Submission - Joint submission to the 2007 Review of the Electronic Funds Transfer (EFT) Code of Conduct to ASIC (May 2007)

Tricerion Strong Mutual Authentication

Tricerion’s Strong Mutual Authentication (SMA) Server technology provides an example of how keypad technology can be used to achieve website authentication. SMA is a server-based solution in which organisations install an SMA server behind their firewall alongside their existing web application servers. The SMA server incorporates innovations that provide security against phishing attacks.[46]

One of these innovations is keypad personalisation. This works in the following fashion:

  • The user is prompted to enter an account / user name; and
  • The application server passes the account name to the Tricerion SMA server. The SMA server then generates an image map in the form of a personalised keypad for the specific user. The keypad is presented on the user’s screen. The user enters their password by use of the keypad (they cannot enter their password directly using a keyboard – they must use the keypad – avoiding the danger of keystroke loggers being used to intercept the password). The positions of the various characters on the keypad are randomly varied each time the user attempts to log-in.

Authentication of the website to the user is possible because the SMA server stores personalised keypad data for each user. This personalised data allows each user to specify display properties their keypad should exhibit, including background colour, border design, fonts and font size. A fraudulent party does not have access to this personalised data and so even if they try and emulate the keypad display, it is unlikely they will be able to create a keypad that adheres to each user’s individual display preferences. If the keypad displayed to the user varies in appearance from the one they expect to see, they are immediately alerted to the possibility the website they are visiting is spoofed.

SMA supports the use of passwords consisting of either alphanumeric characters or pictures. Users can accordingly define an individual set of symbols (characters or pictures) that is to be displayed to them each time they attempt to log in. Only a subset of these symbols will actually form the user’s password, and the positions of the various symbols will vary at each log in attempt. Thus, if a spoofed website uses a keypad to display symbols that the user does not expect to see, they are again alerted to the possibility that they are being subjected to a phishing attack. Additionally, it is quite likely that the subset of symbols displayed on a spoofed keypad to the user will not contain all the symbols that are part of the user’s password, making it impossible for the user to disclose their password to a fraudulent party.

An example of a personalised keypad that may be presented to an end-user

Tricerion’s implementation of keypad technology is based on another innovation known as triangulation. Triangulation describes a communication paradigm which provides additional resistance to man-in-the-middle attacks. Triangulation works by moving from traditional models of communication between the user and the online service to a trialogue in which communication occurs between the user, online service and a third party server. Communications are thus segmented into multiple, discrete channels so that even if a fraudulent party is able to intercept data transmitted along two of the three channels, they will not be able to make use of it unless they can also compromise the third channel.

[46] Tricerion, Account Hijacking Prevention with the Tricerion Strong Mutual Authentication (SMA) Server, 2005, <>.