Raise your ROI with Two-factor Authentication. But What Option?

By Chinqin
Two-factor authentication has been a hot topic at InfoSecurity, RSA Conference, CeBIT and similar events over the past several years. Before that, a password seemed sufficient as the only means of authentication, as long as it was long and complex enough. However, to lower the chance of compromise, more and more requirements are imposed when accessing sensitive systems and data: monthly changes, upper- and lowercase letters, numbers, special characters, even foreign characters. Unfortunately, most users are bad at selecting and memorizing a good secure password. How can access control be innovated and improved? Information security vendors such as Feitian Technologies Co., Ltd. offer network security solutions that both enhance security and add convenience by letting users keep a short, easy-to-remember password. These solutions are PKI- and/or OTP-based two-factor authentication.

What is Two-factor Authentication?
Two-factor authentication relies on the following items:
1. Something you have, such as a smart card, USB token or OTP token
2. Something you know, such as a password or personal identification number (PIN), which grants the user the right to use the smart card, USB token or OTP token application

PKI: PKI stands for Public-Key Infrastructure and is a framework that provides security services to an organization using public-key cryptography. These services are generally implemented across a networked environment, work in conjunction with client-side software, and can be customized by the organization implementing them. An added bonus is that all security services are provided transparently - users do not need to know about public keys, private keys, certificates, or Certification Authorities in order to take advantage of the services provided by a PKI. (From Entrust)

OTP: OTP stands for One-Time Password, a technique to make it more difficult to gain unauthorized access to restricted resources, like a computer account. Traditional static passwords can more easily be accessed by an unauthorized intruder given enough attempts and time. By constantly altering the password, as is done with a one-time password, this risk can be greatly reduced. (From Wikipedia)

To help readers better understand two-factor authentication, I use three products from Feitian Technologies Co., Ltd. here, ePass2000 (a PKI-based USB token), FTSmart, and ePass OTP, to explain their respective usage for online banking. In addition, the web security of the online banking described here adheres to the industry-standard measures, including:
- Secured online sessions, indicated by a URL beginning with https:// or a padlock symbol in the lower right-hand corner of your browser
- 128-bit SSL (Secure Sockets Layer) encryption
- Session time-outs, which automatically log you off your online banking session after a period of inactivity

Part I: ePass2000 PKI-based USB Token

ePass2000 is a USB token, compact and portable, designed for authentication, verification and information encryption services. It supports e-mail encryption, digital signing and SSL using Internet Explorer, Outlook, Outlook Express, Netscape Communicator or any software product based on the MS CAPI or PKCS#11 standards. In addition, ePass2000 is remarkably versatile, and Feitian's SDK may be used to create many other user-defined applications.

1. Each user of online banking is assigned an ePass2000 together with an initial PIN by the bank
2. Each ePass2000 has a globally unique serial number; this is important, as the token can only be used by the designated user
3. Users sign on to the bank's online service and go to the activation page to activate and register the ePass2000 before the expiry date, then download the digital certificate into the ePass2000 using the initial PIN (during the certificate download, the ePass2000 generates the public and private key pair itself)
4. Once registered, users are required to keep the ePass2000 inserted in the computer in order to submit digital signatures and continue processing financial transactions (internal transfers, wire transfers, bill payments and account openings) and accessing cash management services (online investing and trade services)
5. Users who sign on to the bank's online service without the ePass2000 are restricted to view-only account access

ePass2000 uses smart card technology to enable the generation of public keys and private keys in the hardware. Private keys are never exposed to the PC environment.
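As an added illustration of steps 3 to 5 above (not Feitian's code or any bank's), here is a minimal Go model of what the bank side verifies: the token generates its own key pair and only ever signs, the bank stores nothing but the public key under the token's serial number, and a request without a valid signature is limited to view-only access. ECDSA P-256, the serial number and the transaction text are constructed assumptions; the page does not say which algorithm the real token uses.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Token models the ePass2000 side: the key pair is generated on the device (step 3)
// and the private key is reachable only through Sign. ECDSA P-256 is an assumption.
type Token struct {
	Pub  *ecdsa.PublicKey
	priv *ecdsa.PrivateKey
}

func NewToken() (*Token, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Token{Pub: &k.PublicKey, priv: k}, nil
}

// Sign produces the signature the browser submits with a transaction request.
func (t *Token) Sign(txn []byte) ([]byte, error) {
	h := sha256.Sum256(txn)
	return ecdsa.SignASN1(rand.Reader, t.priv, h[:])
}

type Bank map[string]*ecdsa.PublicKey

// Authorize applies steps 4 and 5 with the bank holding only public keys keyed by
// serial: a verifying signature unlocks transactions; anything else is view-only.
func (b Bank) Authorize(serial string, txn, sig []byte) string {
	h := sha256.Sum256(txn)
	if pub, ok := b[serial]; !ok || len(sig) == 0 || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return "view-only"
	}
	return "transact"
}

func main() {
	tok, _ := NewToken()
	bank := Bank{"SN-0001": tok.Pub}             // constructed serial number
	txn := []byte("wire 100.00 to account 42") // constructed transaction
	sig, _ := tok.Sign(txn)
	fmt.Println(bank.Authorize("SN-0001", txn, sig), bank.Authorize("SN-0001", txn, nil))
}
```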

Part II: FTSmart All-in-one Solution

The way FTSmart is used for online banking two-factor authentication is similar to ePass2000; only the interface and the cost differ. So what does All-in-one mean? A smart card can carry a magnetic stripe and contactless capability, and can be used through the USB port with a card reader. A smart card can also be designed as an electronic purse to meet the demands of public utilities such as transportation, gas, water and electricity, in addition to the traditional bank card function.

Notice: a USB token can also have contactless capability or biometric support and, further, can include gigabytes of flash memory for storing documents and files.

Part III: ePass OTP Token

ePass OTP Token is a chip-based authentication token offering total mobility with maximum flexibility. ePass OTP Token is the core component of Feitian Technologies' ePass OTP Authentication System, the two-factor authentication for VPN, LAN and strong Web access control. (From Feitian Technologies Co., Ltd.)

1. Each user of online banking is assigned an ePass OTP by the bank
2. Each ePass OTP package is labeled with a globally unique serial number; this is important, as the token can only be used by the designated user
3. Users sign on to the bank's online service and go to the registration page to register before the expiry date
4. Once registered, users are required to enter the password generated by the ePass OTP (press the button on the ePass OTP and the code is displayed) in addition to the user ID and static PIN each time they sign on to the secure online session, in order to continue processing financial transactions (internal transfers, wire transfers, bill payments and account openings) and accessing cash management services (online investing and trade services)
5. Users who sign on to the bank's online service without the ePass OTP password are restricted to view-only account access
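As an added example (not Feitian's code; the page does not say which algorithm the ePass OTP uses, so RFC 4226 HOTP is assumed as a stand-in), here is the bank-side check from step 4 in Go: the static PIN and the token code are both required, a look-ahead window tolerates button presses that were never used, and the counter moves past any accepted code so a captured code cannot be replayed; a failed check drops to the view-only access of step 5. The secret and PIN are constructed values (the secret is the RFC 4226 test-vector key).

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// hotp: a 6-digit RFC 4226 event-based code, assumed here as a stand-in for the ePass OTP algorithm.
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// Enrollment is the bank-side record created at registration (step 3), one per serial.
type Enrollment struct {
	Secret  []byte
	PIN     string
	Counter uint64 // next counter value the bank expects from the token
}

const Window = 10 // unused button presses tolerated before a code is refused

// SignOn applies steps 4 and 5: the static PIN and a fresh token code are both needed;
// a match moves the counter past the code so a captured code cannot be replayed.
func (e *Enrollment) SignOn(pin, code string) string {
	if subtle.ConstantTimeCompare([]byte(pin), []byte(e.PIN)) != 1 {
		return "view-only"
	}
	for i := uint64(0); i < Window; i++ {
		if subtle.ConstantTimeCompare([]byte(hotp(e.Secret, e.Counter+i)), []byte(code)) == 1 {
			e.Counter += i + 1
			return "transact"
		}
	}
	return "view-only"
}

func main() {
	e := &Enrollment{Secret: []byte("12345678901234567890"), PIN: "1234"} // constructed
	fmt.Println(e.SignOn("1234", hotp(e.Secret, 0)), e.SignOn("1234", hotp(e.Secret, 0)))
}
```

The second call in main prints view-only because the first one already consumed counter 0.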

I think the ePass OTP solution is helpful to minimize the risk of phishing, Trojans, shoulder surfing and other common types of online fraud.

Of course, two-factor authentication is also necessary for MNCs (multinational corporations), governments, e-business and so on, whose systems demand higher security. To raise ROI, can a two-factor authentication solution satisfy you and your customers? And what kind of solution is better? Or is multi-factor authentication what you desire? Present your queries; the answers may be coming soon in my next article.
