Other Security Mitigations and Tips

Mutual authentication

This involves the service provider authenticating itself to the client by presenting information known only to the service provider and the client at the time of the transaction. The purpose is to mitigate the risk of phishing: a fraudulent website would not have access to that information, so its absence alerts the client that the site is not genuine. There are many variants on this theme, but each should display information to the client that only the service provider and the client would know. Examples include:

  • the last transaction date and time;
  • a pre-determined shared secret;
  • displaying a pre-selected graphic; or
  • displaying the full name and address of the client as a greeting.
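As an added example (not code from this page), the following Python sketch shows a two-stage login built on this idea: the server reveals the client's pre-selected phrase, image identifier and last transaction time only after the client identifies itself with a username and an enrolment-time device token, and the client enters its password only after checking that display. All account data, the salt and the device token are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample account store (not real data). The phrase and image are
# chosen by the client at enrolment; the device token is set on the client's
# browser at enrolment so the personalised page is shown only to a known device.
SALT = b"constructed-salt"

def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

ACCOUNTS = {
    "alice": {
        "shared_phrase": "blue teapot on a red table",
        "image_id": "img-0417",
        "last_txn": "2007-03-12 14:05",
        "password_hash": hash_password("correct horse"),
        "device_tokens": {"tok-alice-laptop"},
    },
}

def server_identify(username: str, device_token: str):
    """Stage 1 (server): reveal the personalised information only when both
    the username and the device token match; otherwise show nothing specific."""
    acct = ACCOUNTS.get(username)
    if acct is None or device_token not in acct["device_tokens"]:
        return None
    return {"phrase": acct["shared_phrase"], "image_id": acct["image_id"],
            "last_txn": acct["last_txn"]}

def client_checks_display(displayed, expected_phrase: str, expected_image: str) -> bool:
    """Stage 2 (client): compare what the site shows with what was chosen at
    enrolment. A site that cannot show the secret has not authenticated itself."""
    return (displayed is not None
            and displayed["phrase"] == expected_phrase
            and displayed["image_id"] == expected_image)

def server_authenticate(username: str, password: str) -> bool:
    """Stage 3 (server): ordinary password check with a constant-time compare."""
    acct = ACCOUNTS.get(username)
    return acct is not None and hmac.compare_digest(
        acct["password_hash"], hash_password(password))

def login_flow(identify, username, device_token, password, expected_phrase, expected_image):
    """Run the flow against a site's stage-1 handler `identify`; the password is
    sent only if the site first proves it knows the client's secrets."""
    if not client_checks_display(identify(username, device_token), expected_phrase, expected_image):
        return "aborted: site did not show my pre-selected phrase and image"
    return "logged in" if server_authenticate(username, password) else "password rejected"
```

Passing a stage-1 handler that has no account store (and so can only return a generic page) makes the client abort before any password is sent, which is the behaviour the mitigation relies on.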

A server certificate also lets the client's browser validate the hosting server before the client logs on to the service provider's website. An additional benefit of using a server certificate during user authentication is the encryption it provides, which protects the user's credentials from interception in transit.

 2007 | Important Notices 