Mutual authentication

From Infogalactic: the planetary knowledge core
Jump to: navigation, search

Mutual authentication or two-way authentication (sometimes written as 2WAY authentication) refers to two parties authenticating each other at the same time. In technology terms, it refers to a client or user authenticating themselves to a server and that server authenticating itself to the user in such a way that both parties are assured of the others' identity. When describing online authentication processes, mutual authentication is often referred to as website-to-user authentication, or site-to-user authentication. Typically, this is done for a client process and a server process without user interaction.

Mutual SSL provides the same things as SSL, with the addition of authentication and non-repudiation of the client authentication, using digital signatures. When mutual authentication is used the server would request the client to provide a certificate in addition to the server certificate issued to the client. Mutual authentication requires an extra round trip time for client certificate exchange.[citation needed] In addition the client must buy and maintain a digital certificate. Due to these issues with complexity, cost, logistics, and effectiveness, most web applications are designed so they do not require client-side certificates.

Mutual authentication is typically used only when extra level of security is needed, especially in financial transactions between organizations. As the Financial Services Technology Consortium put it in its January 2005 report, "Better institution-to-customer authentication would prevent attackers from successfully impersonating financial institutions to steal customers' account credentials; and better customer-to-institution authentication would prevent attackers from successfully impersonating customers to financial institutions in order to perpetrate fraud."

See also


External links