Q: Is there a reliable way for banks or other sites to recognize you by the specific PC you are using?
A: This is called device identification. The idea is that the bank or retail Web site will try to capture a “fingerprint” of the unique hardware device that the consumer is using. For example, it will look at the type and version of the operating system, the patch level, what kind of browser is being used and so forth. Most of the big authentication suites include this functionality. But it shouldn't be relied on exclusively, because the device fingerprint is pretty easy to spoof unless you're doing encryption or install some kind of client software on the user's system.
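To make the point above concrete, here is an added example (not from the interview, and not any vendor's algorithm) of a minimal server-side device fingerprint built from request headers, together with a login assessment that treats the fingerprint as a risk signal rather than as proof of identity. The header fields chosen, the sample requests and the category names are all assumptions constructed for this illustration. It shows two things the answer warns about: a fingerprint drifts for legitimate reasons (a browser update changes it), and a matching fingerprint alone proves nothing, because anything that reproduces the same headers produces the same digest, so the code only reports "trusted" when a server-issued device token is also present.

```python
import hashlib
import json

# Header fields folded into the passive fingerprint (assumption: a minimal,
# stdlib-only illustration; real suites use many more signals).
FINGERPRINT_FIELDS = ("user-agent", "accept-language", "accept", "accept-encoding")

# Constructed sample requests (not captured traffic).
SAMPLE_KNOWN = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ExampleBrowser/120.0",
    "Accept-Language": "en-US,en;q=0.9",
    "Accept": "text/html,application/xhtml+xml",
    "Accept-Encoding": "gzip, deflate, br",
}
# Same machine after a browser update: only the version string changes.
SAMPLE_UPDATED = dict(
    SAMPLE_KNOWN,
    **{"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ExampleBrowser/121.0"},
)
# A different machine entirely.
SAMPLE_OTHER = {
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/121.0",
    "Accept-Language": "de-DE,de;q=0.8",
    "Accept": "text/html,application/xhtml+xml",
    "Accept-Encoding": "gzip, deflate",
}


def canonicalize(headers):
    """Lower-case header names, strip whitespace, keep only fingerprint fields."""
    normalized = {k.lower().strip(): v.strip() for k, v in headers.items()}
    return {field: normalized.get(field, "") for field in FINGERPRINT_FIELDS}


def device_fingerprint(headers):
    """Return a stable SHA-256 hex digest of the canonicalized fingerprint fields."""
    canonical = canonicalize(headers)
    encoded = json.dumps(canonical, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(encoded).hexdigest()


def assess_login(known_fingerprints, headers, device_token_valid):
    """Combine the passive fingerprint with a server-issued device token.

    Returns one of:
      "trusted"          token valid and fingerprint previously seen
      "drift"            token valid but fingerprint changed (e.g. browser update);
                         re-enrol the new fingerprint rather than block
      "fingerprint-only" fingerprint matches but no valid token; headers are
                         trivially reproducible, so treat the device as unverified
      "unknown"          neither signal present; step-up authentication
    """
    fingerprint = device_fingerprint(headers)
    seen = fingerprint in known_fingerprints
    if device_token_valid and seen:
        return "trusted"
    if device_token_valid:
        return "drift"
    if seen:
        return "fingerprint-only"
    return "unknown"


if __name__ == "__main__":
    known = {device_fingerprint(SAMPLE_KNOWN)}
    for label, headers, token in (
        ("same device, token present", SAMPLE_KNOWN, True),
        ("same device after update, token present", SAMPLE_UPDATED, True),
        ("same headers, no token", SAMPLE_KNOWN, False),
        ("other device, no token", SAMPLE_OTHER, False),
    ):
        print(f"{label}: {assess_login(known, headers, token)}")
```

The design choice worth noting is that the fingerprint never promotes a session on its own: it can only downgrade a login that looks wrong or flag drift for re-enrolment. The token (a secure cookie or client-side component) is the part an attacker cannot reproduce just by copying headers, which is exactly the "client software" caveat in the answer.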
Q: What are the common ingredients in a consumer authentication software suite from one of the big security vendors?
A: Usually a suite will include device identification, risk analytics and some kind of identity proofing, but not necessarily the more recent forms of password hardening just mentioned. These suites were initially aimed at financial institutions, but now you increasingly see them deployed by online retailers as well. The three leading vendors are probably RSA, Entrust and Verisign. But then you also have smaller vendors providing point solutions that complement these suites, such as BioPassword and Bharosa, and lots of others. But some of the biggest online retailers like Amazon and eBay have historically rolled their own solutions in-house, just like the credit card companies did before them for risk analytics.
Q: Is digital watermarking still a reliable method of consumer authentication?
A: Digital watermarking is an older method used in consumer online authentication that is now somewhat deprecated, even though a lot of sites still use it. It was, or is, often used in conjunction with device identification. Once the Web site determines that your PC is the one it was expecting you to use, it displays a series of pictures and asks you to indicate the one you have previously selected. The aim is both to authenticate you and to let the target Web site prove that you are not being phished. However, digital watermarking is still subject to a man-in-the-middle attack, i.e., a fraudster could put a proxy site between you and the real Web site of your financial institution. In that case the man-in-the-middle would capture the images sent down from your bank's site, observe which one you selected, and send that back to your bank. Neither you nor your bank would know the difference.
Q: Does password hardening or even full-blown device-based multifactor authentication eliminate the need for identity proofing?
A: Absolutely not! All of these methods are worthless without proper identity proofing at the time the password or token is originally issued to the consumer. Or, in the case of the keyboard biometric, at the time when your bank's site first captures a sample of your typing. ID proofing is all about the organizational steps I take to prove that you really are who you say you are before I give you credentials. This is where a lot of financial institutions got it wrong. They didn't do proper ID proofing at the outset, and now they are finding that they have to go back and fix that.