Dark Reading
Products and Releases

Authentify Rolls Out New Mobile And PC Out-Of-Band Authentication Service

2CHK out-of-band mobile or PC service for two-factor authentication replaces weak password security

CHICAGO, August 15, 2012 – IT and Internet industry experts are increasingly calling for two-factor authentication to replace weak password security as each passing week brings more high-profile data breach incidents:

- Dropbox is adding two-factor authentication, after a stolen password was used to access an employee’s Dropbox account containing a document with users’ email addresses

- The head of Google’s Webspam team Matt Cutts is recommending Google users turn on Google’s two-factor authentication

- Wired reporter Mat Honan, in his excellent blog analyzing his own victimization in an “epic hack,” admits that had he used two-factor authentication with Gmail he might have interrupted the chain of events the hackers used

- LinkedIn’s June data breach reportedly made some 6.5 million passwords public on a Russian hacker site, and the company now faces a $5 million-plus lawsuit

Authentify wants to reassure its current and potential clients that its new 2CHK app and out-of-band (OOB) authentication service provides an effective, convenient and inexpensive solution for any company seeking to protect its online clients using two-factor authentication.

Here’s how it works. The end user activates a small, convenient app on their smartphone or PC and links it securely to their company login account or identity directory using voice or SMS-based OOB authentication. Once this is done, the 2CHK app is “always on” and maintains a secure channel to Authentify’s authentication service.

The first key benefit is security. 2CHK complements IT or online and mobile banking security by providing a completely separate app and OOB channel that protects against stolen passwords and, due to layers of encryption, cannot be defeated by man-in-the-middle and man-in-the-browser attacks.

The second key benefit is convenience. Customers see transactions in the 2CHK app and can confirm or reject them easily. This contrasts with traditional OOB implementations that send a one-time password (OTP) number using a phone call or text message, which the customer then re-enters separately in the login window, or online or mobile bank app.

Another important advantage is that this gets consumers more directly involved in monitoring their own accounts using their own mobile devices. This imperative was underscored in the banking industry by a recent survey showing that 82 percent of the time, customers report fraud to the bank before the bank has detected it.

“The threats to online environments and digital property have evolved dramatically in the last few years,” according to Andy Rolfe, the chief technology officer at Authentify. “End users and the defenses on which they rely to evolve as well – or they fail. It’s a progression as old as time.”

“Out-of-band authentication can save your digital assets, so to speak,” added John Zurawski, vice president at Chicago-based Authentify. “Both NIST and the FDIC have cited the strength of our type of phone-based out-of-band authentication for protecting government and financial accounts. As more of our lives become virtual, more is at risk. Many folks lock up their important papers and valuables in the real world. Stronger protection in our cyber world simply makes sense.”

Authentify introduced telephone-based OOB authentication to the market and today has the most industry experience and expertise in deploying solutions and providing services. A proven and effective countermeasure recommended by federal authorities, regulators and leading consulting firms, OOB authentication is used by banks and ecommerce providers to protect against man-in-the-browser attacks designed to steal login credentials or hijack online sessions. The capability to add OOB safeguards within multiple layer security models fulfills industry best practices as recommended by the FFIEC, Gartner Research, Inc., the FBI, the U.S. Secret Service and NACHA. Authentify recently participated in proposals submitted to the U.S. government’s National Trusted Identities in Cyberspace initiative hosted by the National Institute of Standards (NIST).

About Authentify, Inc.

Authentify, Inc. is a leading global provider of telephone-based Out-of-Band (OOB) authentication services. With a client list that includes five of the world's top ten banks, three of the five largest ecommerce websites and two of the top four insurance companies in North America, Authentify has the most experience and expertise in deploying OOB solutions in the industry. These multi-factor authentication (MFA) services enable organizations that need strong security to quickly and cost-effectively add two-factor or multi-factor authentication layers to user logons, transaction verifications or critical changes such as adding an ACH payee, resetting passwords or changing contact information. The company's patented technology employs a service-oriented message architecture and XML API to seamlessly integrate into existing security processes. Authentify markets primarily to financial services firms that need to protect their clients' online accounts, corporate security professionals managing access control, and emerchants who want to limit fraud on their sites.

For more information, visit Authentify at:

User Rank: Apprentice
8/19/2012 | 4:59:59 AM
re: Authentify Rolls Out New Mobile And PC Out-Of-Band Authentication Service
What ever happened to biometric authentication? It worries me that losing any single object (say my smartphone), would prevent me from access, or worse, recovering access, to services/resources requiring login/id.

I've got 10 fingers (I know there are those with less, and rarely, more), plus a face that NSA is supposed to be able to recognize, plus a voice that is usually ok. Two of three ought to be pretty good...

Plus, everyone is going to be using different second factors for a while, so it's not much better than having to remember lots of user names and passwords: I still have to remember to carry the necessary objects with me.