Patented technology authenticates and encrypts every exchange of information, not just the first electronic "handshake".
Why Authenticating Once is Not Enough.
When you go into a bank to perform a transaction (like cashing a check), you are asked to authenticate yourself -- to prove who you are -- usually with a photo ID of some kind. Once you have done this, the teller has almost continual visual contact with you, recognizing you throughout the transaction by your appearance and voice, sometimes even by asking for additional information. This uninterrupted personal contact serves as "continuous authentication", a clear indicator that you are really "you", without further need of showing ID.
What if ongoing visual contact was not possible? What if you passed your ID through a hole in a wall where the teller could not even see your face? After the initial ID check, how would the teller even know it was you who was completing the transaction? If you temporarily walked away (maybe getting a mint from the end of the counter), the unseeing teller could unwittingly hand your money through the hole to the next person in line, even if the once-authenticated "you" was not gone more than a few seconds. You can see by this somewhat extreme example that continuous authentication is critical to real-world security. One piece of ID seen one time is not adequate. Real security relies on many different factors presented at different times.
In the online world, where critical identifying traits like a person's mannerisms, face, hair style and color, clothing, and driver's license cannot be seen, authentication usually only happens once. Enter a username and password and, voila, you're into your bank account. "How convenient. My financial institution allows me to manage my accounts and pay bills online." Sounds great.
There is a problem. Hackers are very good at breaking into online sessions, and are willing to wait until you enter your username and password. They are willing to wait until you are authenticated. They are then willing to take direct control of your browser to hijack your session, stealing money, stealing credit, or stealing your identity. "How can they do this? I thought I was authenticated?" You were ... one time.
Potential threats to network security are expanding, and enterprises and service providers continue to search for better solutions. The effectiveness of many common methods is outlined in the following chart.
Most authentication solutions combat only specific threats. Traditional methods typically authenticate only the first electronic "handshake" between two parties. RPM technology is the first to eliminate a wide array of security threats, including: phishing, pharming, man-in-the-middle attacks, keylogging, and session hijacking.
Until online sessions are protected with authentication technologies performing constant, mutual authentication, they will be exploited and your data will be compromised.
The obvious fix is to authenticate each party in a session by requiring a fresh credential with every transmission of data -- not just once in the session, but with every packet of data. The bad news (for other technologies, not RPM) is that they simply cannot do this! They all require too much of the user or too much computer overhead. Do you have a personal digital certificate? Would you want to create and enter a new and different password on every page? Using other technologies, that's what it would take to stop hackers.
Why Does the Credential Need to Change?
Let's take the same case in the bank above.
First, you were asked for identification, probably a driver's license or Social Security number. After a minute or two, would it help make you more secure if they asked you again for your license or SS number? How about after another two minutes?
The first point to make here is that getting the same information over and over during the same session would not heighten security. The only thing that would strengthen the authentication process is if the credential or "secret key" that is required changes each time. The second point is that the credentials being offered must not be able to be forged or stolen.
To positively identify a legitimate customer, to stop phishing and online identity fraud, an authentication system must have the following features:
- Continuous, mutual authentication and encryption - this ensures that every transmission (i.e. packet), from both the customer and the institution, is authenticated and encrypted.
- Progressive secret - to protect against "stolen" usernames, passwords, and long-lived digital certificates, your authentication credentials must change with every transmission and not be able to be guessed, re-used, forged, or counterfeited.
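The two features above can be illustrated with a per-message key ratchet. This is an added example, not 2factor's RPM algorithm or code from this page: the `RatchetPeer` class, the key-derivation labels and the sample messages are all assumptions, and it covers authentication only, not encryption.

```python
import hashlib
import hmac

class RatchetPeer:
    """Hypothetical peer: every packet is tagged with a key used exactly once."""

    def __init__(self, shared_secret: bytes, role: str):
        peer = "server" if role == "client" else "client"
        # Separate chains per direction, so each side authenticates the other.
        self._send = hashlib.sha256(shared_secret + role.encode()).digest()
        self._recv = hashlib.sha256(shared_secret + peer.encode()).digest()

    @staticmethod
    def _step(chain: bytes):
        # Derive a one-time message key and the next chain value (one-way).
        msg_key = hmac.new(chain, b"msg", hashlib.sha256).digest()
        next_chain = hmac.new(chain, b"chain", hashlib.sha256).digest()
        return msg_key, next_chain

    def seal(self, payload: bytes) -> bytes:
        key, self._send = self._step(self._send)
        return hmac.new(key, payload, hashlib.sha256).digest() + payload

    def open(self, packet: bytes):
        tag, payload = packet[:32], packet[32:]
        key, next_chain = self._step(self._recv)
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None              # reject and do not advance the chain
        self._recv = next_chain      # the accepted key is never valid again
        return payload

def demo():
    secret = b"constructed-shared-secret"   # constructed sample value
    client = RatchetPeer(secret, "client")
    server = RatchetPeer(secret, "server")
    p1 = client.seal(b"login ok")
    p2 = client.seal(b"pay 10 to alice")
    p3 = client.seal(b"pay 10 to bob")
    return {
        "first": server.open(p1),
        "replay_first": server.open(p1),    # captured packet sent again
        "second": server.open(p2),
        "tampered": server.open(p3[:32] + b"pay 99 to eve"),
        "server_to_client": client.open(server.seal(b"receipt 1")),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

A deployable protocol would also have to encrypt the payload and cope with lost or reordered packets, which this sketch does not attempt.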
2factor's Real Privacy Management™ and SecureWeb™ solutions are designed for this purpose. They are the only solutions for truly secure communications, and the only ones that defeat all known online identity theft attacks.