Source: Confident Technologies
Confident Technologies, Inc., a provider of image-based authentication and verification solutions for websites and mobile applications, today unveiled Confident Multifactor Authentication™, a new approach to two-factor authentication that delivers an image-based authentication challenge to users' mobile phones for a more secure out-of-band authentication process.
An increasing number of online businesses and websites -- from online banks and healthcare portals, to Google and Facebook -- have started deploying two-factor authentication by sending authentication text messages to users' mobile phones for added security. Unfortunately, cybercriminals are keeping pace and have been increasingly targeting the mobile channel for attack. Using a variant of the infamous Zeus malware to intercept and reroute authentication text messages, cybercriminals can authenticate their own fraudulent transactions.
Confident Multifactor Authentication provides a completely new and highly secure way to protect online businesses and their customers from fraud and Zeus-in-the-Mobile (Zitmo) attacks, by securing the second factor and verifying that it is in fact the legitimate user in possession of the mobile device and not another person who may have stolen the user's phone or is surreptitiously intercepting the authentication text messages. The Confident Multifactor Authentication process remains completely out-of-band from the web session and is more secure than displaying an authentication code in plain text, as is done in an SMS text message or soft token.
How Confident Multifactor Authentication Works:
1. When a user first registers with the website or online service, they select a few categories of things they can easily remember -- such as dogs, flowers and cars.
2. When out-of-band authentication is needed -- such as when the user is attempting to transfer money to another account -- an application on the user's smartphone displays a randomly-generated grid of pictures that has a one-time authentication code encrypted within it.
3. The user identifies the pictures that fit their previously-chosen, secret categories by tapping the appropriate pictures on the smartphone display. By identifying the correct pictures, the user is essentially reassembling the one-time authentication code that was encrypted within the grid of images.
The process takes just seconds and because the user authenticates right on the second factor device, it remains completely out-of-band from the web session. The specific pictures displayed on the image grid are different every time, but the user's categories always remain the same. This prevents someone else from learning the user's secret categories by shoulder-surfing or planting keystroke logging malware on the mobile phone.
Because the user must apply a form of secret knowledge on the second factor device itself, Confident Multifactor Authentication verifies that it is actually the legitimate user in possession of the second factor and not another person. Even if someone else gained physical or virtual possession of the mobile device, they would not be able to correctly authenticate when presented with the image grid because they do not know the user's secret categories.
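A minimal model of the flow described above, added here as an illustration; it is not Confident Technologies' code, and the grid size, image catalog, per-cell token format and all function names are assumptions.

```python
import hmac
import secrets
from math import comb

# Constructed image catalog (category -> image ids); all names are hypothetical.
CATALOG = {
    "dogs": ["dog_a", "dog_b"], "flowers": ["rose", "tulip"],
    "cars": ["sedan", "coupe"], "boats": ["kayak", "yacht"],
    "birds": ["owl", "finch"], "fruit": ["pear", "plum"],
    "clocks": ["sundial", "watch"], "hats": ["beret", "fedora"],
    "bridges": ["arch", "cable"], "shoes": ["boot", "sandal"],
}
_rng = secrets.SystemRandom()

def new_challenge(secret_categories, grid_size=9):
    """Server: build a fresh grid and the one-time code it encodes."""
    decoys = [c for c in CATALOG if c not in secret_categories]
    cats = list(secret_categories) + _rng.sample(decoys, grid_size - len(secret_categories))
    _rng.shuffle(cats)
    # Unique per-challenge tokens, so each selection of cells yields a distinct code.
    tokens = [f"{n:04d}" for n in _rng.sample(range(10_000), grid_size)]
    grid = [{"image": _rng.choice(CATALOG[c]), "token": t} for c, t in zip(cats, tokens)]
    expected = "".join(t for c, t in zip(cats, tokens) if c in secret_categories)
    return grid, expected  # only `grid` leaves the server; it has no category labels

def code_from_taps(grid, tapped):
    """Phone: reassemble the code from the tapped cells, in grid order."""
    return "".join(grid[i]["token"] for i in sorted(set(tapped)))

def legitimate_taps(grid, secret_categories):
    """Stand-in for the user recognising images from their own categories."""
    known = {img for c in secret_categories for img in CATALOG[c]}
    return [i for i, cell in enumerate(grid) if cell["image"] in known]

def verify(expected, submitted):
    """Server: constant-time comparison of the one-time code."""
    return hmac.compare_digest(expected, submitted)

def blind_guess_probability(grid_size, n_secret):
    """Chance that someone who knows only how many cells to tap picks the right ones."""
    return 1 / comb(grid_size, n_secret)

if __name__ == "__main__":
    secret = {"dogs", "flowers", "cars"}
    grid, expected = new_challenge(secret)
    print(verify(expected, code_from_taps(grid, legitimate_taps(grid, secret))))
    print(f"{blind_guess_probability(len(grid), len(secret)):.4f}")
```

In this model a 9-cell grid with three secret categories leaves a single blind guess a 1-in-84 chance, so a deployment along these lines would also need single-use challenges and a limit on failed attempts.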
In the wake of continuing large-scale password leaks at sites such as Sony and Gawker Media Group -- where more than 100 million user credentials were published online -- it is clear that businesses need more than just a single layer of password protection on externally-facing websites to protect online accounts and prevent fraud. From financial institutions needing to comply with FFIEC guidelines for strong authentication, to healthcare organizations seeking to provide secure patient access to online medical records, to e-commerce sites protecting access to credit card information stored in customer accounts, organizations across all industries are moving to strengthen user authentication.
"Businesses are struggling to find a way to deploy strong authentication on public-facing websites without excessively burdening their customers," said Curtis Staker, Chief Executive Officer, Confident Technologies. "It's a step in the right direction that more websites are deploying two-factor authentication for users, but the common approaches, including SMS and soft tokens, are not very secure. More than 160,000 mobile phones are lost or stolen each day in the US alone and even more are infected with malware -- giving someone other than the owner physical or virtual possession of the second factor. When authentication codes are clearly displayed in plain text in an SMS message or as part of a soft token on the phone, they add virtually no security because anybody with physical or virtual possession of that second factor device can read the code and use it to authenticate a fraudulent transaction."
By encrypting authentication codes within a graphical display, Confident Multifactor Authentication provides a revolutionary new approach that solves the challenge of balancing strong security with ease-of-use, and makes the second factor secure from both sophisticated threats like Zitmo as well as low-tech threats like the physical loss or theft of the device.
Deployment and Integration Options
Confident Multifactor Authentication is a cloud-based service that can be used as a stand-alone multifactor authentication solution or integrated with existing authentication technologies, risk engines and security processes already in use -- including integrating it with existing SMS-based authentication services to graphically encrypt authentication codes and improve the security of the SMS delivery. It can be deployed as an application on users' smartphones or delivered as a zero-footprint model using the web browser on the mobile phone. Additional delivery options are available to serve users who do not have smartphones.
Confident Technologies' patent-pending approach to the encryption and graphical display of authentication codes is available for white-label integrations by security vendors, application developers and businesses wanting to incorporate the image-based authentication approach in their own mobile applications, web services or security offerings.
Confident Multifactor Authentication is currently available for trial use and evaluation by select organizations.