Multi-channel, Multi-level Authentication for More Secure eBanking
Date: August 2010
Publication: Information Security South Africa Conference 2010
Source 1: http://icsa.cs.up.ac.za/issa/2010/Proceedings/Research/10_paper.pdf
Abstract or Summary:
For decades, traditional authentication methods have proved weak in protecting users and organizations from various online attacks. These include brute-force password cracking, phishing, sniffing, active man-in-the-middle attacks, and session hijacking.
The introduction of one-time passwords (OTP) and multi-channel authentication (MCA) has demonstrated the ability to protect users' online accounts from being compromised. However, without careful thought being given to implementation details, these authentication methods can still have weaknesses that could allow real-time attacks to succeed. This paper presents guidelines on how multi-channel authentication should be implemented so that it adequately protects users' online accounts. The proposed structure can be used in personal banking or corporate banking applications and has the potential to withstand the most commonly deployed attacks.
To evaluate the proposed MCA and test user acceptance, a prototype web application was implemented. Our evaluation of the MCA concept using this prototype with Omani participants showed that 61% of the 42 participants who evaluated the application were satisfied with the level of security offered by multi-channel authentication, and 66% of them believed that it was easy to perform transactions. We found that most participants were not familiar with the vouching code (the fourth authentication factor proposed by RSA) implemented as part of the study. However, 69% stated that they found this feature convenient when the primary channel was unavailable. Finally, 79% of respondents agreed that they would recommend the multi-channel authentication mechanisms to others if implemented by their bank.