Ever since the Reserve Bank of India (RBI) made it mandatory in 2009 for banks to offer two-factor authentication for Internet banking, both public and private sector banks have been on their toes to deploy this additional authentication factor for online transactions. To this end, several authentication methods are available, such as one-time passwords (OTPs), virtual keyboards, dual passwords using tokens and biometrics, and public key infrastructure (PKI) or digital signatures.
Adoption of PKI technology for enterprise-wide applications is still a distant dream. However, looking at the volume, criticality, risk of breach of trust and cost associated with the risk of online content, the private sector is also bound to go the PKI way. This is because no other existing technology provides the comprehensive security that PKI technology does today. As a matter of fact, PKI technology is the only security technology which has legal sanctity. This makes it ideal, but the difficulty in implementation—primarily owing to the lack of ability in technology providers—is keeping organizations away from it.
Despite this, banks and other organizations have strong reasons to go in for a PKI-based second factor of authentication. Let’s look at the scenarios in which PKI technology can be an apt method for two-factor authentication.
The choice of PKI technology depends on the threat perception of the function you are trying to protect. Scenarios which require legal sanctity are the primary candidates for PKI-based two-factor authentication.
When organizations want to be doubly sure about user identity, when the function’s risk perception is quite high, or when identity and data are to be shared between multiple applications (federated identity), PKI technology will be a good choice. A third-party transfer from your bank account using a Net banking facility is another example where PKI-based two-factor authentication applies.
In cases where the same authentication is to be propagated to multiple different applications, PKI technology might come in handy since it’s a standards-based mechanism and is accepted worldwide. This might help resolve interoperability issues which some other authentication mechanisms (such as OTP) may pose.
Beyond the complexity of the technology itself, a PKI implementation is primarily process-driven. PKI can be compared with other methods on many criteria, but again, which ones matter depends on what the organization wants.
Ease of use: PKI technology would fail here, but an image-based authentication would pass.
Ease of implementation: PKI technology fails again. However, RSA or time-based tokens also have equal levels of difficulty in implementation, even though vendors try to peddle it with promises of ready APIs and other such features.
Level of security: PKI technology will top everything else, even biometrics. This is because many attacks are possible on biometrics methods, but not on PKI.
Legal sanctity: PKI technology passes the legal front while its other competitors fail.
Apart from the aspects mentioned above, you should also keep the following considerations in mind.
1) Which support organization do you bank on? The best of planes can crash if given in the hands of an inexperienced pilot. Similarly, we have come across implementations where the PKI private key creates a hash but is sent in plain text mode via the network. In such cases, no matter how much a vendor may boast that the application is PKI-enabled, it can be cracked with a simple packet capture tool.
2) How easy is it to administer and manage the PKI solution? Certain vendors are offering a PKI-based solution as a service where enterprises don’t need to bother about key management.
3) How scalable is it? What kind of concurrency support does it provide?
4) Is the solution time- and field-tested? Does it comply with known standards and best practices?
5) What kind of media is supported for the storage of private keys? These include options like smart cards and crypto-tokens.
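Point 1 above describes a "PKI-enabled" application whose authentication value can be lifted with a packet capture. The following is an added example, not code from the article or from any vendor: it assumes the weakness is a static signed value that the server accepts again when it is resent, and contrasts it with a fresh-nonce challenge-response check that a proof of concept can test for. The function names, the `alice` user and the in-memory key pair are constructed for illustration.

```javascript
const crypto = require('crypto');

// Constructed demo key pair. In a deployment the private key stays on a smart
// card or crypto-token and the public key comes from the user's certificate.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', {
  namedCurve: 'prime256v1',
});

// Client side: sign a message with the private key (hypothetical helper).
function clientSign(message) {
  return crypto.sign('sha256', Buffer.from(message), privateKey);
}

// WEAK (assumed design): the server verifies a signature over a fixed string.
// The same bytes stay valid for every login, so a captured copy works again.
function weakLogin(userId, signature) {
  return crypto.verify('sha256', Buffer.from(userId), publicKey, signature);
}

// HARDENED: the server issues a fresh, single-use nonce for each attempt.
const pending = new Map(); // nonce (hex) -> userId it was issued to

function issueChallenge(userId) {
  const nonce = crypto.randomBytes(32).toString('hex');
  pending.set(nonce, userId);
  return nonce;
}

function strongLogin(userId, nonce, signature) {
  if (pending.get(nonce) !== userId) return false; // unknown or already used
  pending.delete(nonce); // a nonce is accepted once only
  const signed = Buffer.from(`${userId}|${nonce}`);
  return crypto.verify('sha256', signed, publicKey, signature);
}

// Runs both designs and resends the same signature to each.
function demo() {
  const user = 'alice';
  const staticSig = clientSign(user);
  const weakFirst = weakLogin(user, staticSig);
  const weakReplay = weakLogin(user, staticSig); // same bytes resent

  const nonce = issueChallenge(user);
  const sig = clientSign(`${user}|${nonce}`);
  const strongFirst = strongLogin(user, nonce, sig);
  const strongReplay = strongLogin(user, nonce, sig); // same bytes resent
  const strongStale = strongLogin(user, issueChallenge(user), sig); // old signature, new nonce
  return { weakFirst, weakReplay, strongFirst, strongReplay, strongStale };
}
```

In the weak design the resent signature is accepted; in the hardened design both the resend and the stale signature against a new nonce are rejected.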
Steps for adopting PKI-based two factor authentication
1) Define the requirements.
2) Perform vendor analysis. An in-depth analysis of vendor capabilities can be done by asking the vendor to help you do a critical analysis of the applicability of PKI technology.
3) Experiment with a proof of concept. Make the vendor implement this on a part or a page of the application.
4) Negotiation and selection.
5) Implementation and integration.
6) Define the digital signature certificate (DSC) distribution mechanism.
7) User training and DSC distribution.
Challenges in PKI technology implementation
Change management will be a big challenge during PKI implementation. People have varied misconceptions and expectations about PKI technology, perhaps because it does put an extra burden on end users for managing their certificates and tokens. At the same time, even technical people may have unrealistic ideas about the security provided by PKI technology. Managing all these expectations by spreading correct knowledge might become a challenge. To sum up, PKI technology will be the right choice when backed by the appropriate ecosystem (infrastructure, legal recognition, etc.).
About the author: Ruchir Karanjgaokar is project manager (applications) at (n)Code Solutions, a division of GNFC. He has been involved in several PKI implementations.
(As told to Dhwani Pandya.)
This was first published in September 2010