Is next generation authentication technology the answer to identity theft and online fraud? Stephen Meredith, a VP at Swivel Secure, looks at the issues.

Every day billions of dollars are being lost by financial institutions and corporate enterprises through a range of ingenious acts of internet fraud. This global problem is now reaching epidemic proportions and is the major security challenge currently facing the IT industry.

In recent years significant progress has been made in firewall, virtual private network (VPN) and antivirus technology to protect the central server and corporate networks. Improved encryption protocols have pretty much secured data in transmission from the end-point device to the server. Where many networks are still vulnerable is at the end-point itself, effectively the front door to any back-end system.

Enterprises that are still relying on inherently weak password systems for protection against unauthorized access are simply not taking security seriously. The reason so many still use what is widely regarded as the weakest form of authentication is that the alternatives are proving either too expensive or too inconvenient for legitimate users, while still being vulnerable to a range of sniffer devices and Trojan spyware.

A different approach to authentication is needed, designed to ensure not only that there is a very high level of probability that the person trying to access a private network is the person they say they are, but also that their identity is protected during the authentication process.

One of the major contributing factors in the growth of internet fraud is the vulnerability of an individual's identity credentials to capture by Trojan keystroke sniffers, optical character recognition spyware or simple casual observation by a co-worker.

Once these credentials have been compromised it is relatively simple to not only gain access to useful detailed personal information but to use the information to obtain bank credit or to conduct credit card transactions online, leaving the victim to pick up the pieces - and the bill!

Next generation authentication software aims to deal specifically with these threats by ensuring that each element of the authentication credential that is transmitted over a remote network connection or entered at an end-point keyboard has no validity beyond the active authentication event if it is intercepted.

One answer could be a strong, two-factor authentication system that uses a wireless mobile device such as a cell phone or PDA to generate a one-time access PIN for each authentication event, replacing the need for any dedicated token device or client-side software that is typically offered as a part of the older generation, two-factor security solutions.

Like many technologies in its class, this approach would issue users with a user ID and a PIN, which can be from four to ten digits long, at registration. However, at the same time they are also sent an SMS to their mobile device, which contains a randomly generated 10-digit security string. To authenticate themselves to a web service or corporate intranet, the user initiates the session by entering their user ID in the web browser along with their one-time code (OTC).

The OTC is obtained either by extraction from the text message or by entering the PIN using a J2ME applet running on a Java-enabled device. The OTC is then entered via the browser and delivered via an SSL tunnel to a server. From there it is a relatively simple process to compare the returned code with the one anticipated to pass the user through.
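The server side of the exchange described above can be sketched as follows. This is an added example, not code from the article or from any vendor. The article does not state the extraction rule, so the one used here (each PIN digit selects a position in the 10-digit security string, with 0 meaning the tenth) is an assumption, as are the class and function names and the choice to issue a fresh string per authentication event.

```python
import hmac
import secrets


def extract_otc(pin: str, security_string: str) -> str:
    """Assumed rule: PIN digit d picks the d-th character (0 = the 10th)."""
    return "".join(security_string[(int(d) - 1) % 10] for d in pin)


class Authenticator:
    """Hypothetical server: issues security strings and checks returned OTCs."""

    def __init__(self):
        self._pins = {}     # user_id -> PIN (a real server protects these at rest)
        self._pending = {}  # user_id -> security string of the open challenge

    def register(self, user_id: str, pin: str) -> None:
        # The article allows PINs of four to ten digits.
        if not (pin.isdigit() and pin.isascii() and 4 <= len(pin) <= 10):
            raise ValueError("PIN must be four to ten digits")
        self._pins[user_id] = pin

    def issue_challenge(self, user_id: str) -> str:
        # 10 random digits from a CSPRNG; delivered out of band (e.g. by SMS).
        string = "".join(secrets.choice("0123456789") for _ in range(10))
        self._pending[user_id] = string
        return string

    def verify(self, user_id: str, otc: str) -> bool:
        # pop() consumes the challenge on the first attempt, so a captured
        # OTC has no validity for a second authentication event.
        string = self._pending.pop(user_id, None)
        pin = self._pins.get(user_id)
        if string is None or pin is None:
            return False
        expected = extract_otc(pin, string)
        # Constant-time comparison of the anticipated and returned codes.
        return hmac.compare_digest(expected.encode(), otc.encode())
```

The PIN itself never crosses the browser connection; only the derived code does, and it is tied to a string the server discards after one use.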

This technology delivers a wide range of unique benefits for both the enterprise and the individual user. For the enterprise the system engenders a high degree of confidence that only authorized users are accessing their systems as well as providing a cost-effective solution that is simple to administer and does not require distribution of costly tokens to the user base.

For the user the fact that the different parts of the process are transmitted and received via two completely different technologies and networks means that individuals also can be confident that their digital identities are safe from being compromised whilst they are online. This is widely regarded as the most important deciding factor for people particularly when conducting online purchases and credit card transactions.

Although the user is required to execute an additional process beyond just entering a PIN or password, using a mobile device to generate the OTC has not proven to be an unacceptable inconvenience for users of the system in practice.

A major criticism by users of token-based authentication technologies is the inconvenience of having something else to remember to take with them, particularly if they need to work from different locations.

Leveraging the full functionality of a mobile device to also provide a strong authentication tool is an obviously more acceptable solution. In business today the mobile phone in particular has now become an essential tool and one that most people are unlikely to leave behind.

However, it is possible that the phone is not available or functioning at the time that access is required. This next generation approach has a failsafe option built into the system.

In these circumstances the user can opt to use a special interface that displays the security string as a special GIF on the web page. The GIF is generated using a random combination of irregular fonts and patterned backgrounds to make the string unreadable by OCR spyware but still legible to the human eye.

Although slightly less resistant to a hacker than the SMS version, the interface can be used in confidence provided sensible precautions are followed to avoid the string being captured by a surveillance camera or casual observer. Even then it would be difficult to compromise the system, as the PIN is never typed on the keyboard and therefore cannot be electronically captured.

This technology would provide a perfect upgrade path for existing token-based system users as well as an easy entry point for companies wishing to integrate strong authentication into their existing enterprise networks.