Posted by Andras Cser on December 20, 2007
With CardSpace and Higgins still in nascent, almost non-existent market adoption, you may wonder what authentication features you should look for when shopping online. Usernames and passwords are a thing of the past: you can safely assume that you will log in from a computer that has a keylogger or trojan capturing your keystrokes, and with them your username and password.
Savvy customers are increasingly turning towards online retailers and financial institutions which provide at least some form of multi-factor authentication to protect against password theft. The following list gives a compass to consumers and vendors to navigate the misty waters of online transactions.
Smart cards / USB tokens (very costly, high level of security, great user inconvenience)
Hardware-based solution that stores applications and PKI certificates used to authenticate to a site. These cards can also include a magstripe for physical access management and RFID proximity sensors.
Vendors: ActivIdentity, Aladdin Knowledge Systems, CRYPTOcard, Entrust, PortWise, RSA Security, VASCO Data Security
One time password hardware token (very costly, high level of security, great user inconvenience)
The token generates a one time password that the user must enter during login.
Vendors: ActivIdentity, Entrust, CRYPTOcard, Secure Computing Safeword, RSA Security, VASCO Data Security
One time password software (costly, medium level of security, medium user inconvenience)
The user has a portable device (a cell phone) running software that generates the OTP.
Vendors: ActivIdentity, Entrust, CRYPTOcard, PortWise, RSA Security, VASCO Data Security
Wallet card (scratchpad, gridcard) (inexpensive, low level of security, medium user inconvenience)
The user has a list of one time passwords printed on a sheet, or a grid card of letters and numbers, from which the user reads the value to enter when logging in.
Out of band authentication (costly, medium level of security, medium level of user inconvenience)
The user receives a secondary one time password via a text message or a callback to their registered cell phone.
Vendors: Authentify Technology, Digital Resolve, RSA Security/PassMark Software, Swivel Secure
Device fingerprint (inexpensive, low to medium level of security, low user inconvenience)
Upon login, the user’s desktop software, hardware and browser environment generate a unique fingerprint. If the user’s desktop changes, the user is prompted for additional knowledge-based authentication (i.e. the user must answer multiple security questions correctly in addition to providing the correct username and password).
Vendors: Oracle Adaptive Authentication Manager (Bharosa acquisition), Digital Envoy, Entrust, iovation, RSA Security
File-based device authentication (inexpensive, low to medium level of security, low user inconvenience)
The website puts a cookie in the user’s browser and uses that cookie to display a user-selected image the next time the user logs in. This method authenticates the website to the user (mutual authentication).
Vendors: Arcot Systems, TriCipher, Oracle Adaptive Authentication Manager (Bharosa acquisition), Entrust, RSA Security/PassMark Software
IP Geolocation (inexpensive, low level of security, low user inconvenience)
Inbound access management checks the user’s IP address for a plausible login velocity (a user can’t legitimately log in from an IP address in the US and then, within 30 minutes, from one in China).
Vendors: Digital Element, Quova, Oracle Adaptive Authentication Manager (Bharosa acquisition)
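A minimal version of the velocity check described above, as an added example that is not part of the original post: it assumes a constructed IP-to-country table (the address ranges are placeholders, not real allocations; a real deployment would query a geolocation database) and a constructed login log, and flags any user whose login country changes within the 30-minute window.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed stand-in for an IP geolocation database (hypothetical ranges).
GEO_TABLE = [
    (ip_network("203.0.113.0/24"), "US"),
    (ip_network("198.51.100.0/24"), "CN"),
    (ip_network("192.0.2.0/24"), "US"),
]


def country_for(ip: str) -> str:
    """Map an IP address to a country code via the constructed table."""
    addr = ip_address(ip)
    for net, country in GEO_TABLE:
        if addr in net:
            return country
    return "??"  # unknown range: a real system would treat this as suspicious


# Constructed sample login log, one "timestamp user ip" record per line.
SAMPLE_LOG = """\
2007-12-20T09:00:00 alice 203.0.113.10
2007-12-20T09:20:00 alice 198.51.100.7
2007-12-20T09:05:00 bob 192.0.2.44
2007-12-20T11:00:00 bob 198.51.100.9
2007-12-20T09:25:00 carol 203.0.113.99
"""


def parse_log(text: str):
    """Parse log lines into (timestamp, user, ip) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, ip = line.split()
        events.append((datetime.fromisoformat(ts), user, ip))
    return events


def velocity_violations(events, window=timedelta(minutes=30)):
    """Return (user, earlier_ip, later_ip) for each login whose country
    differs from the same user's previous login within the window."""
    flagged = []
    last_seen = {}  # user -> (timestamp, ip, country) of the most recent login
    for ts, user, ip in sorted(events):
        country = country_for(ip)
        prev = last_seen.get(user)
        if prev is not None:
            prev_ts, prev_ip, prev_country = prev
            if prev_country != country and ts - prev_ts <= window:
                flagged.append((user, prev_ip, ip))
        last_seen[user] = (ts, ip, country)
    return flagged
```

In the sample log only alice trips the check (US to CN in 20 minutes); bob's country change is spread over almost two hours and is left alone.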
Keystroke dynamics (inexpensive, medium level of security, medium user inconvenience)
The user’s keystroke dynamics when entering the username and password (how long each key is held down and how long it takes to move between keys) are used as a second factor for authentication.
Vendors: BioPassword, iMagic Software