Mutual authentication, also called two-way authentication, is a process or technology in which both entities in a communications link authenticate each other. In a network environment, the client authenticates the server and vice-versa. In this way, network users can be assured that they are doing business exclusively with legitimate entities and servers can be certain that all would-be users are attempting to gain access for legitimate purposes. Mutual authentication is gaining acceptance as a tool that can minimize the risk of online fraud in e-commerce.
With mutual authentication, a connection can occur only when the client trusts the server's digital certificate and the server trusts the client's certificate. The exchange of certificates is carried out by means of the Transport Layer Security (TLS) protocol. If the client's keystore contains more than one certificate, the certificate with the latest timestamp is used to authenticate the client to the server. This process reduces the risk that an unsuspecting network user will inadvertently reveal security information to a malicious or insecure Web site.
Fraudulent e-mail messages may still appear in a user's inbox but even if the user clicks on a dubious link, mechanisms will prevent data input to the resulting Web page. Similarly, an Internet user cannot disclose authentication credentials to untrusted Web sites visited during the course of casual Internet surfing, even if a conscious attempt is made to do so. Some mutual authentication solutions split transmitted and received data into multiple channels, complicating the task of a malicious hacker. Once a site has been identified as hostile, the user's computer can be blocked from visiting it or using its features thereafter.
To illustrate, suppose an unsuspecting online bank customer or retail consumer is directed to a Web site created for the purpose of phishing. In that situation, mechanisms will prevent the input of critical data such as PINs (personal identification numbers), passwords or Social Security numbers unless a trusted connection has been established to the satisfaction of both the user's computer and the network server. A well-designed mutual authentication solution also protects against other forms of online fraud such as man in the middle attacks, shoulder surfing, Trojan horses, keyloggers and pharming.
Mutual authentication should not be confused with two-factor authentication, a security process in which the client provides two means of identification to the server, such as a physical token and a password. For optimum security, mutual authentication can be used in conjunction with this and other countermeasures such as firewalls, antivirus software and anti-spyware programs.