Security, authorisation, identity, and confidentiality are key considerations in any information-driven system, organisation, or society. The issues of verifying access credentials, restricting access based on pre-set criteria, and maintaining the confidentiality and integrity of personal information are pertinent across a variety of scenarios. These include online banking, access to financial institutions’ systems as a user, signing in to a mobile web site that holds personal data, and so on.
Organisations address security issues such as viruses, Trojans, and phishing using a variety of means, including Unified Threat Management (UTM) and Intrusion Detection Systems (IDS). But today, four of five information security breaches happen internally. Security statistics reveal that, on average, 30 hours are spent resolving identity theft problems per victim, at a cost of almost $6,500. In fact, identity theft is the fastest-growing white collar crime today.
Techno Brain’s solution uses two-factor authentication, which goes a step beyond traditional systems by mapping the physical identity of the user to the server handling an authorisation request. Identity is established based on something the user has — such as a physical token — and something he/she knows, such as a password. It is more difficult for an impersonator to gain access to both of these than to either alone.
The two-factor authentication system provides for several types of tokens:
A physical device unique to each user — a “hard token” — which generates a new password every 90 seconds. The password is based on a randomised algorithm, so it cannot be guessed.
A smartphone application in which the user enters a PIN to generate a token. The token depends on the PIN as well as the phone’s International Mobile Station Equipment Identity (IMEI) number.
For desktops and laptops, the application generates a token based on a PIN that the user enters. The token depends on the MAC ID of the computer, so it is unique.
Tokens can also be generated via SMS. When a username is sent to the authentication server requesting a token, the application generates a one-time password (OTP) and sends it to the user’s registered mobile number via SMS.
Tokens of any of these types can be used to gain access to a system, application, or data. Examples include disk encryption, critical enterprise applications, data centre infrastructure, or even just email. Requests for tokens sent to the authentication server contain all relevant information: IP address, date, time, and location. Each request may be approved or denied. Users of the authentication system cannot see the value of the token sent out to the end user.
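The sketch below is an added example, not Techno Brain's code. It shows one way a token tied to a PIN and a device identifier could rotate every 90 seconds and be checked server-side with replay protection. The page does not disclose the actual algorithm, so the HMAC time-step construction, the per-user seed, the 6-digit length, and all function names are assumptions.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 90  # rotation interval stated on the page
DIGITS = 6         # assumed token length


def derive_device_key(seed: bytes, pin: str, device_id: str) -> bytes:
    """Bind an enrolled per-user seed (assumed) to the PIN and the device
    identifier (IMEI or MAC), so a copied seed alone yields no valid token."""
    salt = hashlib.sha256(device_id.encode()).digest()
    return hashlib.pbkdf2_hmac("sha256", seed + pin.encode(), salt, 100_000)


def token_for_counter(key: bytes, counter: int) -> str:
    """HMAC the time-step counter and truncate it to a short decimal code."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def token_at(key: bytes, unix_time: int) -> str:
    """Token the device would display at the given time."""
    return token_for_counter(key, unix_time // STEP_SECONDS)


def verify(key: bytes, submitted: str, unix_time: int,
           last_counter: int, drift: int = 1):
    """Server-side check. Accepts +/- `drift` steps of clock skew and skips
    any step at or before `last_counter`, so a token works only once.
    Returns the accepted counter (store it as the new last_counter) or None."""
    now = unix_time // STEP_SECONDS
    for counter in range(now - drift, now + drift + 1):
        if counter <= last_counter:
            continue  # already used or older: replay
        expected = token_for_counter(key, counter)
        if hmac.compare_digest(expected, submitted):
            return counter
    return None
```

The server must persist the returned counter per user; without that stored state, a captured token stays valid for the rest of its window plus the drift allowance.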