Heartbleed Attack Proves the Need for Out-of-Band Authentication for Changes to Online Accounts or Transactions

Any Two-Factor Authentication Workflows That Do Not Employ an Out-of-Band Communication Are Vulnerable to Heartbleed

        Print
| Source: Authentify

CHICAGO, April 11, 2014 (GLOBE NEWSWIRE) -- The Heartbleed attack proves that the need for out-of-band authentication to verify that a legitimate account owner is the one making changes to online accounts or transactions has never been more critical. Effective out-of-band two-factor authentication would protect end users when password files are breached or intercepted using a Heartbleed type vulnerability.

In fact, the entire Heartbleed episode shines a light on the weakness of a password-based login protection scheme originally devised when computers and computer terminals were kept in locked rooms with raised floors and a 56k modem was considered 'fast.'

"Passwords are not an invalid 'something-you-know,' but the way the industry uses passwords is flawed," according to Peter Tapling, president and CEO of Authentify Inc. "Requiring a longer, more difficult password string makes for a poor user experience. Further, many password reset functions use an email link to reset the password. If a fraudster has all of your bank account login information, they likely have your email login as well, making email ineffective as a second authentication channel. The barriers to hijacking an account protected only by a password are just too low. "

Out-of-band authentication can protect users and enterprises from these types of threats, but only if done properly. The Heartbleed attack breaches the supposedly secure HTTPS Internet communication between a website and an end user and is designed to steal passwords and login credentials or hijack online accounts. However, adding out-of-band authentication that employs a voice telephone call or a separate secure data channel via an app on a smart device effectively thwarts hackers' efforts to capitalize on Heartbleed. 

Authentify developed voice channel protection of this type in the late 1990s and first demonstrated it at the RSA Conference in 2001. Authentify introduced an app dedicated to out-of-channel verification at Finovate in 2011.

"We're confident Authentify workflows tied to two-factor authentication for login or transaction verification will protect our customers' end users from Heartbleed," offered Tapling. "Security issues aside, relying on usernames and passwords alone to protect valuable online content is a poor business practice. As we have seen too many times, the breach of any one password repository exposes accounts at many businesses." 

Heartbleed represents significant risks that go beyond an organization's consumer-facing website to threaten the enterprise systems as well. The use of Web-based portals and cloud services that rely on secure SSL connections for customer resource management, distribution, supply chain and payments introduces the risk of a breach to back office systems.  

"I expect we will see a movement to add out-of-band authentication processes to activities once considered a lower risk so they are better protected," said Tapling.

About Authentify

Authentify provides multi-layered telephone based user authentication services that can be controlled by enterprise policy, while offering a very simple, intuitive and consistent end user experience. Authentify helps some of the most prominent online brands reduce risk, drive revenue and keep their customers engaged and safe.

Authentify employs a patented out-of-band authentication process providing a message-based architecture that seamlessly integrates with existing online processes developed for e-business, secure information access, or the distribution of security credentials. With its multi-language compatibility using landlines, mobile phones, tablets and other smart devices Authentify's service offers a truly portable authentication solution with worldwide reach that leaves no end users behind.

For more information, visit http://www.authentify.com

Deb Montner
Montner & Associates, Tech PR
203-226-9290
dmontner AT montner.com