
December 15, 2009

Layered Security Strategy, the Key to Trust

Han Dong, Senior Product Marketing Manager, User Authentication

Some thoughts on a couple of recent articles, one from Gartner Research: Where Strong Authentication Fails and What You Can Do About It, by Avivah Litan and a similar article by Jaikumar Vijayan in Computerworld, which also references Ms. Litan's article.

The basic idea presented in these two articles is that "one-time passwords...are no longer enough to protect online banking transactions against fraud." One-time password (OTP) token-based two-factor authentication can be defeated by man-in-the-browser malware that silently rewrites the user's transactions to steal their assets. So the general recommendation from Avivah Litan is "A layered fraud prevention approach that includes server-based fraud detection and out-of-band transaction verification that precludes call forwarding to illegitimate user phone numbers can and has mitigated these threats."

We agree that OTP is not the end-all, be-all of security for the internet. In fact, VeriSign was recently recognized as a "best in class authentication technology solution" by Javelin Strategy & Research, primarily because VeriSign recommends a layered security approach to its customers for protecting online transactions. This approach includes Extended Validation SSL, which authenticates the website to the user with an easily identifiable green address bar. It also includes the VeriSign Identity Protection Fraud Detection Service, which delivers risk-based authentication: it monitors a user's behavior and triggers additional authentication when abnormal patterns are noted. And it includes the VeriSign Identity Protection Service, one-time password (OTP) authentication that mitigates account takeover by requiring an additional factor, beyond username and password, for access to critical accounts. OTP in and of itself is not a panacea, but it is part of a multi-layered security approach that anyone conducting business online should consider to protect its customers and business.

Fraud may be on the rise, so whom do you turn to for trust in the online world?
Easy, look for the check.

December 3, 2009

Password for my password

Han Dong, Senior Product Marketing Manager, User Authentication

I just read an article in CNET, by Jonathan Eunice, Character limitations in passwords considered harmful. And immediately after reading the story I thought to myself, Jonathan (may I call you Jonathan), we have the answer to your troubles. It's called VeriSign Identity Protection (VIP) Authentication Service and it's precisely what you need to address your goal of strong authentication for your "4,000 web services."

Jonathan's article described how various websites frequently restrict your ability to create 'stronger' passwords that use symbols (e.g. !@#$%^&), and thus relegate the user to simple (and easy to steal) phrase or nickname passwords. So he is thwarted in his attempt to use a password like "Ga9i)t|Z" by the fact that the website in question does not allow these special characters in passwords. And he's forced to use "easy-to-remember, easy-to-hack passwords." Not an ideal solution.

So here's where VIP comes in. VIP is an easy-to-implement two-factor authentication service that employs an open standards-based one-time password credential to strengthen your existing userid and password. The VIP Authentication Service provides cloud-based second-factor authentication, integrated with your web service via a Web Services-based API. The VIP credential is available as a small hardware token or as a client application on your mobile phone (always available, regardless of wireless network coverage, because the code is generated on the device). The VIP credential generates a 6-digit code that changes every 30 seconds. The credential is registered with a relying party web service, and every time you initiate a login session to that web service, in addition to entering your easy-to-remember userid and password, you also enter the 6-digit code from your credential as a "second" password.

Now Jonathan essentially has a password for his password. And better yet, that password for his password is uniquely generated (based on OATH standards) and constantly changing, every 30 seconds. Someone would have to physically steal Jonathan's mobile phone or VIP token IN ADDITION to stealing his userid and password to break into his favorite websites. Jonathan can combine something he knows (userid & password) with something he has (VIP credential) to add strong password protection. Now he can log in, safely and securely.

So Jonathan, feel free to use "goofdog" as your password - just be sure to add VIP Authentication and you're good to go.

December 1, 2009

Bourne Identity Protection

Han Dong, 'Blogger of Light'

Did you catch it on the tube last night?
Did you see the VeriSign Identity Protection Access for Mobile credential in action?

[Screenshot from the AT&T commercial showing the VIP credential]

In case you missed it, check out the link on YouTube (0:21)

As for how this relates to you, me and your everyday secret agent, I think this fun video demonstrates the value of using One-Time Passwords for strong authentication of your mobile applications. Yes, we have an "app" for that.

Kudos to our esteemed Product Manager, Erica Huang, and her efforts to have VeriSign included in the AT&T commercial.


Disclaimer: Opinions expressed here and in any corresponding comments are the personal opinions of the original authors, not of VeriSign.
