Two Party Authentication
Our project solves the problem of authenticating services for small businesses. Is that really PG&E or Bank of America who called your business to offer a new deal?
- Caleb Fenton (Research Lead, SentinelOne)--This is a problem worthy of solving. It seems like the solution would take the form of a best practice adopted by companies. If they need to call you, then they could set up some solution there, perhaps using a passphrase like you recommend, but it would be decentralized. And if they never need to call you, they should communicate that also. I like the idea of using an image that can be described over the phone.
- Brian Koref (Senior Director Information Security, Sage Intacct, Inc.)--You've done a great job representing a real problem in society. The challenge will be to change behavior and (more importantly) to change legislation to mandate corporations include a placeholder in the account to facilitate reverse authentication. Trust is key. Great job raising awareness.
- Steve Trush (Deputy Director of Citizen Clinic, at Center for Long-Term Cybersecurity)--This is a very difficult project to solve and one that needs better solutions across multiple industries and more awareness / education. I would want you to explore using potential other ways of authenticating such as using a secret based on a device (generating random numbers) vs using two forms of "things you know". There are many approaches to addressing this issue that people are working on - training/education, machine learning/voice recognition, and handshakes using OTPs. This is a good dive into preventing these types of scams and would add an additional layer of protection. However, it does still leave potential for social engineering when a scammer is pressuring a consumer or business to provide info in case of emergencies.