8/16/2012
08:56 AM
Dark Reading
Products and Releases

Authentify Rolls Out New Mobile And PC Out-Of-Band Authentication Service

2CHK out-of-band mobile or PC service for two-factor authentication replaces weak password security

CHICAGO, August 15, 2012 – IT and Internet industry experts are increasingly calling for two-factor authentication to replace weak password security as each passing week brings more high-profile data breach incidents:

• Dropbox is adding two-factor authentication, after a stolen password was used to access an employee’s Dropbox account containing a document with users’ email addresses

• The head of Google’s Webspam team Matt Cutts is recommending Google users turn on Google’s two-factor authentication

• Wired reporter Mat Honan, in his excellent blog analyzing his own victimization in an “epic hack,” admits that had he used two-factor authentication with Gmail he might have interrupted the chain of events the hackers used

• LinkedIn’s June data breach reportedly made some 6.5 million passwords public on a Russian hacker site, and the company now faces a $5 million-plus lawsuit

Authentify wants to reassure its current and potential clients that its new 2CHK app and out-of-band (OOB) authentication service provides an effective, convenient and inexpensive solution for any company seeking to protect its online clients using two-factor authentication.

Here’s how it works. The end user activates a small, convenient app on their smartphone or PC and links it securely to their company login account or identity directory using voice or SMS-based OOB authentication. Once this is done, the 2CHK app is “always on” and maintains a secure channel to Authentify’s authentication service.

The first key benefit is security. 2CHK complements IT or online and mobile banking security by providing a completely separate app and OOB channel that protects against stolen passwords and, due to layers of encryption, cannot be defeated by man-in-the-middle and man-in-the-browser attacks.

The second key benefit is convenience. Customers see transactions in the 2CHK app and can confirm or reject them easily. This contrasts with traditional OOB implementations that send a one-time password (OTP) number using a phone call or text message, which the customer then re-enters separately in the login window, or online or mobile bank app.

Another important advantage is that this gets consumers more directly involved in monitoring their own accounts using their own mobile devices. This imperative was underscored in the banking industry by a recent survey showing that 82 percent of the time, customers report fraud to the bank before the bank has detected it.

“The threats to online environments and digital property have evolved dramatically in the last few years,” according to Andy Rolfe, the chief technology officer at Authentify. “End users and the defenses on which they rely to evolve as well – or they fail. It’s a progression as old as time.”

“Out-of-band authentication can save your digital assets, so to speak,” added John Zurawski, vice president at Chicago-based Authentify. “Both NIST and the FDIC have cited the strength of our type of phone-based out-of-band authentication for protecting government and financial accounts. As more of our lives become virtual, more is at risk. Many folks lock up their important papers and valuables in the real world. Stronger protection in our cyber world simply makes sense.”

Authentify introduced telephone-based OOB authentication to the market and today has the most industry experience and expertise in deploying solutions and providing services. A proven and effective countermeasure recommended by federal authorities, regulators and leading consulting firms, OOB authentication is used by banks and ecommerce providers to protect against man-in-the-browser attacks designed to steal login credentials or hijack online sessions. The capability to add OOB safeguards within multiple layer security models fulfills industry best practices as recommended by the FFIEC, Gartner Research, Inc., the FBI, the U.S. Secret Service and NACHA. Authentify recently participated in proposals submitted to the U.S. government’s National Trusted Identities in Cyberspace initiative hosted by the National Institute of Standards (NIST).

About Authentify, Inc.

Authentify, Inc. is a leading global provider of telephone-based Out-of-Band (OOB) authentication services. With a client list that includes five of the world's top ten banks, three of the five largest ecommerce websites and two of the top four insurance companies in North America, Authentify has the most experience and expertise in deploying OOB solutions in the industry. These multi-factor authentication (MFA) services enable organizations that need strong security to quickly and cost-effectively add two-factor or multi-factor authentication layers to user logons, transaction verifications or critical changes such as adding an ACH payee, resetting passwords or changing contact information. The company's patented technology employs a service-oriented message architecture and XML API to seamlessly integrate into existing security processes. Authentify markets primarily to financial services firms that need to protect their clients' online accounts, corporate security professionals managing access control, and emerchants who want to limit fraud on their sites.

For more information, visit Authentify at: www.authentify.com.

Comments
Tracy-ITW,
User Rank: Apprentice
8/19/2012 | 4:59:59 AM
re: Authentify Rolls Out New Mobile And PC Out-Of-Band Authentication Service
What ever happened to biometric authentication? It worries me that losing any single object (say my smartphone), would prevent me from access, or worse, recovering access, to services/resources requiring login/id.

I've got 10 fingers (I know there are those with less, and rarely, more), plus a face that NSA is supposed to be able to recognize, plus a voice that is usually ok. Two of three ought to be pretty good...

Plus, everyone is going to be using different second factors for a while, so it's not much better than having to remember lots of user names and passwords: I still have to remember to carry the necessary objects with me.