What is Mutual authentication?
Def#1:
The process of two principals proving their identities to each other.
Def#2:
Mutual authentication or two-way authentication refers
to two parties authenticating each other. In technology terms,
it refers to a client or user authenticating itself to a server and
that server authenticating itself to the client in such a way that both
parties are assured of the other's identity.
Typically, this is done for a client process and a server process without user interaction.
Mutual SSL provides the same guarantees as SSL, with the addition of
authentication and non-repudiation of the client, using digital
signatures. However, because of the complexity, cost, logistics,
and limited effectiveness involved, most web applications are designed so they do not
require client-side certificates. This leaves an opening for
man-in-the-middle attacks, in particular against online banking.
As the Financial Services Technology Consortium put it in its
January 2005 report, "Better institution-to-customer authentication
would prevent attackers from successfully impersonating financial
institutions to steal customers' account credentials; and better
customer-to-institution authentication would prevent attackers from
successfully impersonating customers to financial institutions in order
to perpetrate fraud."
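As an added example, not part of the original page, the following Go program (standard library only) shows the difference between server-only and mutual authentication in practice: the server is configured with tls.RequireAndVerifyClientCert, so a client that presents a certificate chaining to the trusted pool completes the handshake while one that presents nothing is rejected. The function names are assumptions, and the single self-signed certificate that plays server identity, client identity and trust root is constructed test material, not a real CA.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"time"
)

// selfSigned mints one self-signed cert (constructed test material) used as server identity, client identity and trust root.
func selfSigned() (tls.Certificate, *x509.CertPool, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return tls.Certificate{}, nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), DNSNames: []string{"localhost"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		// one cert plays both roles, so it must pass the server-auth and the client-auth check
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true, IsCA: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil { return tls.Certificate{}, nil, err }
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// tryHandshake runs one handshake against a server that insists on a client cert; returns the server's verdict.
func tryHandshake(id tls.Certificate, pool *x509.CertPool, sendClientCert bool) bool {
	srv := &tls.Config{Certificates: []tls.Certificate{id}, ClientCAs: pool,
		ClientAuth: tls.RequireAndVerifyClientCert} // the "mutual" part: demand and verify a client cert
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srv)
	if err != nil { return false }
	defer ln.Close()
	verdict := make(chan error, 1)
	go func() { // server side: Handshake returns nil only if the client proved its identity
		c, err := ln.Accept()
		if err != nil { verdict <- err; return }
		verdict <- c.(*tls.Conn).Handshake()
		c.Close()
	}()
	cli := &tls.Config{RootCAs: pool, ServerName: "localhost"} // the client always verifies the server
	if sendClientCert { cli.Certificates = []tls.Certificate{id} } // ...and signs to prove itself
	if conn, err := tls.Dial("tcp", ln.Addr().String(), cli); err == nil { defer conn.Close() }
	return <-verdict == nil
}
```

The verdict is taken from the server side because under TLS 1.3 the client's own handshake call can return before the server has checked the client certificate; the rejection then surfaces as an alert on the next read.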
Def#3:
Mutual authentication is when two parties both require proofs of
identity before conducting business. In an e-Commerce transaction, for
example, both the client browser and the web site would prove identity
to the other party when the browser connects.
In the current secure Internet environment, using SSL, it’s common
for only the web server to present a certificate that binds its
identity to the conversation. When everything works properly, this is
handled between the browser and the server, transparent to the browser
user. When there are problems, naive users may go past error messages
and work in an insecure web environment. Mutual authentication would
provide more controls, including authentication of the browser client
to the server.
Mutual authentication not only prevents hijacking and
man-in-the-middle attacks but may also defeat phishing attempts
and other forms of Internet fraud.