What is Transaction Authentication?
Transaction authentication binds a one-time passcode to the details of a specific transaction, much as a digital signature binds a signature to a specific document. For example, when a user initiates a transaction the bank considers high-risk, such as a one-time, large payment to a new payee, the bank requires a second one-time passcode, computed over that transaction's details, before it executes the transaction.
The Risk of Session Hijacking Trojans
Even with both session authentication and mutual (site) authentication strengthened, a session-hijacking trojan can still empty a bank account. Such trojans exist in the wild. Once the user has established the SSL session with the bank site, the trojan activates and, unbeknownst to the user, submits fraudulent transactions over the already-authenticated session.
Why WiKID is uniquely capable of handling Transaction Authentication
It is critical that transaction authentication be cryptographically distinct from the session authentication mechanism; otherwise the attacker will simply try to get the user to re-authenticate for the session. A simple notice saying “Connection was lost, please re-authenticate” will get most users to enter a new one-time password, which the trojan can then spend on a fraudulent transaction instead of on the session.
This requirement highlights a key difference between shared-secret systems and the WiKID Strong Authentication System. WiKID can support multiple authentication domains with no reduction in security: one WiKID domain can serve sessions and another transactions, or a user can hold more than one key pair on separate devices. For example, they might have a session token on their PC and a transaction token on their cell phone.
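The following is an added illustration, not WiKID's own code or protocol: it models two separate authentication domains with two independent HMAC keys (WiKID itself uses a public/private key pair per domain; plain HMAC is substituted here so the example runs stand-alone) and shows why binding the code to the transaction details, in a domain the session token knows nothing about, defeats the trojan. The key values, field names and the sample payment are constructed for the example. A code computed over the details as displayed on the transaction token is rejected when the trojan alters the payee in transit, a freshly phished session passcode is rejected in the transaction domain, and a captured transaction code cannot be replayed.

```python
import hashlib
import hmac
import struct

# Constructed demo secrets: the only property that matters is that the session
# domain and the transaction domain share no key material at all.
SESSION_KEY = bytes.fromhex("11" * 32)
TXN_KEY = bytes.fromhex("22" * 32)

# Constructed sample transaction; the nonce is a per-transaction value the bank issues.
SAMPLE_TXN = {"account": "12345678", "payee": "ACME Supplies",
              "amount_cents": 250000, "nonce": "txn-0001"}


def _truncate(digest: bytes, digits: int = 8) -> str:
    """Dynamic truncation in the style of RFC 4226 (HOTP): a short numeric code."""
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def session_otp(key: bytes, counter: int) -> str:
    """Counter-based session passcode: proves possession of the session token only."""
    return _truncate(hmac.new(key, struct.pack(">Q", counter), hashlib.sha256).digest())


def canonical_transaction(txn: dict) -> bytes:
    """Fixed-order, unambiguous encoding; the code is bound to exactly these fields."""
    return f"{txn['account']}|{txn['payee']}|{txn['amount_cents']}|{txn['nonce']}".encode()


def transaction_code(key: bytes, txn: dict) -> str:
    """Code the transaction token shows the user, computed over the details it displays."""
    return _truncate(hmac.new(key, canonical_transaction(txn), hashlib.sha256).digest())


class TransactionVerifier:
    """Bank side: recompute the code over the transaction as actually received."""

    def __init__(self, txn_key: bytes) -> None:
        self.key = txn_key
        self.used_nonces: set[str] = set()

    def verify(self, txn: dict, code: str) -> bool:
        if txn["nonce"] in self.used_nonces:
            return False  # replay of an already-approved transaction
        expected = transaction_code(self.key, txn)
        if not hmac.compare_digest(expected, code):
            return False  # details changed in transit, or code from the wrong domain
        self.used_nonces.add(txn["nonce"])
        return True


def demo() -> dict:
    """Walk through the three attacks the text describes; every entry should be True."""
    verifier = TransactionVerifier(TXN_KEY)
    code = transaction_code(TXN_KEY, SAMPLE_TXN)  # user reads this off the transaction token
    results = {}
    # 1. Trojan rewrites the payee on the wire but relays the user's code unchanged.
    tampered = dict(SAMPLE_TXN, payee="Mule Account")
    results["tampered_rejected"] = not verifier.verify(tampered, code)
    # 2. Trojan shows "Connection lost, re-authenticate" and steals a fresh session OTP.
    phished = session_otp(SESSION_KEY, counter=42)
    results["session_otp_rejected"] = not verifier.verify(SAMPLE_TXN, phished)
    # 3. The genuine transaction with the genuine code is accepted exactly once.
    results["genuine_accepted"] = verifier.verify(SAMPLE_TXN, code)
    results["replay_rejected"] = not verifier.verify(SAMPLE_TXN, code)
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

The important design point is that `TXN_KEY` never lives on the device that holds `SESSION_KEY`, and that the bank recomputes the code over the transaction it actually received, so whatever the trojan changes between the token's display and the bank invalidates the code.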
WiKID’s Transaction Authentication provides these benefits:
- Cryptographically distinct from session authentication
- Thwarts session-hijacking trojans
- Users can use the same PIN or a different PIN
- Users can use the same WiKID Token client or a different one
- Only WiKID offers site, user and transaction authentication in one package