Authentify is debuting a new solution for companies looking to add a second authentication factor on top of password protection for their online services or processes.
The company’s 2CHK app is an out-of-band (OOB) authentication tool that works like this: the end user activates the app on their smartphone or PC and links it securely to their company login account or identity directory using voice- or SMS-based OOB authentication. Once this is done, the 2CHK app is “always on” and maintains a secure channel to Authentify’s authentication service.
IT and Internet industry experts are increasingly calling for two-factor authentication to replace weak password security as each passing week brings more high profile data breach incidents:
- Dropbox is adding two-factor authentication, after a stolen password was used to access an employee’s Dropbox account containing a document with users’ email addresses
- The head of Google’s Webspam team, Matt Cutts, is recommending Google users turn on Google’s two-factor authentication
- Wired reporter Mat Honan, in his excellent blog post analyzing his own victimization in an “epic hack,” admits that had he used two-factor authentication with Gmail he might have interrupted the chain of events the hackers used
- LinkedIn’s June data breach reportedly made some 6.5 million passwords public on a Russian hacker site, and the company now faces a $5 million-plus lawsuit
2CHK complements online and mobile banking security by providing a completely separate app and OOB channel that protects against stolen passwords and, due to layers of encryption, cannot be defeated by man-in-the-middle and man-in-the-browser attacks.
Customers see transactions in the 2CHK app and can confirm or reject them easily. This contrasts with traditional OOB implementations that send a one-time password (OTP) by phone call or text message, which the customer then re-enters separately in the login window or in the online or mobile banking app.
Another important advantage is that this gets consumers more directly involved in monitoring their own accounts using their own mobile devices.
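The push-and-confirm flow described above, modelled as an added example that is not Authentify’s code and does not reflect the actual 2CHK protocol: the server pushes the transaction as it actually received it to the enrolled device over the separate channel, the app shows those details to the user, and the user’s approve/reject decision is returned bound to those exact details. The per-device HMAC secret established at enrollment, the account and transaction values, and the tampering scenario are all constructed for the illustration.

```python
import hashlib
import hmac
import json
import secrets


def _canonical(obj) -> bytes:
    """Stable serialisation so server and device MAC the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _tag(secret: bytes, txn_id: str, details: dict, decision: str) -> str:
    """Bind the decision to this transaction id and these exact details."""
    body = _canonical({"txn_id": txn_id, "details": details, "decision": decision})
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


class AuthService:
    """Server side: holds per-device enrollment secrets and pending requests."""

    def __init__(self):
        self._secrets = {}   # account -> device secret (assumed enrollment binding)
        self._pending = {}   # txn_id -> (account, details) awaiting a decision

    def enroll(self, account: str) -> bytes:
        # Constructed: a random shared secret stands in for whatever the real
        # enrollment exchanges over the voice/SMS channel.
        secret = secrets.token_bytes(32)
        self._secrets[account] = secret
        return secret

    def request_confirmation(self, account: str, details: dict) -> dict:
        """Push the transaction, as the bank received it, over the OOB channel."""
        txn_id = secrets.token_hex(8)
        self._pending[txn_id] = (account, details)
        return {"txn_id": txn_id, "details": details}

    def receive_decision(self, txn_id: str, decision: str, tag: str) -> bool:
        pending = self._pending.pop(txn_id, None)   # one-shot: a reused approval fails
        if pending is None:
            return False
        account, details = pending
        expected = _tag(self._secrets[account], txn_id, details, decision)
        return hmac.compare_digest(expected, tag) and decision == "approve"


class Device:
    """The app side: shows the pushed details to the user and signs the decision."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def decide(self, message: dict, intended: dict) -> tuple:
        # The user compares what the app shows against what they meant to do.
        decision = "approve" if message["details"] == intended else "reject"
        tag = _tag(self._secret, message["txn_id"], message["details"], decision)
        return message["txn_id"], decision, tag


def run(intended: dict, submitted: dict) -> bool:
    """One full exchange: enroll, push, decide on the device, verify on the server."""
    svc = AuthService()
    dev = Device(svc.enroll("alice"))
    msg = svc.request_confirmation("alice", submitted)
    return svc.receive_decision(*dev.decide(msg, intended))


def honest() -> bool:
    txn = {"to": "ACME Utilities", "amount": "50.00"}   # constructed
    return run(txn, txn)


def browser_tampered() -> bool:
    # Constructed man-in-the-browser scenario: the payment submitted to the bank
    # is not what the user typed, so the pushed details do not match and the
    # user rejects it in the app.
    intended = {"to": "ACME Utilities", "amount": "50.00"}
    return run(intended, {"to": "unknown payee", "amount": "5000.00"})


def replayed() -> bool:
    # A captured approval presented a second time is refused: the pending
    # request was consumed on first use.
    svc = AuthService()
    dev = Device(svc.enroll("alice"))
    txn = {"to": "ACME Utilities", "amount": "50.00"}
    decision = dev.decide(svc.request_confirmation("alice", txn), txn)
    first = svc.receive_decision(*decision)
    second = svc.receive_decision(*decision)
    return first and not second
```

The point of the model is the contrast with OTP re-entry: an OTP typed back into the browser authenticates the session but says nothing about which transaction is being approved, whereas here the user sees the transaction the bank actually holds and the approval is cryptographically tied to it, so a tampered or redirected request cannot borrow an approval meant for a different one.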
“The threats to online environments and digital property have evolved dramatically in the last few years,” said Andy Rolfe, the chief technology officer at Authentify. “End users and the defenses on which they rely have to evolve as well – or they fail. It’s a progression as old as time.”
A proven and effective countermeasure recommended by federal authorities, regulators and leading consulting firms, OOB authentication is used by banks and ecommerce providers to protect against man-in-the-browser attacks designed to steal login credentials or hijack online sessions. The capability to add OOB safeguards within multiple layer security models fulfills industry best practices as recommended by the FFIEC, Gartner Research, Inc., the FBI, the U.S. Secret Service and NACHA.
“Out-of-band authentication can save your digital assets, so to speak,” added John Zurawski, vice president at Chicago-based Authentify. “Both NIST and the FDIC have cited the strength of our type of phone-based out-of-band authentication for protecting government and financial accounts. As more of our lives become virtual, more is at risk. Many folks lock up their important papers and valuables in the real world. Stronger protection in our cyber world simply makes sense.”