The Issue – Identity Theft
Identity authentication is the process of examining the genuineness of a claimed identity. When a website authenticates the identity of its user, the typical approach is to request the user's login ID and a secret password supposedly known only to the user and the website. However, increasingly rampant identity theft has made traditional password authentication inadequate. The common technique used is "phishing", where users are tricked into divulging their passwords. There are also reported cases of "man-in-the-middle" attacks, where the user's login session is hijacked.
The impact of identity theft could be any of the following:
- Loss of confidential information, if the stolen account grants access to confidential personal or business information.
- Financial losses, if the stolen account grants access to financial transactions such as Internet banking or online stock trading.
Firstly, the solution used as a countermeasure to identity theft should be effective against both common attacks such as phishing and advanced attacks like man-in-the-middle.
Ease of Implementation
Next, the solution should be easy to integrate with the existing website and practical to deploy to a large number of users with minimal effort. Also, the solution should require minimal user involvement and, if possible, be totally transparent to the users.
Lastly, the solution should be cost-effective even for large scale deployments to thousands or millions of users. It should also minimize both initial investments and ongoing operation and maintenance costs.
TheGRID – Stop Identity Theft
TheGRID is a user-end device identification and authentication solution commonly used for the following purposes:
- Two-factor authentication for additional validation for logins or transactions
- User device identification and restriction to deter unauthorized account sharing
TheGRID implements two-factor authentication using the user's device as the additional proof of the user's identity.
Two-factor authentication is the introduction of "something the user has" as the additional proof of identity to complement the existing proof based on "something the user knows" (the password). This additional proof could be anything that is owned by or in possession of the user, and has previously been made known to the website through a registration process.
Zero physical deployment can be achieved by rephrasing "something the user has" to "something the user already has"! Since it is something that is already with the user, no additional physical item needs to be delivered to the user.
The set of devices the user uses to access the website is registered and associated with the user's login ID. Two-factor authentication is then achieved by uniquely identifying the user's device and checking it against the list of registered devices for that particular user. The device registration process can be incorporated seamlessly into a website's existing login workflow.
TheGRID implements mutual authentication by providing users with a friendly tool to identify a known genuine website.
The centre of attention in web authentication has normally been the user authentication performed by websites. However, one often overlooked aspect of web authentication is the authentication of the website by the user. In fact, the success of recent phishing attacks owes a great deal to the inability of users to distinguish between genuine websites and fraudulent replicas. TheGRID addresses this very important issue, which some alternative approaches typically do not address. Mutual authentication is also known to be effective against "man-in-the-middle" attacks.
This is an optional feature normally implemented in the second phase of TheGRID deployment after the two-factor authentication has been fully deployed.
Security With Total Convenience
TheGRID secures online businesses without compromising user convenience. Customers will continue to enjoy the same login experience while the underlying two-factor authentication works in the background.
Control and Confidence
TheGRID allows customers to easily and completely control where they can access the website from. Users will have confidence that no one else can access their online accounts even if their login credentials have been stolen.
Website Identity Assurance
TheGRID performs stringent website verification so that users can be assured of the true identity of the website they visit with just a casual glance, and are less likely to be victimized by online scams and fraudulent websites.
TheGRID solution can be quickly and easily deployed over the web to the masses with virtually zero deployment cost.
TheGRID solution requires no maintenance. There is no end user security device to maintain.
Low Cost of Operation
TheGRID solution requires virtually no operating cost by utilizing your existing web infrastructure.
How It Works
Two Factor Authentication
TheGRID will only allow access from devices that have been registered by the user. The registration process is simple and straightforward with just one step required of the user – to perform a quick email verification.
The registration workflow is outlined below and also illustrated in the diagram:
- User logs in at a device that has never been registered by the user.
- TheGRID detects that this device is not one of the registered devices and hence denies access. However, an email will be sent automatically by TheGRID to the user's email address that has previously been registered with the website. The website displays a page informing the user about the login failure and requests the user to check the verification email.
- The user clicks a hyperlink in the verification email, which triggers TheGRID to verify the email link and register the user's current device.
- TheGRID redirects the user back to the web portal. Any subsequent login from this registered device should be successful without any intervention, as described in the previous section.
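The registration workflow above, modeled as an added example; it is not TheGRID's own code. The class name, the HMAC-signed link token, the 15-minute lifetime, single-use redemption and the rule that the link must be opened on the device that attempted the login are all assumptions made here for illustration.

```python
import hashlib, hmac, secrets, time

TOKEN_TTL = 900  # seconds an e-mailed link stays valid (assumed value)

class DeviceRegistry:
    """Constructed model of the workflow; IDs are assumed to contain no '|'."""

    def __init__(self, key=None):
        self.key = key or secrets.token_bytes(32)
        self.devices = {}   # login ID -> set of registered device IDs
        self.used = set()   # nonces of links that were already redeemed

    def _sign(self, payload):
        return hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()

    def login(self, user, device_id, now=None):
        """Call after the password check has passed. Returns (status, token)."""
        now = int(time.time()) if now is None else now
        if device_id in self.devices.get(user, set()):
            return "granted", None
        # Unknown device: deny access and issue the token for the e-mail link.
        payload = f"{user}|{device_id}|{now + TOKEN_TTL}|{secrets.token_hex(8)}"
        return "verify_email", f"{payload}|{self._sign(payload)}"

    def confirm(self, token, device_id, now=None):
        """Redeem an e-mailed link from device_id; True if the device was registered."""
        now = int(time.time()) if now is None else now
        payload, _, mac = token.rpartition("|")
        if not hmac.compare_digest(mac.encode(), self._sign(payload).encode()):
            return False    # forged or altered link
        user, bound_device, expiry, nonce = payload.split("|")
        if now > int(expiry) or nonce in self.used:
            return False    # expired, or a replay of a redeemed link
        if device_id != bound_device:
            return False    # link opened on a different device than the login
        self.used.add(nonce)
        self.devices.setdefault(user, set()).add(device_id)
        return True

if __name__ == "__main__":
    reg = DeviceRegistry()
    status, token = reg.login("alice", "laptop-1")   # constructed sample IDs
    print(status, reg.confirm(token, "laptop-1"), reg.login("alice", "laptop-1"))
```

In this model the email inbox carries the whole weight of the second factor, so the link's lifetime, single use and device binding are the properties to check in any real deployment of such a workflow.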
The user login experience will not change with the introduction of TheGRID. The redirection to TheGRID server is automatic and takes only a brief moment. Once the user has entered the existing login ID and password, the next screen seen by the user is the main screen of the website. Please note that the user is not required to perform any additional steps for the two-factor authentication to take place. Device identification and verification take place in the background without any user intervention.
TheGRID solution comes with an additional component called TheGRID Authenticator that can optionally be deployed to the users in the form of a web browser add-on to enable mutual authentication.
TheGRID Authenticator is configured with technical information about the genuine websites. Whenever a user visits a known website, a quick but stringent website identity verification process will take place to ascertain the integrity of the website. Fraudulent websites and man-in-the-middle systems will always fail the website verification process.
In addition, TheGRID Authenticator will only submit the two-factor information to a trusted genuine website after a series of stringent website identity verifications, to prevent the security information from falling into the wrong hands. Hence, TheGRID solution is not vulnerable to phishing or even man-in-the-middle attacks.
TheGRID Authenticator is an optional feature and should only be implemented when deemed necessary. It should be deployed in a later project phase after the standard two-factor authentication has been fully deployed.