Mutual Authentication: Prevents Phishing Attacks?

One of my credit card companies just implemented Mutual Authentication for their web site. I think this is a fantastic idea since it can help to protect users from phishing attacks. The hard part will be training users to not enter their credentials unless they see the tokens they selected.

Continue reading to see how Juniper implemented Mutual Authentication.

After Juniper implemented this new feature I logged in and had to select an image and a phrase:

Now every time I login, after I enter my username, I should see the image and phrase I selected:

I really like the concept of this. But I think it could be implemented in such a way that users wouldn’t have to understand the concept of Mutual Authentication and why they shouldn’t enter their password if they don’t see the image/phrase they selected. What if the password was a combination of a strong, user-selected token, and something the user has to identify from an image they selected, that only they would know. For instance if the image I selected was a map of the United States and the website asked me to enter my password, plus, select on the map where I got married, then phishing is more difficult. To make this work there would have to be a few different picture question options that I selected when I first setup the mutual authentication. Other ideas for picture question passwords:
“Circle your brother in the picture above”
“Pick your favorite color in the picture above”
“Select your favorite flower in the picture above”
“Select the style of car you drive in the picture above”

What do you think? Would this sort of thing help prevent phishing attacks?

  • It is an excellent idea !!! … yahoo has implemented something similar for their services and I find it to be a really cool feature

  • Interesting idea, but I don’t think so, as there is no cryptographic basis for assuring that the image is actually being presented by a man-in-the-middle.

  • James Ward

    Hi Nick,

    Can’t that same statement apply to the current way that mutual authentication is implemented on my credit card’s site? Can you think of any way to provide that cryptographic basis? Thanks.

  • YOO

    very interesting , indeed

  • Pingback: People Over Process » Blog Archive » Security questions and cheese-o 3+ “factor” authentication()

  • I agree that the operation of the program needs to be user friendly. At least, in that it has to be seamless for the user.