Saturday, June 10, 2006

Are you "you" ... authenticate to me...

Today a user gets all information and services on his mobile. Cellular service providers have taken the next step to enable credit card services on mobile devices. In the future, users would like to get all information on their mobile and do most of their online work on mobile devices. They will go online using GPRS to do financial transactions, update a contract, access a CRM application to get customer status, etc. It is very clear that single static password based authentication mechanisms have outlived their usefulness. The need for a second authentication factor has become clear and strong now. As users spend more time online via their mobile devices, going over an open wireless network to the Internet, the probability of password theft, spoofing and man-in-the-middle attacks increases.

The two-factor solution requires a user to use a hardware token to generate an OTP (one time password) and use that to authenticate. If the user goes online 3 times in a day and accesses 5 sites that implement OTP-based two-factor authentication, the user will have to generate the OTP on the hardware token 15 times, read the OTP from the hardware token, enter it on screen and then authenticate. After a couple of months the token needs to be reinitialized or changed. This is not the normal way a user accesses the Internet or online services today. We are definitely reducing the risk of password theft, but at the cost of user inconvenience. Imagine a user having to carry a bunch of tokens and stick a note on each device to identify which one to use where. A hardware token based two-factor authentication solution doesn’t seem to work for a common user.

We think the perfect solution must make use of existing infrastructure. Nowadays every user carries a mobile device with him. Mobiles generally have more computational power than hardware OTP tokens and are expected to become more powerful in coming years. Exploiting the mobile’s computational power to generate OTPs is not new.
There are solutions available that provide authentication services via mobile. These solutions solve one problem, the cost factor. Also, a user need not carry a number of different tokens for different services. But again, the software has its own problems. The mobile device client is specific to a vendor. A user needs to use one client software for one company and a different one for another. Client deployment and re-synching are further issues corporate IT departments need to take care of. A user needs to read the OTP from the mobile and enter it on the website to authenticate. Reading from a mobile’s small screen is not so convenient. Also, the count of digits in the OTP has to be limited to a small number, typically 6-8, so that it is not hard for users to read it from the screen and type it on the login portal. This limits the strength of the OTP and the time duration for which a seed is valid. Issues related to client software on a mobile device can be correlated to issues with having software on a user’s PC. Corporate IT departments need to take care of software updates, deployment, revocation and other issues. Today, for PC-based users, enterprises prefer a solution that doesn’t have such issues. Web-based solutions and smart solutions that don’t have many support issues are preferred. We are going to see the same trend for mobile users: a smart solution that is transparent to users yet secure enough to stand against next generation attacks. The solution needs to build trust so that users are confident that they are secure when they access online services over insecure Internet connections. If such a solution is not found, the Internet will soon cease to be used as a medium for online transactions.
© Copyright, Vij
