June 2, 2005
Seen at Interop: Anakam's Cellphone-based Two-Factor Authentication
E-commerce authentication is a bugaboo. Users typically log in with just a user ID and password, and these are easily compromised with phishing attacks and password guessers. The result is the current flood of e-commerce fraud and identity theft, which dampens users' enthusiasm for e-commerce and represents a huge liability for e-vendors. One fix to the problem is to use two-factor authentication -- a second credential that a user must supply in order to log into his or her e-commerce account. The second factor could be biometric or some sort of token, such as a smartcard or one-time-password generator. Alas, biometric readers are not commonplace, and distributing tokens is too cumbersome and expensive.
Anakam LLC has a clever solution to the problem in its Whisper product: Employ a token nearly everyone has already, the ordinary cell phone.
When a user logs into a Whisper-enabled Web site, Whisper generates a unique one-time access key and transmits it to the user's registered cell phone address via an e-mail or SMS message. The user then completes the e-commerce login by entering this key into the logon page, which authorizes that particular computer to the site for a predetermined time interval.
This approach blocks phishing attacks, because the phisher does not know the victim's registered cell phone number. It thwarts password guessers by changing the effective password with every login, guaranteeing that the password can't be brute-forced by systematic guessing.
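The server side of the flow the two paragraphs above describe, as an added example (not Anakam's code): after the password check, a one-time key from a CSPRNG is sent out of band, only its hash is kept, it expires, is single-use and attempt-limited, and a successful check issues a device token that authorizes that computer for a fixed interval. The `send` callable, the five-minute and thirty-day intervals and the attempt limit are assumptions standing in for the SMS/e-mail gateway and the site's policy.

```python
import hashlib
import hmac
import secrets

CODE_TTL = 300              # seconds a one-time key stays valid (assumed value)
TRUST_TTL = 30 * 24 * 3600  # seconds a verified computer stays authorized (assumed)
MAX_ATTEMPTS = 5            # wrong guesses before the pending key is discarded (assumed)


class WhisperLikeAuth:
    """Second factor modelled on the post: one-time key out of band, then the computer is trusted."""

    def __init__(self, phone_numbers, send, now):
        self.phones = phone_numbers   # user -> registered cell number
        self.send = send              # callable(address, text): stands in for the SMS gateway
        self.now = now                # clock, injected so expiry can be tested
        self.pending = {}             # user -> (sha256 of key, expiry, wrong attempts)
        self.trusted = {}             # device token -> (user, expiry)

    def start_login(self, user):
        """Generate a unique one-time key and send it to the registered phone."""
        code = f"{secrets.randbelow(10**6):06d}"       # CSPRNG, not random.randint
        digest = hashlib.sha256(code.encode()).hexdigest()
        self.pending[user] = (digest, self.now() + CODE_TTL, 0)   # store only the hash
        self.send(self.phones[user], f"Your access key is {code}")

    def complete_login(self, user, code):
        """Check the key; on success issue a device token valid for TRUST_TTL."""
        entry = self.pending.get(user)
        if entry is None:
            return None
        digest, expiry, attempts = entry
        if self.now() > expiry or attempts >= MAX_ATTEMPTS:
            del self.pending[user]                      # expired or locked out
            return None
        if not hmac.compare_digest(digest, hashlib.sha256(code.encode()).hexdigest()):
            self.pending[user] = (digest, expiry, attempts + 1)
            return None
        del self.pending[user]                          # single use: never accept it twice
        token = secrets.token_urlsafe(32)
        self.trusted[token] = (user, self.now() + TRUST_TTL)
        return token

    def device_trusted(self, user, token):
        """True while the token is unexpired and was issued to this user."""
        entry = self.trusted.get(token)
        if entry is None or self.now() > entry[1]:
            self.trusted.pop(token, None)               # drop expired tokens
            return False
        return entry[0] == user
```

The effective password changes on every login because a key is accepted at most once, and a stolen device token stops working on its own once TRUST_TTL has passed.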
Whisper isn't expensive either -- it can be deployed for just pennies per user in large applications like online banking, and for only a few dollars per user in smaller deployments, making it practical for even specialized e-commerce applications.
Posted by Mel Beckman at June 2, 2005 9:26 AM