THE ISSUE – IDENTITY THEFT
Identity authentication is the process of verifying that a claimed identity is genuine. When a website authenticates its user, the typical approach is to ask the user for a login ID and a secret password supposedly known only to the user and the website. However, increasingly rampant identity theft has made traditional password authentication inadequate. The common technique is “phishing”, where users are tricked into divulging their passwords. There are also reported cases of “man-in-the-middle” attacks, where the user’s login session is hijacked.
The impact of identity theft could be any of the following:
- Loss of confidential information, if the stolen account grants access to confidential personal or business information.
- Financial losses, if the stolen account grants access to financial transactions such as Internet banking or online stock trading.
Firstly, the solution used as a countermeasure to identity theft should be effective against both common attacks such as phishing and advanced attacks such as man-in-the-middle.
Ease of Implementation
Next, the solution should integrate easily with the existing website and be practical to deploy to a large number of users with minimum effort. Also, the solution should require minimal user involvement and, if possible, be totally transparent to the users.
Lastly, the solution should be cost-effective even for large-scale deployments to thousands or millions of users. It should also minimize both initial investment and ongoing operation and maintenance costs.
THEGRID – STOP IDENTITY THEFT
TheGRID is a user-end device identification and authentication solution commonly used for the following purposes:
- Two-factor authentication for additional validation for logins or transactions
- User device identification and restriction to deter unauthorized account sharing
TheGRID implements two-factor authentication using the user’s device as the additional proof of the user’s identity.
Two-factor authentication is the introduction of “something the user has” as the additional proof of identity to complement the existing proof based on “something the user knows” (the password). This additional proof could be anything that is owned by or in possession of the user, and has previously been made known to the website through a registration process.
Zero physical deployment can be achieved by rephrasing “something the user has” to “something the user already has”! Since it is something that is already with the user, no additional physical item needs to be delivered to the user. The set of devices the user uses to access the website is registered and associated with the user’s login ID. Two-factor authentication is then achieved by uniquely identifying the user’s device and verifying it against the list of registered devices for that particular user. The device registration process can be incorporated seamlessly into a website’s existing login workflow.
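The device check described above, as an added example that is not TheGRID's own code: a login decision that requires both the password and a device already registered to that login ID. Assumptions: the device identifier arrives as an opaque string (the page does not say how the device is uniquely identified), and `DeviceRegistry`, its methods, `SERVER_KEY` and the decision strings are hypothetical names.

```python
import hashlib
import hmac
import secrets

# Assumption: a server-side key so device identifiers are stored as keyed hashes.
SERVER_KEY = secrets.token_bytes(32)


def _device_tag(device_id: str) -> bytes:
    # Keyed hash of the device identifier; the raw value is never stored.
    return hmac.new(SERVER_KEY, device_id.encode(), hashlib.sha256).digest()


def _password_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class DeviceRegistry:
    """Associates each login ID with a password and a set of registered devices."""

    def __init__(self):
        self._users = {}  # login_id -> {"salt", "pw", "devices"}

    def add_user(self, login_id: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[login_id] = {
            "salt": salt,
            "pw": _password_hash(password, salt),
            "devices": set(),
        }

    def register_device(self, login_id: str, device_id: str) -> None:
        # Called only after the site's own registration step has succeeded.
        self._users[login_id]["devices"].add(_device_tag(device_id))

    def login(self, login_id: str, password: str, device_id: str) -> str:
        user = self._users.get(login_id)
        if user is None:
            return "DENY"
        # Factor 1: something the user knows.
        if not hmac.compare_digest(user["pw"], _password_hash(password, user["salt"])):
            return "DENY"
        # Factor 2: something the user already has (a registered device).
        tag = _device_tag(device_id)
        if any(hmac.compare_digest(tag, known) for known in user["devices"]):
            return "ALLOW"
        return "REGISTER_DEVICE"  # correct password, unknown device
```

A correct password presented from an unregistered device yields `REGISTER_DEVICE` rather than `ALLOW`; how the site verifies the user before calling `register_device` is outside what the page describes.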