Who Are You?

You just can’t trust a username/password combo to verify user identity. It’s time for two-factor.

The cost of implementation and management has also prevented the widespread use of biometrics for online authentication, as has the potential for user error. Biometric devices can reject valid users if the personal asset—finger, hand, retina—is not properly aligned on the biometric scanner.

Multi-Channel Authentication
A newer form of two-factor authentication, multi-channel authentication, splits the login across two separate communication channels. To log in, a user enters the standard username and password combination. The system then sends a one-time password to a mobile device using the Short Message Service (SMS), to a predetermined email address, or to a predetermined phone number. Because the additional password is sent over a different communication channel from the one the credentials were typed into, multi-channel authentication bypasses all of the automated mechanisms commonly used to capture usernames and passwords, thus providing a higher-security login process.

Users Want to Take It Easy
All current two-factor technologies require extra effort from the user. Computer and network users want to access the system and begin working as quickly and effectively as possible, and two-factor authentication slows them down.

This is especially true in e-commerce and online transactions. If anything impedes the login process, the customer will get frustrated, terminate the transaction, and look for a more user-friendly solution elsewhere. For example, in researching this article I went to the Web site of a bank that has reportedly implemented an effective two-factor authentication solution for its customers. After some diligent surfing and half a dozen clicks, I found a menu item listing a demo of their online services. I thought I might be able to see their login process, so I clicked on the menu item. After staring at the “demo loading” screen for an inordinate amount of time, I received a message that my browser was not supported. Interruption number one.

I then switched browsers and attempted to access the demo again. Again I made it to the “demo loading” screen, but this time instead of the requested demo I got a message telling me to disable my Java Plugin. Interruption number two. Although this is not a complex task, I gave up and went searching elsewhere for information. This “two strikes and you’re out” policy applies for many users of online services.

Had I been trying to access my account to pay a bill or transfer funds, the bank could very well have lost a customer.

Risk-Based Authentication
The most recent development in authentication—risk-based authentication—evaluates each login attempt based on numerous factors and then gives it a risk score. If a login attempt is designated low risk, the user is authenticated and logged into the system with just the username and password. If the login attempt is rated high risk, however, the user is required to respond to additional authentication requests.

One popular implementation of risk-based authentication is eSphinx from Cyota. eSphinx is designed for online banking and uses several different data sets to evaluate the risk factor of an online transaction. One of its data sets comprises information on user behavior during previous online transactions. For example, if the user logs in around noon for nearly every transaction, a login attempt at 3:00 a.m. would receive a higher risk rating.

eSphinx also considers a data set of device information, such as the IP address, browser, and location of the login attempt. (This can also be considered device-based authentication, which many two-factor authentication products can implement.) If a user consistently logs in from an IP address block associated with California and uses Internet Explorer, a login attempt from an IP address block associated with North Korea using Firefox would significantly raise the risk level.

The last data set examined is something Cyota refers to as its eFraud Network™, a database of fraud activity provided by all its clients. The IP address and other technical information of a login attempt are compared against this database. If they match, the session can be terminated. What makes this intriguing is that the information is collected from different banks located in different parts of the world.
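The three data sets just described (login-time behaviour, device and location, and a shared fraud database) combined into one scoring function, as an added example rather than Cyota's own code; the IP ranges, region table, weights and the step-up threshold are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed tables (documentation IP ranges, not real data): a stand-in for a geolocation
# lookup from IP block to region, and a stand-in for the shared fraud-activity database.
REGION_BY_BLOCK = {
    ipaddress.ip_network("198.51.100.0/24"): "California",
    ipaddress.ip_network("192.0.2.0/24"): "North Korea",
}
FRAUD_NETWORK = {ipaddress.ip_network("203.0.113.0/24")}

@dataclass
class Profile:            # built from the user's previous logins (behaviour data set)
    usual_hour: int       # hour of day (0-23) at which the user normally logs in
    usual_region: str     # region of the IP block the user normally logs in from
    usual_browser: str

@dataclass
class Attempt:            # the login attempt being scored (device data set)
    ip: str
    hour: int
    browser: str

def region_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((r for net, r in REGION_BY_BLOCK.items() if addr in net), "unknown")

def in_fraud_network(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in FRAUD_NETWORK)

def risk_score(profile, attempt):
    score = 0
    # Behaviour: hours between the attempt and the usual login time, wrapping at midnight.
    delta = abs(attempt.hour - profile.usual_hour)
    delta = min(delta, 24 - delta)
    score += 30 if delta >= 6 else 10 if delta >= 3 else 0   # weights are assumptions
    # Device: does the IP block's region and the browser match the user's habit?
    if region_of(attempt.ip) != profile.usual_region:
        score += 40
    if attempt.browser != profile.usual_browser:
        score += 20
    return score

def decide(profile, attempt, step_up_at=40):
    # A hit in the fraud database terminates the session before any scoring.
    if in_fraud_network(attempt.ip):
        return "terminate", None
    score = risk_score(profile, attempt)
    return ("step_up" if score >= step_up_at else "allow"), score
```

A low score lets the username and password through on their own; a score at or above the threshold requires the additional authentication step the text describes.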