Copyright 2005 PortWise. All rights reserved. The PortWise logo and all PortWise product names and slogans are trademarks or registered trademarks of PortWise. Other product names and/or slogans mentioned herein may be trademarks or registered trademarks of their respective companies.
3) Hardware tokens have a limited lifespan and regularly break, or are lost or misplaced, rendering the user helpless. To be broadly embraced by the consumer market, the convenience barrier must be set as low as possible.
This can be used in one of two ways:
a) Out-of-band authentication: the consumer receives a one-time password via SMS or e-mail after entering their username and password; or
b) The consumer runs a Java-based software token on the mobile phone to create a serial-based one-time password after they have entered their username and password.
SOFTWARE TOKENS
A software token based authentication solution is designed for consumer environments where millions or even tens of millions of users need to be strongly authenticated using something that all of us carry (e.g., mobile phones). It offers the highest levels of security in a comprehensive, scalable and very cost-effective solution.
USER AUTHENTICATION
Software token based authentication solutions are based around the consumer carrying a commodity device such as a mobile phone, BlackBerry or PDA and using this in combination with their username and password to strongly authenticate themselves.
TRANSACTION SIGNATURES
Once users have authenticated themselves using two factors, they may be able to view their account balance, order checks, or do low-value transactions. However, for high-value transactions, banks and consumers also want the ability to digitally seal an individual transaction. Transaction Signing software tokens allow users to enter all transaction data in the token, generate a transaction signature corresponding to the values of the transaction and then enter the signature on the online application. The server will process the
This method prevents Man-In-The-Middle / Man-In-The-Browser attacks, since the digital signature is firmly bound to the specific transaction signed by the client and cannot be used by the attacker to divert any payment.
DIGITAL CERTIFICATES
For corporate banking customers, banks are advised to deploy a PKI-based digital certificate authentication mechanism. Digital certificates ensure non-repudiation, a key concern for banks. The 2FA solution should not only be able to verify digital certificates but also provide a PKI platform in virtual appliance form that starts out-of-the-box and produces your first digital certificates and smart cards within a couple of hours. The PKI appliance should comprise a Certifying Authority with auto-enrolment, an OCSP responder, a user-friendly credential lifecycle manager and a web-based self-service portal.
ENDPOINT ASSESSMENT
The definitive way of preventing Trojans from stealing user credentials is to make sure the user's computer has no such Trojan installed. The 2FA solution should provide an End-Point Security Assessment module, which can check the user's machine for any number of threats, including viruses, spyware, and Trojans, before any access is granted. Moreover, it can verify network configuration settings, including IP address, open ports, domain and registry settings, and that the latest operating system and security patches are installed. End-Point Security Assessment can also examine the browser to ensure it has not been tampered with by a Trojan.
ENDPOINT ABOLISHMENT
The 2FA solution should have an End-Point Abolishment module that can remove all traces of a customer's activity, including web page caches, registry keys, downloaded components and files, and cookies, from the system once they log off. This enhances security in a shared-workstation environment like cyber-cafes, kiosks, etc.
SECURE ACCESS GATEWAY
The 2FA solution should provide a Secure Access Gateway (Access Point) which eliminates the need to make any changes to the existing Internet banking application to enable strong multi-factor authentication.
The Secure Access Gateway also enables any new form factors produced by the vendor to be rolled out to customers without making any changes to the internet banking application or upgrading the backend authentication system.
ZERO VENDOR LOCK-IN
Choosing a vendor that supports and fully complies with the OATH (Open Authentication) reference architecture ensures banks can future-proof their security implementation. The OATH standard prevents vendor lock-in and ensures the lowest cost of ownership. With an OATH-compliant architecture in place, banks can buy tokens from any of the 100+ vendors of OATH-compliant tokens.
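As an added illustration of the transaction-signing and OATH requirements above (example code written for this guide, not PortWise's product and not the RFC 6287 OCRA algorithm itself): the RFC 4226 HOTP truncation that every OATH-compliant token implements, reused in a simplified OCRA-like scheme that binds a one-time code to the beneficiary and amount. The shared secret, counter and account values are constructed.

```python
import hashlib
import hmac
import struct

# Added example for this guide, not PortWise code. Simplified OCRA-like scheme;
# the secret, counter and transaction values below are constructed for illustration.


def _dynamic_truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: take 4 bytes at the offset given by the low nibble
    of the last MAC byte, clear the sign bit and keep the low `digits` decimal digits."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-based OTP exactly as an OATH-compliant HOTP token produces it (HMAC-SHA1)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _dynamic_truncate(mac, digits)


def transaction_signature(secret: bytes, counter: int, beneficiary: str,
                          amount: str, digits: int = 8) -> str:
    """Code bound to one transaction: the MAC covers the counter and a canonical
    encoding of the fields, so a code captured for one payment is useless for another."""
    canonical = f"{beneficiary}|{amount}".encode()
    mac = hmac.new(secret, struct.pack(">Q", counter) + canonical, hashlib.sha256).digest()
    return _dynamic_truncate(mac, digits)


def verify_transaction(secret: bytes, counter: int, beneficiary: str, amount: str,
                       presented: str, look_ahead: int = 3):
    """Server-side check against the fields the bank is about to execute. Returns the
    next counter to store on success, None on failure. The look-ahead window tolerates
    codes the user generated but never submitted; compare_digest avoids timing leaks."""
    for c in range(counter, counter + look_ahead):
        expected = transaction_signature(secret, c, beneficiary, amount)
        if hmac.compare_digest(expected, presented):
            return c + 1
    return None


if __name__ == "__main__":
    key = b"constructed-shared-secret"  # provisioned to the token at enrolment
    sig = transaction_signature(key, 7, "IN00000012345", "1500.00")
    print("user's token shows", sig)
    # genuine transaction: accepted and the stored counter advances past 7
    print("genuine:", verify_transaction(key, 7, "IN00000012345", "1500.00", sig))
    # a man-in-the-browser that swaps the beneficiary leaves the code unverifiable
    print("diverted:", verify_transaction(key, 7, "IN99999999999", "1500.00", sig))
```

Because the server recomputes the code from the fields it is about to execute, a relayed signature fails whenever the beneficiary or amount was altered in transit, and a successful verification advances the counter so the same code cannot be replayed.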
PROHIBIT SESSION-SAVING COOKIES
From the customer's perspective, it is often valuable to be able to resume a session after changes to networking settings, an accidental reboot, and similar events. However, these approaches pose grave security vulnerabilities. Attackers can access the session cookies and re-engage the session from their computers if precautions aren't taken. While it is valuable to hold state information about the active session, cookies and other snail-trail information must be secured during and after the session. The 2FA solution should store cookies in memory rather than in the browser's temporary folders. This approach thwarts an attacker's attempts to download cookies from a consumer's computer and use them to re-engage the session illegally.
STRONG ONE-FACTOR AUTHENTICATION
The 2FA solution should support emergency access capabilities by strong one-factor authentication in case of lost, misplaced, or damaged tokens. The 2FA solution should provide a web-based token that is delivered through a web browser to the end user when requested. It should require no preconfiguration and should use either ActiveX or Java depending on what is available on the Internet-connected device.
To protect against hostile code such as key loggers and Trojans, the web-based token should:
- Include a scrambled keyboard that can be configured to only accept input from the online keyboard. The scrambling protects against Trojans or key loggers that record screen coordinates and key strokes.
- Accept the PIN both with a keyboard (for the letters) and with a mouse (for the numbers). This provides protection against keyboard loggers, mouse recorders and video capture Trojans.
- Generate the OTP locally and never send the PIN across the Internet, to protect against replay attacks.
- Be valid for use only once per session and be controlled by time-outs.
- Use JPEG bitmaps for protection against Trojans that use OCR scanning.
TOKEN DISTRIBUTION
To ease distribution of the software tokens, the 2FA solution should include a Distribution Service that enables automated token distribution, installation and setup for software tokens. The Distribution Service should ensure that this process is fully automated for smooth and easy end-user deployment. All the end user has to do is follow a URL link sent to them by the server in an SMS, and within seconds the user should be equipped with two-factor authentication. This URL is used by the user's web browser and should not require the software token application to be installed separately.
INTEGRATION WITH ALL BANKING CHANNELS
It should be possible to integrate the 2FA solution with all banking channels such as Internet Banking, Phone Banking, Mobile Banking, ATM Banking, etc. To ease integration, the 2FA solution should support standard interfaces such as RADIUS and also provide a secure web-services based interface.
UNIFIED AUDIT LOGS, ALERTS, REPORTS
The 2FA solution should provide a complete, unified audit log of strong authentication, end-point security, access, and session clean-up. The audit log should be syslog compatible to enable sharing with Identity Management, Business Process Monitoring, and System Management solutions. The 2FA solution should allow alerts to be set on system events so administrators can be notified if something occurs, making problem resolution easier and less time-consuming. This enables administrators and help desk personnel to work
proactively and more quickly respond to incidents. The alerts should be distributed using either SMS (mobile text message) or e-mail. The 2FA solution should report snapshots of activity at any given time, both in real time and over a historical period, or statistics showing for example the behavior of users or the usage of internet banking.
INDIAN BANKING CUSTOMER REFERENCE
To ensure technical viability, the 2FA solution should have been implemented within at least one bank in India and should have been successfully operational for at least 3 years.
LOCAL 24X7 SUPPORT
The 2FA vendor should have a 24x7 support setup in India dedicated to APAC customers, which provides:
- Telephone and e-mail based support available to the bank 24x7.
- Assistance when troubleshooting the 2FA solution.
- Advice on version handling of the 2FA solution.
- Making the customer aware of releases, patches and current downloads.
- Starting work on a case within 4 business hours of a support case being logged.
SUMMARY
If you are currently evaluating two-factor authentication solutions for your internet banking, this guide has provided the information and tools to help you make the right decision. We examined the role of two-factor authentication in addressing today's business opportunities and challenges, and discussed the characteristics of an effective solution, to ensure that the chosen solution is convenient enough for broad consumer adoption while keeping costs down and security risks minimal.
BUYERS CHECKLIST
Feature                                        Yes   No
Out-of-band authentication using SMS/email     [ ]   [ ]
Mobile-based software tokens                   [ ]   [ ]
Transaction signing software tokens            [ ]   [ ]
PKI appliance for digital certificates         [ ]   [ ]
Web-based tokens                               [ ]   [ ]
Endpoint assessment                            [ ]   [ ]
Endpoint abolishment                           [ ]   [ ]
Secure access gateway                          [ ]   [ ]
OATH compliant                                 [ ]   [ ]
Prohibits session-saving cookies               [ ]   [ ]
Fully automated token distribution             [ ]   [ ]
Provides secure web-services API               [ ]   [ ]
Unified audit logs, alerts, reports            [ ]   [ ]
Indian banking customer reference              [ ]   [ ]
Local 24x7 support                             [ ]   [ ]