Mutual Authentication: Entrust IdentityGuard
Mutual Authentication Methods
Mutual authentication, also called two-way authentication, lets an organization demonstrate the authenticity of its Web site to end users rather than only verifying the user to the site. It raises user confidence in the security of online transactions and helps protect users from identity attacks, such as phishing, that lead to transaction fraud.
According to the Financial Services Technology Consortium (FSTC), mutual authentication is a key component of online security:
"Mutual authentication is vital to bolstering consumer confidence and trust — consumers must be able to confirm authenticity of financial service providers."
Source: Financial Industry Recommendations and Requirements for Better Mutual Authentication, June 12, 2006, FSTC
As part of a layered security model for protecting digital identities and information, the Entrust IdentityGuard versatile authentication platform offers several mutual authentication options. These techniques can be used in Web applications as well as in email and print communications. Entrust IdentityGuard, which has one of the widest ranges of authentication capabilities on the market today, combines mutual and multifactor authentication so that strong authentication can be fitted to the user experience: security improves while the impact on users stays small and their confidence in the site grows.
Entrust delivers a range of options for adding mutual authentication, including:
- Message & Image Replay: a unique, personalized shared secret is presented to the user — along with an image that was selected by the user — as a method of authenticating the validity of the communication
- Security Grid Serial Number Replay: users are presented with the serial number from their unique security grid cards
- Grid Location Replay: users are presented with values from specific coordinates on their unique security grid cards
- Extended Validation (EV) SSL Certificates: An important level of a layered security strategy, EV SSL certificates, which were created in response to the growth of phishing and man-in-the-middle attacks, provide consumers with obvious trust indicators to authenticate the identity of site owners or operators
Entrust was instrumental in the CA/Browser Forum's development of EV SSL certificates, which address the site-authentication half of the mutual authentication challenge. Coupled with an EV-aware browser, they add another layer of security to the online experience.
Message & Image Replay
If security grid authentication is not being used for two-factor authentication, Entrust IdentityGuard still provides mutual authentication through image and message replay. During registration, the user selects or supplies an image and a message; at each subsequent login, after the user has identified themselves but before they are asked for a password, the site displays that image and message. Because only the legitimate site holds this information, the user recognizes the personalized login page as authentic.
Whether the user chooses a picture from an online collection or uploads one of their own, it will be familiar and therefore easy to recognize, and its absence will be conspicuous.
If a phishing site attempts to capture sensitive user information, including the password, the user is likely to notice that the personalization is missing and abandon the Web session. This defends against a phishing page that does not hold the user's personalization; it does not by itself stop an attacker who relays the user's identifier to the legitimate site in real time and forwards the returned image and message, which is why it is offered as one layer of a layered defense rather than as a complete one.
Each of these mutual authentication options replays information that the user shared securely with the organization, or that is unique to the user's relationship with the organization. Because this information should be known only to the user and the legitimate organization, the user can use it to confirm that the Web site is authentic.
Security Grid Serial Number Replay
Security grid authentication not only provides a secure, cost-effective and easy way to authenticate users — it also provides built-in mechanisms for mutual authentication.
The Entrust IdentityGuard security grid cards provide two options for mutual authentication. The first is based on the serial number of the grid itself. Each grid has a unique serial number that is known only to the issuer (your organization) and the user, so during login this serial number can be displayed to the user before any authentication credentials are requested.
Before entering a password or grid challenge response, the user simply confirms that the serial number displayed on the Web site matches the one printed on their grid card. If it does, the user can be confident that they are on your legitimate Web site.
Grid Location Replay
Another mutual authentication method that can be leveraged with the grid card is the replay of the values at specific grid coordinates. When displayed to the user, these values show that the site knows the contents of the user's grid and therefore give the user strong evidence that it is legitimate.
Additional measures can make this information difficult for fraudsters to harvest, such as rendering the replayed values as non-machine-readable characters and choosing the replayed coordinates so that they differ from the coordinates used in the subsequent grid challenge, so that a harvested replay cannot be used to answer that challenge.
Security grid serial number replay and grid location replay can also be used across channels, including email communications and printed literature.
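The two grid-based methods above, serial number replay and grid location replay, followed by the grid challenge itself, as an added example in Python. This is not Entrust code; the card layout (5 rows A-E by 10 columns), the 8-digit serial, the session handling and all function names are assumptions made for the example. It shows the site proving knowledge of the card before asking for anything secret, the user's check on that proof, and the challenge coordinates being kept disjoint from the replayed ones so that a harvested replay cannot answer the challenge.

```python
import random
import secrets
import string

# Card layout is an assumption for this example: 5 rows A-E, 10 columns 1-10.
ROWS = "ABCDE"
COLS = range(1, 11)
ALPHABET = string.ascii_uppercase + string.digits


def issue_card(rng=secrets):
    """Issue one grid card: an 8-digit serial plus a random value per cell.
    `rng` only needs a choice() method, so secrets (production) and
    random.Random(seed) (reproducible runs) both work."""
    serial = "".join(rng.choice(string.digits) for _ in range(8))
    cells = {f"{r}{c}": rng.choice(ALPHABET) for r in ROWS for c in COLS}
    return {"serial": serial, "cells": cells}


class GridAuthServer:
    """Server side (hypothetical): holds issued cards and runs the login flow."""

    def __init__(self, rng=secrets):
        self.rng = rng
        self.cards = {}      # username -> card
        self.sessions = {}   # session id -> (username, challenge coordinates)

    def enroll(self, username, card):
        self.cards[username] = card

    def start_login(self, username, n_replay=2, n_challenge=3):
        """Mutual-authentication step. Returns what the site shows before it
        asks for anything secret: the card serial and the values at n_replay
        coordinates, plus the coordinates of the challenge for the next step.
        Replay and challenge coordinates are drawn without replacement, so a
        phishing page that records the replayed cells learns nothing it can
        reuse to answer this challenge."""
        card = self.cards[username]
        pool = list(card["cells"])
        picked = []
        for _ in range(n_replay + n_challenge):
            coord = self.rng.choice(pool)
            pool.remove(coord)
            picked.append(coord)
        replay_coords, challenge = picked[:n_replay], picked[n_replay:]
        replay = {c: card["cells"][c] for c in replay_coords}
        session = "".join(self.rng.choice(string.hexdigits) for _ in range(16))
        self.sessions[session] = (username, challenge)
        return {"session": session, "serial": card["serial"],
                "replay": replay, "challenge": challenge}

    def finish_login(self, session, response):
        """User-authentication step: check the answer to the challenge.
        The session is consumed whether or not the answer is right, so a
        captured response cannot be replayed and a wrong guess cannot be
        retried against the same coordinates."""
        if session not in self.sessions:
            return False
        username, challenge = self.sessions.pop(session)
        expected = "".join(self.cards[username]["cells"][c] for c in challenge)
        return secrets.compare_digest(expected.encode(), response.encode())


def user_verifies_site(card, shown):
    """What the cardholder does before typing a secret: compare the serial
    printed on the card and the replayed cells with what the page shows.
    A missing replay or any mismatch means the page does not hold this card."""
    if shown["serial"] != card["serial"] or not shown["replay"]:
        return False
    return all(card["cells"].get(c) == v for c, v in shown["replay"].items())


def user_answers(card, challenge):
    """Read the challenged coordinates off the card, in the order asked."""
    return "".join(card["cells"][c] for c in challenge)


def demo(seed=7):
    """Run one legitimate login and one attempt to replay its response."""
    rng = random.Random(seed)            # seeded only so the run is reproducible
    server = GridAuthServer(rng)
    card = issue_card(rng)
    server.enroll("alice", card)

    shown = server.start_login("alice")
    assert user_verifies_site(card, shown)
    # A phishing page without Alice's card can only show a guessed serial.
    assert not user_verifies_site(card, {"serial": "00000000", "replay": {}})

    answer = user_answers(card, shown["challenge"])
    first = server.finish_login(shown["session"], answer)    # genuine login
    again = server.finish_login(shown["session"], answer)    # replayed response
    return first, again
```

Running `demo()` returns `(True, False)`: the genuine answer is accepted once and the replayed copy is refused because the session was consumed. In a real deployment the replayed values would additionally be rendered as an image rather than text, as described above, and the lookup by username would sit behind whatever first factor or device binding the site already uses.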
Extended Validation (EV) SSL Certificates
A natural complement to Entrust IdentityGuard and a key component of a layered security strategy, Entrust Extended Validation SSL certificates, commonly known as "EV" certificates, contain safeguards that help prevent fraud attacks. When consumers use an EV-aware browser, its trust indicators help them make better trust decisions, such as verifying the identity information of the owner of an EV-protected Web site.
Good for Customers, Employees and Regulators
These mutual authentication methods significantly increase the user's defense against online identity attacks and make it harder to perpetrate fraud against the organization. All of these methods are recognized by government agencies, such as the FDIC, and require no deployment of hardware or client software.