Technology keeps improving, and business corporations, consumers, marketers and governments are increasingly using it and depending on it. As all these kinds of users have moved to this technology, their transactions go through it, and especially through e-mail, which they use to communicate with each other. E-mail is not the only channel: there are many other ways to transfer information or get things done through this technology. Even with this huge move, it is still not safe to use without some kind of protection and security, such as authentication, to recognize whether messages, transfers or requests come from the right and trusted parties. Electronic authentication has therefore emerged as the best way to make sure that the parties in this process are legitimate and trusted.
Authentication relies on a piece of information used to verify and identify a person’s identity, in person or as part of a procedure, for security and safety purposes and with respect to individually granted access rights. It means establishing or proving that something (or someone) is authentic, and that claims made by or about the subject are true. This can involve proving the identity of a person, tracing the source of a work of art, making sure that packaging and labelling belong to a product, or ensuring that a computer program can be trusted.
It is the process of determining whether someone or something is, in fact, who or what it is stated to be. In public and private computer networks (including the Internet), electronic authentication is usually done through a password login. Knowledge of the password is assumed to guarantee that the user is authorized. Every user first registers, using an assigned or self-declared password. On each subsequent use, the user must know and use the previously declared password. The weak point of this scheme for important communications (such as money transfers) is that passwords can frequently be captured, accidentally discovered, or forgotten.
For this reason, online business and many other kinds of communication require a stricter electronic authentication procedure. The use of digital certificates issued and verified by a Certificate Authority (CA) as part of a public key infrastructure is considered likely to become the standard way to perform electronic authentication on the Internet. E-mail and SMS authentication are also ways to secure those transactions.
What is E-Mail Authentication?
E-mail authentication is a way to equip messages in the e-mail transport system with enough verifiable information that recipients can recognize the nature of each incoming message automatically. There are four key players in e-mail: first, the authors or originators of the e-mail; second, the sender, the agent who first puts the e-mail on the public Internet; third, the receiver, the agent who receives the e-mail from the Internet; and last but not least, the recipients, the persons intended to read the e-mail.
The Transmission Control Protocol (TCP) and the IP address registries ensure that the sender’s IP address is automatically verified by the receiver. There is, however, no verification of the author and sender information that ends up in the relevant headers. It is therefore very easy for a spammer to create a copy of an e-mail from example.com, including a long, complex sequence of headers and an authentic logo in the body, and then change the content to send readers to a website that appears genuine but is actually a phishing scam designed to collect names, passwords and credit card numbers.
IP addresses found within the headers cannot be used to identify the source of a fake e-mail. Moreover, besides fake headers being used to throw off identification attempts, it is very common for the genuine headers within the e-mail to reference a system insulated from the faker.
E-mail “authentication” greatly simplifies and automates the process of identifying senders. Once it has been verified that a declared domain name has been authenticated or has authorized the sending Mail Transfer Agent (MTA), it becomes easier to catch and reject fakes and to block e-mail from spamming domains. It also becomes possible to “white-list” e-mail from trustworthy domains and bypass content-based filtering, which always loses some important e-mails in the flood of spam.
Some ISPs have been quite successful with the method above, but other ISPs don’t really care to do so. Spam makes up over 88% of all e-mail traffic, and this is caused by ISPs that do not take responsibility for making a move or taking further steps.
Sender Policy Framework (SPF) and SenderID only authorize the IP address of the outbound MTA. When the outbound MTA is shared with other domains, it is uncertain whether the PRA associated with the SPF record was intended, and thereby secured, which is why sensitive domains should take additional safety measures. While rejecting mail from an outbound MTA that a strict SPF record does not authorize can block much of the fakery now common, it is never safe to assume that an authorized MTA represents a form of authentication.
SPF and SenderID work by having the domain publish what might be a large list of IP addresses of the MTAs it authorizes to carry its e-mail. This works as a form of path registration, but it does not scale well, since it also mixes IPv4 and IPv6 addresses. Every incoming e-mail arrives from an IP address that is very difficult to fake, and the e-mail headers contain many domain names, several of them taken from commands issued by the sender’s SMTP server. The methods differ in which of these names they use as the sender’s domain name. Most of them can be faked, but there is one thing that cannot be faked: a domain name held by a DNS server for that section of the Internet.
The easiest and most commonly installed authentication scheme begins with a reverse DNS lookup of the connecting IP address. If there is no answer, it is a safe bet that the address is not a legitimate sender. If there is an answer, a forward DNS lookup of that answer validates the sender if it returns the connecting IP address. In other words, the receiver looks up the name of the connecting IP address, then looks up the IP address of that name, and the two must match.
SMTP, or Simple Mail Transfer Protocol, is still a protocol designed to move e-mail from server to server on the basis of trust. Anyone submitting a message can claim to be anyone else, with little or no liability.
There are some extra details concerning e-mail forwarders. Forwarders perform a useful service in allowing you to have one simple, stable address even if you change jobs or ISPs. List servers serve a similar purpose, forwarding e-mail to many receivers on behalf of one sender. Forwarders cause no problem for an end-to-end validation method as long as the signed message is not modified.
SPF doesn’t work directly behind the border of the receiver, and neither does SenderID, so both have a similar limitation here. With SPF, forwarders to third parties can rewrite the Return-Path (MAIL FROM), in a way comparable to mailing lists.
For SenderID, forwarders to third parties and mailing lists are asked to add an additional Sender: or Resent-Sender: header. The former is already the case for many mailing lists, but other forwarders avoid anything that modifies the mail beyond the compulsory Received timestamp line.
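The reverse-then-forward lookup described above, as an added example that is not part of the original page. The resolver functions are injectable so the check can be run offline; the PTR and A data in the demo are constructed, and the default resolvers use Python's standard `socket` module.

```python
import ipaddress
import socket

def _ptr_lookup(ip):
    """Reverse (PTR) lookup; returns a list of names, empty if none."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except (socket.herror, socket.gaierror):
        return []
    return [name] + list(aliases)

def _addr_lookup(name):
    """Forward (A/AAAA) lookup; returns a list of address strings."""
    try:
        infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return [info[4][0] for info in infos]

def fcrdns(ip, ptr_lookup=_ptr_lookup, addr_lookup=_addr_lookup):
    """Return (verdict, name); verdict is 'pass', 'no-ptr' or 'mismatch'."""
    client = ipaddress.ip_address(ip)
    names = ptr_lookup(ip)
    if not names:
        return ("no-ptr", None)            # no answer to the reverse lookup
    for name in names:
        for addr in addr_lookup(name):
            try:
                if ipaddress.ip_address(addr) == client:
                    return ("pass", name.rstrip(".").lower())
            except ValueError:
                continue                   # e.g. scoped IPv6 literal
    return ("mismatch", None)              # the name does not point back

# Constructed zone data: 192.0.2.66 has a PTR that *claims* the mail host's
# name, but the forward zone for example.com only lists 192.0.2.10.
PTR = {"192.0.2.10": ["mail.example.com."], "192.0.2.66": ["mail.example.com."]}
FWD = {"mail.example.com.": ["192.0.2.10"]}

def demo():
    ips = ("192.0.2.10", "192.0.2.66", "198.51.100.7")
    return {ip: fcrdns(ip, lambda i: PTR.get(i, []), lambda n: FWD.get(n, []))
            for ip in ips}
```

The second address shows why the forward step matters: whoever controls the reverse zone for an address can put any name in its PTR record, but cannot make the named domain's own DNS point back.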
What is SMS Authentication?
Nowadays it is a big issue for online companies to accurately identify the customer who is using their services. Online fraud has been growing over the years to alarming levels. There are several ways to improve the security of online transactions, but sometimes a single measure can be implemented that reduces the risk of a transaction.
Electronic mail is one of the main means of communication among Internet users. However, spam has harmed the value of electronic mail with unwanted commercial information, and so have virus mails carrying malicious code and various forms of worthless information. Hence it is essential to develop a method to block spam. A method now under development lets an e-mail sender receive P&C information via SMS (Short Message Service) and create the private key/public key pair used in the Domain Key method; connected with the existing Pretty Good Privacy (PGP) method, the message is encrypted/decrypted and tied to the real e-mail sender. Furthermore, because this method validates the sender as part of mail transmission, it can prevent spam and make it hard to fake e-mails.
SMS validation is as simple as sending an SMS message to the mobile phone of the customer who is obtaining products. The customer has to enter the code received in this message to process the payment. It is very easy to do: requiring a valid mobile phone number decreases the amount of fraud and also provides an alternative way to reduce the possibility of chargeback claims, for the following reasons:
- The cell phone number is linked to a unique person who made the contract with a carrier.
- The country and area code can be matched against the delivery information provided by the customer, and a mismatch can hint at possible fraud.
- You could call the number (if call costs are not an issue, as with local calls) and talk directly with the customer.
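The SMS code step and the country-match check from the list above, as an added example that is not part of the original page. The class and function names, the six-digit code length, the five-minute lifetime, the three-attempt limit and the small calling-code table are all assumptions made for illustration; handing the text to an SMS gateway is left out.

```python
import hmac
import secrets
import time

# Constructed subset of country calling codes (a real table is far larger).
CALLING_CODES = {"+1": "US", "+44": "GB", "+60": "MY"}

def phone_country(phone):
    """Map a +<country code> number to a country by longest matching prefix."""
    for length in (4, 3, 2):
        country = CALLING_CODES.get(phone[:length])
        if country:
            return country
    return None

def fraud_hint(phone, delivery_country):
    """True when the phone's country differs from the delivery country."""
    return phone_country(phone) != delivery_country

class SmsChallenge:
    """One payment challenge: a random code, short-lived and attempt-limited."""

    def __init__(self, phone, ttl=300, max_attempts=3, clock=time.time):
        self.phone = phone
        self._clock = clock
        self._expires = clock() + ttl
        self._attempts_left = max_attempts
        # secrets, not random: the code must not be predictable.
        self._code = f"{secrets.randbelow(10**6):06d}"

    def sms_text(self):
        """Message body to hand to the SMS gateway."""
        return f"Your payment code is {self._code}"

    def verify(self, entered):
        """Return 'ok', 'wrong', 'expired' or 'locked'."""
        if self._clock() > self._expires:
            return "expired"
        if self._attempts_left <= 0:
            return "locked"
        self._attempts_left -= 1           # limits guessing of the 6 digits
        if hmac.compare_digest(entered.encode(), self._code.encode()):
            self._attempts_left = 0        # a code is valid only once
            return "ok"
        return "wrong"
```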