Unauthorized access to banking websites is becoming a larger and larger issue. The process used to authenticate the user online (also known as user verification, authentication mechanism, authentication system, authentication scheme or authentication protocol) is at the center of this problem. Many web sites continue to design authentication mechanisms without any background or experience in security issues or fraud patterns, leading to weak authentication schemes.
This article is divided into 3 sections:
1. Choice of Authentication Mechanism
2. Types of Break-ins
3. Common Authentication Mechanisms
CHOICE OF AUTHENTICATION MECHANISM
The choice of authentication mechanism depends on 4 main factors:
Appropriate level of security: The strength of the user authentication mechanism should be based upon the risk associated with unauthorized access. There are usually trade-offs between security, usability and performance. For example, a financial website should have a stronger user authentication protocol than a blog. A commercial account may require stronger authentication than a personal account. Some sites require an additional user verification step prior to accessing certain functions.
User Acceptance: The user verification process should be easy to navigate and non-confrontational. Users are often discouraged when required to install plug-ins or move through multiple pages in order to be authenticated.
Deployability: The authentication system should use technologies commonly available in today's browsers and servers. Certain authentication processes require the browser to perform computations before transmitting the information to the server. Computation mechanisms, such as JavaScript, could be blocked by the user, limiting the portability of these authentication schemes. For high-value accounts it is sometimes feasible to issue hardware, such as security tokens, to increase security. In other cases, a software-only deployment is required.
Performance: Stronger security protocols generally have a negative impact on performance. The average latency (ms/request) is used to measure the performance of different authentication processes.