Information Card Win #2 - Two Factor Authentication
This is the second part in my series of easy wins your organization can have with Information Card technology today. The first part can be found here.
As I stated in Win #1, I am focusing mostly on Self-Issued Information Cards. This is because that is something totally under your control as an organization. You don’t need to set up a federated relationship with anyone.
It’s no secret that the 2005 FFIEC guidance has caused some consternation for banks that offer online services. The guidance mandates that single-factor authentication is not sufficient for sensitive online banking. This is a problem for banks for several reasons. First, the guidance doesn’t say what constitutes sensitive or what kinds of two-factor authentication should be used. The only thing that is clear is that banks are not going to be rolling out One-Time-Password (OTP) authentication such as SecurID or OATH-enabled devices.
Most banks seem to be complying by using a second factor such as SiteKey, which is used by B of A, or additional challenge questions based on transaction risk assessments. Banks and other financial institutions that are still struggling with their two-factor authentication strategy may want to consider Information Cards as a second authentication factor.
In many respects Information Cards and SiteKey have similar security properties, although Information Cards are far superior. They both offer anti-phishing features and perform client authentication. The advantage of SiteKey is that all the client needs is the Flash plugin, whereas non-Vista users will need to install either IE 7.0 and .NET 3.0 or a comparable Information Card implementation for Firefox or Safari. The advantage of Information Cards is that they are free and far superior to SiteKey from a security standpoint. I may follow up with a more extensive explanation of why Information Cards (especially the Microsoft CardSpace implementation) are superior to technologies like SiteKey. For now I will just summarize them both as "what you have" forms of authentication.
From an end-user perspective, the process of enrolling InfoCard authentication on an existing account would be the same. You would ask the user to log in using the account ID and password plus whatever additional information would be appropriate. You would then invoke the Information Card login and record the PPID and public key of the selected Information Card.
After that you could allow the user to authenticate using Information Cards to browse the site, but ask for the account ID and password when the user wants to perform sensitive operations such as bill paying or fund transfers.
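The enrollment and step-up flow described above, modelled in Python as an added example (this is not code from the original post or from CardSpace). It assumes the `cryptography` package, stands in for the card selector with a locally generated RSA key pair and a constructed PPID, and uses hypothetical names (AccountStore, new_card, key_id); a real relying party would take the PPID and public key from the signed token the card selector returns rather than from a bare challenge signature.

```python
import hashlib, hmac, os
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

SENSITIVE_OPS = {"pay_bill", "transfer_funds"}  # these need account ID + password again
STEP_UP_TTL = 300  # seconds a fresh password check stays valid (assumed value)
SIG = (padding.PKCS1v15(), hashes.SHA256())  # signature scheme for the login challenge
def pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
def key_id(pub):  # DER SubjectPublicKeyInfo: a stable identifier for the card's key
    return pub.public_bytes(serialization.Encoding.DER,
                            serialization.PublicFormat.SubjectPublicKeyInfo)
def new_card(ppid):  # stand-in for the card selector: key pair + site-specific PPID
    return ppid, rsa.generate_private_key(public_exponent=65537, key_size=2048)

class AccountStore:  # relying-party side (hypothetical name)
    def __init__(self):
        self.accounts = {}  # account_id -> {"salt", "pw", "card"}
    def add_account(self, account_id, password):
        salt = os.urandom(16)
        self.accounts[account_id] = {"salt": salt, "pw": pw_hash(password, salt), "card": None}
    def check_password(self, account_id, password):
        acct = self.accounts.get(account_id)
        return bool(acct) and hmac.compare_digest(acct["pw"], pw_hash(password, acct["salt"]))
    def enroll_card(self, account_id, password, ppid, pub):
        # Enrollment: prove the account with ID + password, then bind the card's PPID and key.
        if not self.check_password(account_id, password):
            return False
        self.accounts[account_id]["card"] = (ppid, key_id(pub))
        return True

    def card_login(self, account_id, ppid, pub, challenge, signature):
        # PPID and key must match the enrolled pair; the signature proves the card holds the key.
        acct = self.accounts.get(account_id)
        if not acct or acct["card"] != (ppid, key_id(pub)):
            return None
        try:
            pub.verify(signature, challenge, *SIG)
        except InvalidSignature:
            return None
        return {"account": account_id, "step_up_until": 0.0}

    def authorize(self, session, operation, now, password=None):
        # A card session is enough to browse; sensitive ops need the password again.
        if operation not in SENSITIVE_OPS or session["step_up_until"] > now:
            return True
        if password is not None and self.check_password(session["account"], password):
            session["step_up_until"] = now + STEP_UP_TTL
            return True
        return False
```

The challenge must be fresh per login so a captured signature cannot be replayed, and the step-up window is kept in the server-side session, not in anything the client can edit.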
The best form of authentication financial institutions can deploy is transaction authentication. This measures the IP address the user is coming in from, their geolocation, user history, time of withdrawal, user's computer hardware etc. As Bruce Schneier keeps pointing out, it is only at the point of transaction that risk can be best mitigated.
While I am a keen proponent of Infocards, I am still somewhat sceptical of their role in thwarting criminals.
Guy