Mass-Market Authentication: the Gateway to Access-Hungry Consumers

Whether you’re at the cash machine, online to your bank or credit card company or on the phone to your insurance or mortgage provider, until now, the need for greater security has meant added complexity and cost for user and provider alike.

In future, this problem is sure to grow. Consumer-facing organisations want the efficiencies to be gained from e-commerce technologies, and are moving inexorably towards a Web-based interface with their customers.
That could mean asking consumers to navigate increasingly complex layers of password-based authentication, which discourages them from trusting the security of online transactions — only 10 per cent of consumers bank online for this reason. They could also be faced with remembering growing numbers of passwords, enterprises will need to divert scarce resources to helping users recall those passwords, and will continue to have to bear the costs of theft or mistakes following authentication failures.

Yet it doesn’t have to be like that. Security technology can ensure that you keep what’s yours while enabling you to get on with life, letting technology take care of the details. Strong authentication of users that is both easy to use and cost-effective is the answer.

Authentication in a complex world
Consumers in today’s world spend a growing amount of time authenticating their identities to banks, insurance companies, utilities and phone companies, for instance. Before such organisations can process any transactions or information, they need to know that users are who they say they are. In other words, authentication of identity is critical or no trust can exist between the two parties.

Right now, that process consists of what you know — almost invariably a user name and password combination — and, where stronger authentication is required, what you have. This usually takes the form of a hardware or software that generates a second code or PIN, and is known as two-factor authentication.

Names and passwords have a long tradition, going back centuries. They worked well when the numbers to be dealt with were small and a person’s identity could be confirmed by looking at them. In today’s world, that’s not practical, yet reliance continues to be placed in this method, despite its well-publicised weaknesses.

The key problem is that passwords are too easily discovered or guessed — they are often found written down on sticky notes stuck to monitors, for instance. Even when they’re not, passwords can often be derived from well-known information about the user such as their birthday, or spouse, partner or pet’s name. Further, because it’s hard to remember passwords that aren’t standard words — especially as the number of passwords required increases — the average password can often be discovered by a computer attack. This can be achieved using a dictionary or, more time-consuming but ultimately effective, a brute-force lookup that checks every possible combination of characters.

In a corporate environment, end user education as a cornerstone of company security policy can often be the answer to this problem, along with forcing users to update their passwords regularly, and checking the strength of passwords using cracking programs. For consumer applications however, none of these options is realistic. Give customers what they perceive to be a hard time, and a business risks driving them into the arms of the competition.

The mobile future secured
Passwords on their own are too weak to enable full trust, but the alternative is two-factor authentication, which has proven to be both close to unbreakable and is the strongest form of authentication available. Its drawbacks in a consumer application are that it’s also not realistic to expect consumers to carry an additional, special device whose sole function is authentication.

A much better answer is to reap the benefits of two-factor authentication by generating a new password for every authentication using a device that the user already has with them. Research shows that the one device most users both possess and carry with them is their mobile phone.

The way this could work is that the user initiates a transaction, enters their PIN or access code, then the provider of services needing to authenticate someone sends a randomly generated password via SMS to their phone, which they can enter. This proves that they are the right person — a miscreant is highly unlikely to know the user name, the password and possess the phone. And if they are using a browser, a user must enter their access code into the same browser from which they requested it. The ideal solution would also provide non-repudiation, encryption over the link where possible, and would generate passwords that were truly random.

This form of strong authentication shows huge promise. Trials by a number of service providers suggest there are few drawbacks, with the small cost of sending an SMS being offset by the security of knowing they are dealing with the right person.

Compared to other forms of two-factor authentication, the advantages are that:

  • such a system would need no extra infrastructure, so deployment costs on a per-user basis will be low;
  • because the user is familiar with the hardware, there are no additional training or help desk costs to be borne;
  • in some cases, it may help compliance with government, industry, or enterprise regulations for data protection;
  • it can be deployed in very large numbers to cover mass markets;
  • the user need carry no extra devices around, adding convenience and enabling enterprises to differentiate themselves;
  • consumer confidence both in the strength of that security and the protection of their investments from access by the unauthorised will be increased, leading to customer satisfaction and retention.

Only the need for a mobile phone network limits coverage and, even in the US where SMS is not as popular as it is in Europe, trials show that messages both work and travel quickly — one outer limits trial reported a delay between the UK and the US west coast of just four seconds.

When authentication via SMS becomes widespread, businesses and consumers will benefit. In the financial services area, banks and insurance companies are clear beneficiaries. In business to consumer applications, healthcare — ensuring that the consumer is matched, critically, with the right medical records — and bill payment will be transformed. Service providers and enterprises will be able to offer unfettered access to remote users’ desktops no matter where they are, secure that the user can prove their identity.

From a business-to-business perspective, such technology can facilitate supply and buy-side e-commerce, with partners and suppliers being able to authenticate and so gain access to secured extranets, increasing trust between the parties conducting transactions.

Right now, access to information is critical for businesses and consumers alike and this trend is set to grow. What’s needed is a way of authenticating people on a mass-market scale, and using a widely-adopted, easy-to-use technology such as SMS means that access can be secure, more cost-effective and more convenient.

RSA Security’s RSA Mobile, built on its patented, time-synchronous technology and algorithms that deliver proven security to around 13 million end users, provides a platform for consumer-facing organisations to build such a solution. So with RSA Security ready to bring its secure technologies to this market and to fully incorporate industry standards such as Liberty and SAML into future releases, the time is right for this technology.

Both industry and consumers need it, the pre-conditions have been met and the demand is there.

Infosecurity Europe is Europe’s largest and most important information security event. Now in its 8th year, the show features Europe’s most comprehensive FREE education programme, and over 200 exhibitors at the Grand Hall at Olympia from 29th April – 1st May 2003.