Strong Authentication for Financial Services: PTDs as a Compromise between Security and Usability

Currently the most popular attacks to the E-Banking Web applications target the authentication systems relying on the single-side client authentication, showing their definitively ineffectiveness for financial services. Furthermore, most of the Web authentication systems have been developed on the classic username/password mechanism or One time Password systems using a single channel, either mobile or Web, generating an authentication system at inadequate level, enforcing a false perception of security, as phishing shows. The two factors authentication is not the panacea, but mitigates many threats, especially when combined with a Personal Trusted Device, as the popular smartphones represent. As a rule of thumb, the adoption of authentication systems to provide services B2C is driven by its ease-to-use more than the robustness of the adopted security system. For this reason, the proposed solution represents a system which tries to preserve the usability and to strengthen the authentication, with a combined Web/ mobile authentication system.