By Donald Canning
Emerging Business Team, Microsoft
It’s getting harder and harder to gain users’ trust while embracing the latest buzz surrounding Web 2.0 and online transaction processing when fears of identity theft due to phishing and spoofing are on the rise. Out-of-band (OOB) security and validation dramatically decrease online fraud by ensuring the rightful user is controlling the credentials used to access payment-type services.
This closed-loop process validates that users are who they say they are – quite literally combining digital user-centric identity (login identification and password) with a telephone call to your phone and voice processing. Authentify has emerged as a leader in OOB authentication. Authentify’s innovative solutions for OOB authentication and authorization have positioned it well in the rapidly emerging next-generation online identity space – you might call it “Authentication 2.0.” Authentify’s platform easily enables the telephone as a means to reach beyond the computer and “touch” the person on the other side of a transaction using 100 percent Microsoft scalable technologies.
Since the dawn of the multi-user computer, managing user profile information has always been a challenge. Authentication is difficult inside the enterprise where all of the individuals are “known.” Authentication over the Internet at the consumer level is much more difficult. Authentify’s founders have spent years developing systems administration tools for enterprises, and have sought to develop ways to enable trustworthy computing by using auditable means of authentication at Internet scale.
As user names and passwords have proven vulnerable, sites have begun to use an ever more complicated collection of “private data” to authenticate users. This “war of escalation” around shared secret data cannot be won. If a community is large enough, and the information protected valuable enough, phishing, pharming and key-logger attacks will figure out how to acquire the data necessary to gain access to accounts. Realization that this war cannot be won has resulted in a drive towards stronger authentication.
Authentify changes the rules of the authentication game. By reaching outside the network, Authentify protects end users from data breaches. With Authentify, a “bad guy” might know all of your private information, but be unable to control your account without actually answering your phone. And this protection comes with no extra effort on your part.
Authentify developed a process that uses the telephone to provide a scalable, automated, auditable enrollment process. The many benefits of the telephone were already evident, but Authentify made it easy to use the telephone for authorization and authentication.
Let’s say you are on the Web and about to perform an important transaction. After logging in and specifying the transaction, the site will present a page showing your phone numbers on file and asking which number you can answer right now. When you select the number, Authentify places an outbound telephone call and a few seconds later your phone rings. Authentify synchronizes the phone call to the Web session (to ensure only the party answering the phone can complete the transaction), perhaps performs some additional authentication, and then audibly delivers an authorization code. A “bad guy” who has all of your personal information could still not answer your phone.
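The flow above can be sketched as a session-bound, single-use code check. This is an added example, not Authentify's code: the `OobAuthorizer` class, the `place_call` telephony hook, the 120-second lifetime, the attempt limit and the binding of the code to the transaction string are all assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

CODE_TTL = 120      # seconds a spoken code stays valid (assumed policy)
MAX_ATTEMPTS = 3    # wrong entries allowed before the challenge is voided

class OobAuthorizer:
    """Issues one-time codes bound to a web session and a transaction."""

    def __init__(self, place_call, clock=time.time):
        self._place_call = place_call   # hypothetical telephony hook: (phone, code)
        self._clock = clock
        self._pending = {}              # session_id -> challenge record

    @staticmethod
    def _digest(session_id, txn, code):
        # Keep only a hash tied to this session and this exact transaction.
        return hashlib.sha256(f"{session_id}|{txn}|{code}".encode()).digest()

    def start(self, session_id, phones_on_file, chosen_phone, txn):
        # The call may only go to a number already on file for the account,
        # never to one supplied during the current (possibly hijacked) session.
        if chosen_phone not in phones_on_file:
            raise ValueError("number not on file")
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[session_id] = {
            "digest": self._digest(session_id, txn, code),
            "expires": self._clock() + CODE_TTL,
            "attempts": 0,
        }
        self._place_call(chosen_phone, code)   # the code leaves via the phone only

    def confirm(self, session_id, txn, entered_code):
        rec = self._pending.get(session_id)
        if rec is None:
            return False
        if self._clock() > rec["expires"] or rec["attempts"] >= MAX_ATTEMPTS:
            del self._pending[session_id]      # expired or guessed too often
            return False
        rec["attempts"] += 1
        ok = hmac.compare_digest(rec["digest"],
                                 self._digest(session_id, txn, entered_code))
        if ok:
            del self._pending[session_id]      # single use: no replay
        return ok
```

Because the code never travels over the web channel, a party holding the login credentials but not the phone has nothing to enter, and a code heard on the phone is useless in any other session or for an altered transaction.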
The Authentify platform is at its heart a workflow manager. The workflow manager enables Authentify customers to develop authentication/authorization processes that meet their requirements and policies. Within a workflow, the Authentify platform enables a variety of features, including inbound and outbound telephony, voice processing, SMS, email and e-Sign. Authentify continues to expand the capabilities of the platform as customers request new functionality.
“Strong authentication” is typically seen as requiring two additional components. First, there needs to be an authenticator – a credential, stronger than just a password (grid card, OTP token, digital certificate, smart card, etc.). These credentials range in complexity, but share the characteristic that they do not rely solely on data. Second, the process for binding the rightful owner of an account to that credential (enrollment) must be more highly trusted and auditable. Why bother to issue a “stronger” credential if you are not going to put in place processes that seek to ensure the credential gets into the hands of the rightful owner? And, perhaps more importantly, the enrollment process should provide some human-understandable proof of “who” accepted the credential. To provide this stronger authentication at volume, the enrollment process must be scalable.
The FFIEC guidance has had financial institutions scrambling to meet the January 1, 2007 deadline to provide "stronger authentication." Virtually all institutions have completed their risk assessments. Most are down the path of implementing some form of stronger authentication, and some even have those tools live. Stronger authentication approaches lean towards favoring ease of use and less invasive processes.
Authentify has taken the position that any authentication or risk management approach that relies solely on communications over the Internet is at risk. All approaches can benefit from out-of-band communication for critical use cases, particularly enrollment, temporary access and high value transaction authorization.
Authentify offers an outsourced service to enable the telephone to provide real-time out-of-band contact with Internet users for authentication and authorization events. Its Web services approach has attracted much attention. Some of the largest eCommerce providers and Fortune 500 companies such as Bank of America and Hewlett Packard employ the service. Particularly in the FFIEC space, companies like EMC/RSA and VeriSign are OEM providers of the Authentify service. Authentify has proven the success of its platform and approach and today processes over 1.5 million authentication events each month for end users around the world.