Confident Multifactor Authentication provides a completely new and highly secure way to protect online businesses and their customers from fraud and Zeus-in-the-Mobile (Zitmo) attacks, by securing the second factor and verifying that it is in fact the legitimate user in possession of the mobile device and not another person who may have stolen the user’s phone or is surreptitiously intercepting the authentication text messages. The Confident Multifactor Authentication process remains completely out-of-band from the web session and is more secure than displaying an authentication code in plain text, as is done in an SMS text message or soft token.
How Confident Multifactor Authentication Works:
1. When a user first registers with the website or online service, they select a few categories of things they can easily remember — such as dogs, flowers and cars.
2. When out-of-band authentication is needed — such as when the user is attempting to transfer money to another account — an application on the user’s smartphone displays a randomly-generated grid of pictures that has a one-time authentication code encrypted within it.
3. The user identifies the pictures that fit their previously-chosen, secret categories by tapping the appropriate pictures on the smartphone display. By identifying the correct pictures, the user is essentially reassembling the one-time authentication code that was encrypted within the grid of images.
“Businesses are struggling to find a way to deploy strong authentication on public-facing websites without excessively burdening their customers,” said Curtis Staker, Chief Executive Officer, Confident Technologies. “It’s a step in the right direction that more websites are deploying two-factor authentication for users, but the common approaches including SMS and soft tokens, are not very secure. More than 160,000 mobile phones are lost or stolen each day in the US alone and even more are infected with malware — giving someone other than the owner physical or virtual possession of the second factor. When authentication codes are clearly displayed in plain text in an SMS message or as part of a soft token on the phone, they add virtually no security because anybody with physical or virtual possession of that second factor device can read the code and use it to authenticate a fraudulent transaction.”