Definition

mutual authentication

Mutual authentication, also called two-way authentication, is a process or technology in which both entities in a communications link authenticate each other. In a network environment, the client authenticates the server and vice versa. In this way, network users can be assured that they are doing business exclusively with legitimate entities, and servers can be certain that all would-be users are attempting to gain access for legitimate purposes. Mutual authentication is gaining acceptance as a tool that can minimize the risk of online fraud in e-commerce.

With mutual authentication, a connection can occur only when the client trusts the server's digital certificate and the server trusts the client's certificate. The exchange of certificates is carried out by means of the Transport Layer Security (TLS) protocol. If the client's keystore contains more than one certificate, the certificate with the latest timestamp is used to authenticate the client to the server. This process reduces the risk that an unsuspecting network user will inadvertently reveal security information to a malicious or insecure Web site.

Fraudulent e-mail messages may still appear in a user's inbox, but even if the user clicks on a dubious link, mechanisms will prevent data input to the resulting Web page. Similarly, an Internet user cannot disclose authentication credentials to untrusted Web sites visited during the course of casual Internet surfing, even if a conscious attempt is made to do so. Some mutual authentication solutions split transmitted and received data into multiple channels, complicating the task of a malicious hacker. Once a site has been identified as hostile, the user's computer can be blocked from visiting it or using its features thereafter.

To illustrate, suppose an unsuspecting online bank customer or retail consumer is directed to a Web site created for the purpose of phishing. In that situation, mechanisms will prevent the input of critical data such as PINs (personal identification numbers), passwords or Social Security numbers unless a trusted connection has been established to the satisfaction of both the user's computer and the network server. A well-designed mutual authentication solution also protects against other forms of online fraud such as man-in-the-middle attacks, shoulder surfing, Trojan horses, keyloggers and pharming.
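The two trust decisions described above, as an added Go illustration that is not part of the original definition: it models the certificate checks each side of a mutual TLS handshake performs (chain to a shared CA, correct role, and, for the server, the expected host name) using X.509 verification directly rather than opening a network connection. The CA, the names "demo-ca", "bank.example" and "alice", and the functions issue, trusts and mutual are all constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue mints a short-lived Ed25519 certificate for name with extended key usage eku,
// signed by ca (self-signed root when ca is nil). Constructed in-memory PKI, not a real CA.
func issue(name string, eku x509.ExtKeyUsage, ca *x509.Certificate, caKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku}}
	if ca == nil { // make this a root that is allowed to sign other certificates
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		ca, caKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// trusts is the check one end runs on the other's certificate: it must chain to the
// shared CA, be valid now, carry the role's extended key usage and, for a server,
// be issued for the host name the client set out to reach.
func trusts(ca, peer *x509.Certificate, role x509.ExtKeyUsage, host string) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := peer.Verify(x509.VerifyOptions{Roots: pool, DNSName: host, KeyUsages: []x509.ExtKeyUsage{role}})
	return err
}

// mutual reproduces the two-way decision: the connection proceeds only when the
// client trusts the server's certificate AND the server trusts the client's.
func mutual(ca, server, client *x509.Certificate, host string) error {
	if err := trusts(ca, server, x509.ExtKeyUsageServerAuth, host); err != nil {
		return fmt.Errorf("client rejects server: %w", err)
	}
	if err := trusts(ca, client, x509.ExtKeyUsageClientAuth, ""); err != nil {
		return fmt.Errorf("server rejects client: %w", err)
	}
	return nil
}
```

With a CA-issued server certificate for "bank.example" and a CA-issued client certificate, mutual returns nil; a self-signed look-alike of the bank, a certificate for the wrong host name, or a client certificate the CA never issued each make it return an error naming the side that refused.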

Mutual authentication should not be confused with two-factor authentication, a security process in which the client provides two means of identification to the server, such as a physical token and a password. For optimum security, mutual authentication can be used in conjunction with this and other countermeasures such as firewalls, antivirus software and anti-spyware programs.

This was last updated in January 2008
Posted by: Margaret Rouse
