While shopping online on Amazon's Indian portal, I had to log in and go through a Two Factor Authentication (TFA) process. In the USA, TFA is widely adopted by financial organizations and online banking, but when it comes to making purchases online we are still stuck with static-password authentication, which is prone to misuse. The death of the password may be certain, but we are not there yet. Until then, passwords remain the essential tool for keeping an identity intact and access safe. No matter how often we read about hacking and cyber-crime, a user who keeps a weak password is simply assuming that an attacker will never find them. Static passwords provide the basic access control, but they are not a foolproof way of keeping users safe on the internet. Security breaches on websites show that static passwords are not enough, and the rule of internet security is that it must keep evolving.
At the most basic level, a static password needs two things to be secure: length and complexity (leaving aside access from a dedicated device on which the system remembers the user's credentials). Users slip up: no matter how often we talk about sticking to strong passcodes built from symbols, numbers, uppercase and lowercase letters, such passwords are difficult to keep track of.
When it comes to accessing enterprise platforms, organizations have to think structurally about better authentication mechanisms. Two Factor Authentication (TFA) is a proven, reliable technology that shields against cyber criminals trying to crack passwords and hijack user accounts. TFA typically uses any two of the following three factors to secure a user's identity and bar access by unscrupulous users:
- Knowledge – Static password and Username
- Possession – OTP received on mobile/email account
- Biometric – Fingerprints, pupil impressions
Quite often, single sign-on solutions add a One-Time Password (OTP) generation step when granting access to highly sensitive applications. As a security token, the OTP is one embodiment of TFA. It allows a layered security mechanism in which an attacker is unlikely to get past two distinct layers, namely the static password and the OTP.
This sheds light on the debate over OTP and a password-free cyber world, which often leads to discussion of security and of instilling confidence in users. Globally, many e-commerce websites layer access with a username, a static password and an OTP, especially for financial transactions. OTP authentication generates highly secure one-time passwords, ensuring that only properly authenticated users are authorized to access critical applications and data.
One-time passwords ease the problems of identity theft and fraudulent transactions by providing end users with a password that is usable once and valid only for a short time span. It is an event-based generation of an instant password that defends against 'man in the middle' attacks. It is a cost-effective alternative to an expensive digital-certificate-based authentication mechanism in arrangements where what is at stake is relatively low. An OTP, combined with a static password or a digital-certificate-based authentication mechanism, braces users and businesses against cyber-attacks and identity theft.
It protects online bank accounts, internet-based transactions, corporate networks and systems containing sensitive data. It paves the way for strong authentication systems that address the limitations of static passwords by incorporating an additional security credential (the OTP) to protect network access and end users' digital identities. This adds an extra level of complexity for unauthorized access and creates a shield against phishing attacks (attempts to trick users into handing over their password information).
OTP frees users from creating and maintaining easily deciphered static passwords in favor of randomly generated ones, combined with a personally selected PIN. These systems can be easily deployed and managed in the cloud with no new hardware, using only the customer's existing smartphone, tablet or laptop.