Tuesday, April 1, 2008

matrix card - super cheap yet secure T-FA solution

For those who don't know what T-FA is, I recommend you guys take a look at the Two-factor authentication article on Wikipedia:
An authentication factor is a piece of information and process used to authenticate or verify a person's identity for security purposes. Two-factor authentication (T-FA) is a system wherein two different methods are used to authenticate. Using two factors as opposed to one delivers a higher level of authentication assurance. Using more than one factor is sometimes called strong authentication.
The first factor, and most of the time the only factor, people use to authenticate their customers is username & password which is something they know. Then to implement T-FA, you must have another authentication mechanism that's based on either something the customers have or something they are.

So what is a matrix card? That's something you as the service provider give your customers and use it as the second factor. Each customer will be mapped to one unique matrix card, then in order to be authenticated, they must prove that they have that particular card. Still confused? Take a look at this picture:

Why uses matrix card, instead of other "sth the customers have" solutions, e.g. RSA SecurID or smart card? Because it's cheap, both for you and your customers.

The last time I checked, a complete RSA SecurID solution for about 1,000 customers cost almost $70,000. With that amount of money, I can give for free each of our 250,000 customers a matrix card and still have enough bucks to book a 7 days business class trip to Singapore. Another reason is it's easy to develop yourself. It took us just two weeks from nothing to have a fully working prototype. In fact, one of the reason I choose matrix card is I don't like the idea of using third-party proprietary software for something as critical as the authentication system.

In addition, when you step in the customer's shoes, you will see that it makes no sense whatsoever if you force them to pay 30-40 bucks for the hardware token. Of course, some customers are willing to pay, but most of them are not. This is enough to ruin the solution since you can not merely protect 5% of your customers and ignore the rest.

So matrix card is definitively the way to go. It's a simple, easy to use, cheap to deploy yet secure solution.

If you read my previous entry, you probably recognize my last sentence and the title of this entry are kinds of snake oil. Secure against what, secure from whom? You may want to ask these questions. Let me state clearly that two-factor authentication can not help protecting your customers from man-in-the-middle phishing and/or trojan attack.

The only solution is not to authenticate the customer, but to authenticate the transaction. You must not make any assumption whatsoever about the identity of the one who's committing the transaction regardless of how strong you authenticate her.

If there's one general precept of security policy that is universally true, it is that nothing coming from the the other side of the communication can be trusted. Validate the data or you got BOF, SQL injection, and/or fraud transactions. I'm talking about an adaptive fraud detection system that can learn and analyze each customer behaviour, monitor all the transactions and alert whenever there's something abnormal going on. I'll probably write more about this later.

But T-FA with matrix card, of course, is not totally useless. At least it's a cost effective mechanism to reduce the risk of identity thieves to an acceptable level for now.


Anonymous said...

Matrix cards hardly play the role of "something you have" since they are easily reproduceable (copyable), in contrast to, say, smartcards.



kimberly said...

buy viagra
viagra online
generic viagra

Archie Pavia said...

very nice posting. Great looking patterns for kids i will have to tell everyone I know about it. Thanks for your article, quite useful piece of writing. -- Concerts in new york city