When it comes to mobile authentication, passwords are usually considered the weak link, but moving to a device-based scheme has been hampered by the complexity of today's enterprise landscape. In a bring-your-own-device (BYOD) world, standardizing security protocols across a wide range of form factors and built-in security methods is complicated at best.
At BlackHat USA 2014, Authentify introduced xFA Smart Choice, an extension to its xFA device-based multifactor authentication service. True to its name (the "x" stands for "X number of factors"), it allows the prioritization of available authenticators to accommodate enterprise environments with multiple types of mobile devices offering disparate capabilities, such as fingerprint readers, voice biometrics, gesture-based keypads or other device-specific authenticators. Businesses can take a programmatic approach to automatically selecting or prioritizing the authentication factors a user may or may not have available on their mobile device.
"The barrier to mass-market deployment of stronger authentication boils down to the impact on the user experience," said John Zurawski, vice president at Authentify, in a statement. "After all, security and convenience have historically had an inverse relationship. But we are turning that equation on its head by using device-based security. Smartphones are packed with features that can be used for strong authentication. What we have done is make that experience as simple, automated and friction-free for mobile users as SSL or HTTPS is on the web."
xFA uses an encrypted, out-of-band communication channel to protect against man-in-the-middle (MITM) and man-in-the-browser (MITB) attacks, in which information is intercepted between the end user and the log-in to the online account or service. An out-of-band channel only helps if the attacker cannot also reach that second channel. The Emmental attack shows what happens when they can: it is a variation of MITM in which communication with an online banking application is redirected to servers the attacker controls, and the twist is that it also redirects the SMS message on the end user's mobile device, the second factor in the two-factor scheme. So the required OTP is also delivered to the attackers, and because an SMS OTP is not tied to any particular transaction, it can be spent on one the attacker chose. A separate channel that is encrypted and bound to an enrolled device, rather than to a phone number, is what keeps the second factor out of the same hands.
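The distinction drawn above, as an added example that is not from the article or from Authentify: a hypothetical bank accepts either an SMS OTP or an out-of-band approval computed by an enrolled device app over the challenge nonce and the transaction details. An HMAC key stands in for the device certificate so the example runs on the Python standard library alone; the bank, device app, user and transactions are all constructed for illustration.

```python
"""Constructed illustration: an SMS OTP says nothing about the transaction it
authorises, so an attacker who relays the browser session and the SMS can
spend it on a different transaction. An out-of-band approval that is a MAC
over nonce + transaction, keyed by the enrolled device, cannot be redirected
or replayed. Hypothetical protocol, not Authentify's; HMAC stands in for a
device certificate."""
import hashlib
import hmac
import json
import secrets


def canonical(txn: dict) -> bytes:
    """Deterministic encoding so bank and device MAC identical bytes."""
    return json.dumps(txn, sort_keys=True, separators=(",", ":")).encode()


def approval_mac(key: bytes, nonce: str, txn: dict) -> bytes:
    """Approval is bound to both the challenge nonce and the transaction."""
    return hmac.new(key, nonce.encode() + canonical(txn), hashlib.sha256).digest()


class Bank:
    def __init__(self):
        self.pending_otp = {}   # user -> OTP; nothing ties it to a transaction
        self.pending_oob = {}   # nonce -> (user, txn) awaiting device approval
        self.device_keys = {}   # user -> key of the enrolled device app
        self.ledger = []

    # Scheme A: SMS one-time password (the factor Emmental captured)
    def send_sms_otp(self, user: str) -> str:
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending_otp[user] = otp
        return otp              # "delivered" to whoever reads the user's SMS

    def submit_with_otp(self, user: str, txn: dict, otp: str) -> bool:
        expected = self.pending_otp.pop(user, None)
        if expected is None or not hmac.compare_digest(expected, otp):
            return False
        self.ledger.append(txn)  # accepted: the OTP never mentioned txn
        return True

    # Scheme B: out-of-band, transaction-bound device approval
    def enroll_device(self, user: str, key: bytes) -> None:
        self.device_keys[user] = key

    def start_oob(self, user: str, txn: dict) -> dict:
        nonce = secrets.token_hex(16)
        self.pending_oob[nonce] = (user, txn)
        # Pushed to the enrolled device on a separate channel; the device
        # shows txn to the user before it will sign anything.
        return {"nonce": nonce, "txn": txn}

    def submit_with_oob(self, nonce: str, approval: bytes) -> bool:
        entry = self.pending_oob.pop(nonce, None)   # each nonce is single-use
        if entry is None:
            return False
        user, txn = entry
        expected = approval_mac(self.device_keys[user], nonce, txn)
        if not hmac.compare_digest(expected, approval):
            return False
        self.ledger.append(txn)
        return True


class DeviceApp:
    """Enrolled phone app holding a device-bound key (hypothetical)."""
    def __init__(self, key: bytes):
        self.key = key

    def approve(self, challenge: dict, intended: dict):
        # The user compares the displayed transaction with what they meant
        # to send; a swapped payee is refused rather than signed.
        if challenge["txn"] != intended:
            return None
        return approval_mac(self.key, challenge["nonce"], challenge["txn"])


USER = "alice"
INTENDED = {"payee": "landlord", "amount": 900, "currency": "EUR"}
FRAUD = {"payee": "mule-account", "amount": 900, "currency": "EUR"}


def sms_relay_attack() -> bool:
    """Attacker controls the browser session and receives the forwarded SMS."""
    bank = Bank()
    stolen_otp = bank.send_sms_otp(USER)   # forwarded by malware on the phone
    return bank.submit_with_otp(USER, FRAUD, stolen_otp)   # True: fraud clears


def oob_swap_attack() -> bool:
    """Attacker swaps the payee in transit; the phone displays the swap."""
    bank, key = Bank(), secrets.token_bytes(32)
    bank.enroll_device(USER, key)
    device = DeviceApp(key)
    challenge = bank.start_oob(USER, FRAUD)          # what reached the bank
    approval = device.approve(challenge, INTENDED)   # None: user declines
    if approval is None:
        approval = secrets.token_bytes(32)           # no key, so a blind guess
    return bank.submit_with_oob(challenge["nonce"], approval)   # False


def oob_replay_attack() -> tuple:
    """Attacker captures a genuine approval and tries to reuse it."""
    bank, key = Bank(), secrets.token_bytes(32)
    bank.enroll_device(USER, key)
    device = DeviceApp(key)
    good = bank.start_oob(USER, INTENDED)
    captured = device.approve(good, INTENDED)
    legit_ok = bank.submit_with_oob(good["nonce"], captured)    # True
    fraud = bank.start_oob(USER, FRAUD)
    replay_ok = (bank.submit_with_oob(good["nonce"], captured)   # consumed nonce
                 or bank.submit_with_oob(fraud["nonce"], captured))  # wrong txn
    return legit_ok, replay_ok                                  # (True, False)
```

The three scenario functions are the point of the block: the SMS relay succeeds because the server checks only that the OTP matches, while the out-of-band approvals fail when the payee is swapped (the user never signs) and when a captured approval is replayed (the nonce is consumed and the MAC covers the original transaction). A real deployment would use a per-device private key and certificate rather than a shared HMAC key, so that the bank stores no secret capable of forging approvals.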
Authentify's xFA is an app and online service that turns mobile devices into the equivalent of a multi-function security token aimed at BYOD deployments. Alongside biometrics, knowledge-based authenticators and finger-swipe gestures, xFA also provides server-to-server class digital certificate-based security and optional QR code scan logins. The Smart Choice API, meanwhile, gives enterprises and e-commerce providers, or their users, the ability to automate device-based multifactor authentication as needed for a given transaction.