Redefining Stronger Authentication for 21st Century

In addition, the cost of implementing certificate-based authentication (PKI or Smart Card Tokens) is multiple times more (single digit dollar times at least) expensive than  OTP tokens making it difficult for large scale deployments like in internet banking.

Context Based Tokens

Context-based authentication uses information about a user, such as geographical location to authenticate them. Context-based authentication is generally used in conjunction with other authentication methods. For highly secure environments, for example, a user may be required to provide a username, password, OTP and pass verification on the geographical location of the device initiating the session. Other techniques include device registration or fingerprinting, source IP address reputation and behavioral analysis.

Context Based Tokens especially Biometric Scanners are the most expensive as a high end processor is needed as the base of such a scanner. The cost of implementing Biometric Token solutions will easily run into double digits dollars times per token.

Internet Based Attacks change Stronger Authentication Concepts

In recent years, there is some debate within the information security community about the reliability of OTP tokens, Certificate-based Tokens or Context-based Tokens for authentication. Critics claim a hacker can defeat the device with a man-in-the-middle (MITM) attack, which is when a hacker intercepts the token value (regardless of whether it is OTP tokens, PKI Tokens or Biometric) in real time, along with the user ID and password from a targeted phishing site.

In the latest draft version of its Digital Authentication Guideline in July 2016, the United States National Institute of Standards and Technology (NIST) is also discouraging companies from even using SMS-based authentication in their two factor authentication schemes.

The reason is that there has been a significant increase in attacks targeting SMS-based two-factor authentication recently. SMS messages can be hijacked over some VoIP services. Security researchers have used weakness in the SMS protocol to remotely interact with applications on the target phone and compromising users. One example is that the malware can be implantedonto an Android Smartphone to redirect the SMS OTP to the hacker phone.

Major Features of Next Generation Advanced Authentication

Transaction Signing is a term used in Internet Banking that requires customers to digitally “sign” transactions in order to preserve the authenticity and integrity of the online transaction. While performing any of the above online transactions, you will obtain a challenge code.

So, the next generation strong authentication hardware token needs to incorporate a cost efficient and energy efficient optical sensor (as an example instead of a keypad type of hardware token) to change the dynamics of inputting the transaction data into the token so that it can be used to generate the Transaction Signature (like the OTP) without much hassle like when the keypad is locked.

The next generation strong authentication software tokens needs to incorporate at least one of these useful features like QR Code (in the event if there are no Telco connections at that instant); Push Technology that accepts or declines a transaction with a push of a button (with tokens verified and embedded with the push feature) and/or Secure Messaging (to provide enhanced user experience with much reliability and reliable online marketing to their client base compared to SMS).

Any vendor(s) that can incorporate these two types of next generation strong authentications for hardware and software tokens in their product portfolio will ultimately be the clear winner in this strong authentication space for the 21^st century.