What is Mutual Authentication?
You may have heard the term “mutual authentication” tossed around in reference to IT infrastructures or data security. You know you need mutual authentication, but do you know what it really is or what it does? If you don’t, no need to worry. We’ve broken mutual authentication down into an easy-to-understand overview.
In the data security world, authentication occurs when users must prove their identity to log onto a computer, network, or other secured area. There are several ways to do this, the most common being entering a user ID and password. Devices that share information with other devices must also verify one another through what is called mutual authentication. Mutual authentication is the process by which devices communicate with each other securely, guaranteeing the authenticity of the information being transmitted, preventing attackers from tampering with the data, and ensuring that data is not stolen or sent to an unauthorized device. There are a wide range of devices that require digital authentication, such as ATMs, laptop computers on corporate networks, government communication devices, retail point of sale terminals, and many more.
Similar to how a person might present a driver’s license to identify themselves, devices verify one another’s certificates to authenticate other devices. Digital certificates contain secured identifying information such as the name or address of the owner of the device. These certificates are issued by a trusted certificate authority, which must be compliant with regulatory standards and housed within secure, independently audited environments. Certificate authorities manage the entire certificate lifecycle: creating new certificates, monitoring certificate expiration dates, and certificate revocation. These certificates are used to form the basis of a secure Public Key Infrastructure (PKI), as they also contain asymmetric key pairs used for encrypting, decrypting, signing, and validating exchanged data.
Secured devices are required to have digital certificates, but owners of the devices can choose where and how they get their certifications. Companies can obtain and use their own certificate authority server to sign their own devices. This option is typically chosen by larger, enterprise-class companies, or manufacturers who produce secure devices.
Option two is to use a third party to sign devices. Smaller organizations that do not frequently need digital certificates may choose this option over the cost of purchasing their own certificate authority. The third choice is to request that the device be digitally signed by the manufacturer that built the device. By having the device be signed at the time of production, organizations do not have to delay the deployment of their device while they seek to obtain a certificate for it.
For more detailed information on how mutual authentication works, certificate authority servers, or the digital signing process, read our Certificate Authority Server case study, which details how Nautilus Hyosung, a global ATM manufacturer implemented our Certificate Authority Server to secure their entire cryptographic infrastructure.