two factor authentication that doesn’t use chips




CHIP TALK

May 2008 Card Technology Today

Two factor authentication that doesn’t use chips

With many banks and other organisations looking at strong, two-factor authentication as a way of improving the security of their customers’ confidential details, smart card-based firms are highlighting why their technology is best. However, as Carol Alexander, vice president of Marketing at Arcot Systems, tells CTT, organisations should also consider other methods.

“Protecting your clients and their accounts with strong, two-factor authentication doesn’t necessarily mean implementing smart cards, biometrics, PKI systems or one-time password (OTP) tokens. It can potentially be done more easily and cost effectively with a software solution.

Security for the 21st century

“For example, Security Bank Corporation in the Philippines, one of the largest and fastest-growing banks in the country, has recognised that simple and static user names and passwords are no longer sufficient protection for its clients’ accounts and assets. They started looking into ways of adding extra layers of security to the online banking experience. They eventually concluded that strong, two-factor authentication was the way to go in order to verify and protect the online identities of corporate customers.

“With a goal of finding the most innovative and convenient security solution, Security Bank executives were tasked with a critical decision: do they choose a two-factor authentication solution utilising a hardware device like a one-time password token, or choose a software-only solution? With so much going on in their day-to-day business life, using a device or even installing software can seem like an unnecessary burden for corporate customers.

Why devices may not be the best

“Although many firms are highlighting the beauty of their token-based products, such approaches do have weaknesses. Since devices can be easily lost, difficult to use and require middleware downloads and support, they don’t necessarily meet an organisation’s convenience criteria. And if you consider this in the context of a bank, where customer loyalty cannot be taken for granted, convenience is essential. Furthermore, personalising and mailing a device would also potentially slow down the transaction process – not a good thing in the world of international eBanking.

“An alternative, which doesn’t have the complexity and cost of devices, is to use a 100% software-only authentication solution capable of enabling online user identification and authentication as well as digital signing and secure eStatement delivery.

Make it easier for the customer

“Such an approach can provide the strength and protection of PKI security, but put it in a simple, username/password interface that people are already familiar with and trust. By taking this approach, banks can take advantage of a fully self-contained PKI deployment. With no additional elements of a PKI infrastructure to install or deploy, it eliminates the trauma of past PKI deployments. It integrates with existing PKI-based applications and infrastructure as well as Identity Management/Single Sign On platforms.

“However, this approach does not require expensive hardware tokens, client-side plug-ins or software installations to protect a bank’s users with two-factor authentication. Instead, the second factor is a unique, software-only identity token that sits transparently in a user’s desktop or laptop. The identity token is the software equivalent of a hardware smart card, providing a PIN-protected software container for the user’s credentials: a standard X.509v3 digital certificate plus an encrypted private key.

Protecting the software-only token

“Systems that use software-only identity tokens are protected by tamper-resistant software containers rather than a physical microprocessor-based device. The digital certificate is stored in this container. The private key is protected by cryptographic camouflage, a technology that protects the private key from brute force attacks. The credentials are accessed through a variety of standard and proprietary APIs, remaining transparent to the user.

Many uses

“Software-only identity systems are capable of protecting bank employee and customer users against various online predatory practices, including man-in-the-middle and brute force attacks – which one time password (OTP) tokens cannot do – phishing and key logging. It uses a ubiquitous, secure client that transparently fraud-proofs the login process without expensive hardware, rapidly scales to millions of users and runs on a variety of mobile platforms.

“Roaming, or using different desktops to access accounts, is achieved in different ways, but most commonly by using challenge response questions to set up new desktops. The resulting solution can give a bank’s corporate customers the confidence that their financial information and accounts are protected when they log on to their bank’s web site, all while using the same simple and familiar user interface and maintaining the anytime, anywhere convenience of the Internet.

Beyond banks

“And of course it’s not just banks that can see the advantage of two factor authentication using 100% software solutions. For example, Google Apps Premier Edition users can also take advantage of the technology. In this scenario, the user enters his or her username and password to gain access to their web-based mail, calendar and groupware software. They also have an encrypted file stored on their computer to add a second factor of authentication. As with online banking products, if the user tries to log on from a different computer, the technology can ask predetermined questions, such as ‘What school did you attend’, before granting the user access to Google Apps.

“If you take into account the fact that since launching more than a year ago, Google Apps has signed more than 500,000 customers, some of whom are looking for a higher level of security when it comes to signing on to the service, you can see that there is a potentially huge demand for such 100% software solutions.”

This feature was provided by Carol Alexander, vice president marketing, Arcot Systems Inc. She can be contacted at [email protected]

Chip Talk

Where leaders of the smart card revolution air their views

What is cryptographic camouflage?

A sensitive question in public key cryptography is how to protect the private key. Cryptographic camouflage is a method of protecting private keys. Specifically, it does not rely on encrypting the private key under a password long enough to resist exhaustive search. Instead, the key is encrypted so that only one password decrypts it correctly, while many other passwords decrypt it to something that looks like a valid key, leaving an attacker unable to tell offline which guess was right. For certain applications, this method protects a private key against dictionary attack, as a smart card does, but entirely in software.
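The following is an added example illustrating the sidebar's point and the "Protecting the software-only token" passage above; it is not Arcot's code or format. It contrasts a conventional password-protected key file, whose header and integrity tag let anyone with the file reject wrong passwords offline, with a camouflaged container whose every decryption is a syntactically valid private key, so the only party able to tell right from wrong is the server that holds the public key and can count failures. The group (exponentiation modulo the secp256k1 field prime), the salt, the candidate passwords and the low PBKDF2 iteration count are all constructed for the demo.

```python
"""Added example (not from the article): conventional vs. camouflaged
password-protected private-key containers, and where a wrong password
becomes detectable in each design."""
import hashlib
import secrets

# Constructed toy public-key setting: private key x, public key G^x mod P in
# the multiplicative group modulo the secp256k1 field prime. Only the server
# keeps the public key, so the key file cannot be checked against it offline.
P = 2**256 - 2**32 - 977
G = 3
KDF_ITERATIONS = 10_000   # kept low so the demo runs quickly; raise in practice


def kdf(password: str, salt: bytes, length: int) -> bytes:
    """Password-derived pad via PBKDF2-HMAC-SHA256 (standard library)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS, length)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Conventional container: a magic header and an integrity tag wrap the key,
# so the file itself reveals whether a candidate password was right.
MAGIC = b"KEY1"


def conventional_seal(x: int, password: str, salt: bytes) -> bytes:
    body = x.to_bytes(32, "big")
    plain = MAGIC + body + hashlib.sha256(body).digest()[:4]
    return xor(plain, kdf(password, salt, len(plain)))


def conventional_open(blob: bytes, password: str, salt: bytes):
    plain = xor(blob, kdf(password, salt, len(blob)))
    magic, body, tag = plain[:4], plain[4:36], plain[36:40]
    if magic != MAGIC or tag != hashlib.sha256(body).digest()[:4]:
        return None   # wrong password is recognisable from the file alone
    return int.from_bytes(body, "big")


# Camouflaged container: the stored plaintext is only the bare exponent, so
# any password decrypts to a value that is a syntactically valid private key.
def camouflage_seal(x: int, password: str, salt: bytes) -> bytes:
    return xor(x.to_bytes(32, "big"), kdf(password, salt, 32))


def camouflage_open(blob: bytes, password: str, salt: bytes):
    x = int.from_bytes(xor(blob, kdf(password, salt, 32)), "big")
    return x if 1 <= x < P else None   # out of range for only ~2^-224 of guesses


def offline_rejections(opener, blob: bytes, salt: bytes, candidates) -> int:
    """How many candidate passwords the file format rules out with no server
    involved; this is the oracle an offline dictionary attack would rely on."""
    return sum(1 for pw in candidates if opener(blob, pw, salt) is None)


class AuthServer:
    """Holds the public key and counts failed attempts. With camouflage this is
    the only place a wrong key is distinguishable, so lockout policy applies."""

    def __init__(self, public_key: int):
        self.public_key = public_key
        self.failures = 0

    def verify(self, x) -> bool:
        if x is not None and pow(G, x, P) == self.public_key:
            return True
        self.failures += 1
        return False


def keygen() -> int:
    x = 0
    while not 1 <= x < P:
        x = int.from_bytes(secrets.token_bytes(32), "big")
    return x


def demo(candidates=("hunter2", "letmein", "password", "correct-horse")) -> dict:
    salt = b"constructed-per-user-salt"   # constructed; use a random salt per user
    true_password = "correct-horse"
    x = keygen()
    server = AuthServer(pow(G, x, P))
    conv = conventional_seal(x, true_password, salt)
    camo = camouflage_seal(x, true_password, salt)
    # Online check: with camouflage every guess must be presented to the server.
    accepted = [pw for pw in candidates if server.verify(camouflage_open(camo, pw, salt))]
    return {
        "conventional_rejected_offline": offline_rejections(conventional_open, conv, salt, candidates),
        "camouflaged_rejected_offline": offline_rejections(camouflage_open, camo, salt, candidates),
        "server_accepted": accepted,
        "server_failures": server.failures,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the conventional file rejecting the three wrong candidates by itself, while the camouflaged file rejects none; every wrong guess surfaces only as a counted failure at the server, which is what lets a lockout or throttling policy stand in for the per-attempt cost a smart card would impose. The residual range check in `camouflage_open` is the kind of redundancy a real deployment has to keep negligible, and the design only holds if the public key is not published anywhere an attacker could use it to check guesses.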