Online Security: Two-factor Authentication (2FA)

VeriSign, a company otherwise best known for SSL certificates and its check sign, has brought 2FA to a new form factor: the mobile phone. Rajiv Chadha, VP, VeriSign India, gave us a demo of this format at a special briefing in Mumbai. The process is quite simple. Users register once and acquire a unique credential ID. This number is locked to a J2ME application that can be downloaded for free on any compatible phone. The credential can also be linked to a number of user IDs on different sites that use VIP (VeriSign Identity Protection). The app generates a six-digit code that changes every 30 seconds. The credential is registered with a relying party web service, and every time you initiate a login session to that web service, in addition to entering your easy-to-remember user ID and password, you also enter the six-digit code from your credential as a second password. This service is also available via SMS.
Many web sites such as PayPal and eBay offer this as an optional layer of security. “In fact, PayPal in the UK has already made this mandatory,” says Chadha. So the next time you’re logging in to even your favorite social networking site, don’t be surprised if you find yourself reaching for your phone. Even if it’s non-mandatory for now, users should probably opt for this service voluntarily. With this added layer of security, a hacker would have to not only steal your password but also physically reach into your pocket to steal your phone, which is quite an unlikely situation. There are currently about 70 web sites where VIP is available. For a full list, head over to www.vipmobile.verisign.com/wheretouse.v. In India, several brokerage and banking web sites are already in talks with VeriSign to implement this soon.