What is Mutual Authentication?
Mutual authentication is really site or host authentication to the user combined with user authentication to the site. Site authentication is already provided by SSL. Unfortunately, many sites ask users to log into non-SSL sites and users rarely check SSL certificates for validity. Fraudulent websites can use self-issued SSL certificates to fool users or generate a fake SSL ‘key lock’ and position it over the key location in the browser. SSL site authentication is clearly broken.
The Risk of MITM attacks
Multi-factor authentication systems that lack site authentication are susceptible to man-in-the-middle (MITM) attacks. A real-world example is a recent phishing attack against a Swedish bank that used one-time, non-time-bound passcodes delivered via a scratch pad. Users were directed to a fake website and asked to log in. Each time they tried, they were rejected and asked to use the next code; the attackers were harvesting the passcodes. MITM attacks can be automated to a high degree. For example, a fraudulent site could accept a time-bound one-time passcode and immediately use it to log into the bank within the time allowed. Only strong, cryptographically secure mutual authentication can stop MITM attacks.
How WiKID handles Mutual Authentication
WiKID uses a hash of the server certificate stored on the authentication server to perform site authentication. When the user requests an OTP, the hash is also sent to the token client. Before presenting the user with the OTP, the token client fetches the certificate from the website, hashes it and compares it to the retrieved hash. If the hashes match, the URL is presented as validated and the default browser is launched to that URL. This method leverages the security and investment in SSL certificates and provides a consistent session and mutual authentication method to the user.
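The check described above, as an added example that is not WiKID's own code: the authentication server keeps a hash of the enrolled site's certificate and sends it alongside the OTP; the token client fetches the certificate the site actually presents, hashes it and compares. The hash algorithm (SHA-256 over the DER bytes), the message layout, and the certificate bytes are assumptions; the certificate bytes are constructed placeholders so the example runs offline, while `fetch_certificate_der` shows how a live fetch would work with the standard library.

```python
"""Certificate-hash site validation in the style described above (added example)."""
import hashlib
import hmac
import socket
import ssl
from typing import Callable, Dict, Tuple
from urllib.parse import urlparse

# Constructed stand-ins for DER-encoded X.509 certificates so the example runs
# offline. In practice these are the bytes the TLS server presents.
GENUINE_CERT_DER = b"constructed DER bytes: bank.example, CN=bank.example"
LOOKALIKE_CERT_DER = b"constructed DER bytes: self-issued cert for bank.example"


def cert_fingerprint(der: bytes) -> str:
    """Hex SHA-256 of the certificate's DER bytes (the hash algorithm is an assumption)."""
    return hashlib.sha256(der).hexdigest()


def fetch_certificate_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Retrieve the leaf certificate a live site presents.

    Chain validation is intentionally disabled here: the pinned hash, not the CA,
    is the trust decision, which is why a self-issued or expired certificate can
    still be pinned and checked.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


# --- authentication server side (assumed layout) ----------------------------
# Hash of each protected site's certificate, stored when the site is enrolled.
PINNED: Dict[str, str] = {
    "https://bank.example/login": cert_fingerprint(GENUINE_CERT_DER),
}


def update_pinned_hash(url: str, new_cert_der: bytes) -> str:
    """Rotate the stored hash after a certificate renewal; returns the new hash."""
    PINNED[url] = cert_fingerprint(new_cert_der)
    return PINNED[url]


def issue_otp_response(url: str, otp: str) -> Dict[str, str]:
    """Message sent to the token client: the OTP travels with the stored hash."""
    return {"url": url, "otp": otp, "cert_sha256": PINNED[url]}


# --- token client side ------------------------------------------------------
def validate_site(response: Dict[str, str],
                  fetch: Callable[[str], bytes] = fetch_certificate_der) -> Tuple[bool, str]:
    """Fetch the site's current certificate and compare its hash with the one the
    server sent. Only a match allows the URL to be presented as validated."""
    host = urlparse(response["url"]).hostname or ""
    try:
        presented = fetch(host)
    except OSError as exc:
        return False, f"could not retrieve certificate from {host}: {exc}"
    # Constant-time comparison; the hashes are not secret, but this is cheap hygiene.
    if not hmac.compare_digest(cert_fingerprint(presented), response["cert_sha256"]):
        return False, "certificate hash mismatch; site not validated, OTP withheld"
    return True, response["url"]


def token_client_flow(response: Dict[str, str],
                      fetch: Callable[[str], bytes] = fetch_certificate_der):
    """Return the OTP only for a validated site, mirroring the client behaviour
    described above; returns None when validation fails."""
    ok, _detail = validate_site(response, fetch)
    return response["otp"] if ok else None


if __name__ == "__main__":
    msg = issue_otp_response("https://bank.example/login", "482913")
    # Genuine site presents the enrolled certificate.
    print(token_client_flow(msg, lambda host: GENUINE_CERT_DER))   # 482913
    # Lookalike (or DNS-hijacked) host presents a different certificate.
    print(token_client_flow(msg, lambda host: LOOKALIKE_CERT_DER))  # None
```

Because the client hashes whatever certificate the resolved host presents, a DNS hijack or lookalike site that cannot present the enrolled certificate fails the comparison and the OTP is never shown; rotating the stored hash after a renewal is a single server-side update.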
WiKID’s Mutual Authentication system provides these benefits:
- “SSH-esque” validation of the server certificate
- No reliance on cookies or images, and not susceptible to DNS attacks
- Only WiKID offers site, user and transaction authentication in one package
- Simple to update the stored SSL certificate hash
- Supports self-issued and expired certificates
- Consistent user experience - no falling back to ‘20 questions’