA is just too expensive for the consumer market.

2FA is now available through managed services and shared network models, which allow strong authentication to break out of the premises-based enterprise model and scale cost-effectively to a consumer audience. Online businesses can take advantage of third-party hosting of the infrastructure needed for 2FA, along with easy integration through Web services, to reduce deployment expenses and share maintenance costs with other network members. This reduces both short- and long-term investment requirements.

Myth 3 – It is risky to invest in a 2FA platform based on today’s consumer preferences, when tomorrow’s consumer preferences could be totally different.

Organizations can ‘future-proof’ their 2FA offering by choosing solutions that comply with the open standards of the Initiative for Open Authentication (OATH) reference architecture. With an OATH-compliant 2FA solution, companies avoid being locked into one vendor’s authentication credentials: because the OTP algorithm is an open specification, an OATH-compliant validation server can verify any similarly compliant form factor, including tokens, cell phones and PDAs. More than 70 manufacturers produce OATH-compliant solutions today, giving organizations an enormous variety of options for the consumers they serve.

Myth 4 – Whatever advantages the 2FA network model may offer, they are not sufficient to draw new members into these alliances.
Aside from the obvious benefit to consumers of a single credential that serves thousands of sites, and the cost advantages of sharing network expenses with other members, joining a 2FA network pays other business dividends. For instance, the ability to carry the trusted relationship across all network members can be leveraged to strengthen online affiliation and build sales channels. eBay and PayPal, for example, both belong to the same 2FA network; an online retailer that joins it can tell those companies’ communities that the same tokens consumers use for eBay and PayPal also work at the retailer’s site. That represents a competitive advantage in a market where differentiation can be tough to achieve. By building a reputation as an innovator that puts the security of its customers first, a business can burnish its brand in ways that generate new sales opportunities.

Myth 5 – Consumer 2FA is long on hype but short on real-world successes.

The brief history of consumer 2FA has certainly not rewarded organizations using premises-based, proprietary systems and credentials, in other words credentials that can only be used at a single online business. If consumer 2FA implementations have stalled, it is because these models have not delivered the results, efficiencies and scale they promised. That is not the case with managed service providers, which have successfully implemented the network delivery model and have signed up an impressive number of online brands.

Battling the irrelevant

These five myths all mirror outdated perceptions of 2FA, perceptions based on decade-old enterprise models that are irrelevant to today’s consumer paradigm. Today, successful online businesses are leveraging industry standards, managed services and shared networks to deliver comprehensive two-factor authentication for consumers.
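To make the mechanism behind those industry standards concrete, here is an added example (not code from the article, from VeriSign or from any OATH member) of what an OATH-compliant network validation service does for the OTP sign-on described above: the event-based HOTP algorithm of RFC 4226 (HMAC-SHA1 over a counter, followed by dynamic truncation), which is OATH’s open OTP algorithm, plus the server-side verification that a shared validation service performs on behalf of its member sites. The ValidationService class, the credential identifier, the ten-step look-ahead window and the use of the RFC 4226 Appendix D test secret as the enrolled key are assumptions made for illustration.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Dict


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' to a 31-bit integer, reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


@dataclass
class Credential:
    """Server-side state for one token: the shared secret and the next counter
    value the server will accept. The physical token holds its own copy of both."""
    secret: bytes
    counter: int = 0


class ValidationService:
    """Hypothetical shared validation service (an assumption of this example).
    Member sites never see the secret; they only ask whether a given OTP is
    valid for a given credential identifier right now."""

    LOOK_AHEAD = 10  # assumed window: tokens run ahead when the button is pressed without a login

    def __init__(self) -> None:
        self._credentials: Dict[str, Credential] = {}

    def enroll(self, credential_id: str, secret: bytes) -> None:
        self._credentials[credential_id] = Credential(secret)

    def validate(self, credential_id: str, otp: str) -> bool:
        cred = self._credentials.get(credential_id)
        if cred is None:
            return False
        # Try the expected counter and a bounded number of values ahead of it.
        # Values behind the stored counter are never tried, so an OTP that was
        # already used (or skipped over) cannot be replayed later.
        for c in range(cred.counter, cred.counter + self.LOOK_AHEAD):
            if hmac.compare_digest(hotp(cred.secret, c), otp):  # constant-time compare
                cred.counter = c + 1  # resynchronise: accept this value and move past it
                return True
        return False


if __name__ == "__main__":
    # Constructed demo: the enrolled key is the RFC 4226 Appendix D test secret.
    key = b"12345678901234567890"
    service = ValidationService()
    service.enroll("token-0001", key)
    print(service.validate("token-0001", hotp(key, 0)))  # True: first button press
    print(service.validate("token-0001", hotp(key, 0)))  # False: replay of a used OTP
    print(service.validate("token-0001", hotp(key, 3)))  # True: two presses skipped, window resyncs
    print(service.validate("token-0001", hotp(key, 2)))  # False: behind the stored counter
```

The `validate` call is where the network model’s trust lives: a member site forwards only the credential identifier and the digits the user typed, and the secret and counter stay with the validation service. Note the boundary of what this buys: an OTP proves possession of the token at the moment it is typed, so a stolen password alone no longer suffices, but a phishing page that forwards the OTP to the real site within the look-ahead window still obtains that one session; the counter advance stops the same value from being used twice, nothing more.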
Poking holes in these myths merely requires a balanced assessment of the risks faced by consumers, the cost of implementing 2FA, and the resulting quality of the consumer’s online experience. Doing so will reveal why it makes good business sense to protect a company’s customers, and its own vital interests, with a strong two-factor authentication solution.

Sources

[1] “High Gas Prices Fuel Move To Online Shopping,” InformationWeek, April 22, 2008. Accessed July 22, 2008 at http://www.informationweek.com/news/internet/retail/showArticle.jhtml?articleID=207401333
[2] “Massive Rise in Phishing Attacks in 2008,” ComputerWeekly.com, March 25, 2008. Accessed July 23, 2008 at http://www.computerweekly.com/Articles/2008/03/25/229966/massive-rise-in-phishing-attacks-in-2008.htm
[3] Avivah Litan, “Phishing Attacks Escalate, Morph and Cause Considerable Damage,” Gartner, December 13, 2007.
