What is Mutual Authentication?
You may have heard the term “mutual authentication” tossed around in reference to IT infrastructures or data security. You know you need mutual authentication, but do you know what it really is or what it does? If you don’t, no need to worry. We’ve broken mutual authentication down into an easy-to-understand overview.
If you’ve ever said to a friend, “Is this real? Pinch me,” you’ve asked them to authenticate an experience. The pinch sends a message (pain) to a receiver (you) confirming that the experience is real.
In the data security world, authentication occurs when a user must prove their identity to log onto a computer, network, or other secured resource. There are several ways to do this, the most common being entering a user ID and password. To confirm the authenticity of communication between devices, the devices must, in a sense, “pinch” each other in a process called mutual authentication.
Mutual authentication is the process by which two devices each prove their identity to the other before they exchange data, rather than only one side (typically the server) being authenticated. Once both identities have been verified, the devices can establish an encrypted channel that guarantees the authenticity of the information being transmitted, prevents attackers from tampering with the data, and ensures that data is not disclosed or sent to an unauthorized device.
Similar to how people might present driver’s licenses to identify themselves, devices verify one another’s identities using what’s called a digital certificate. A digital certificate binds identifying information, such as the name or address of the device owner, to the device’s public key, and carries the signature of its issuer. During the authentication exchange the device also proves that it holds the matching private key, so a copied certificate alone is not enough to impersonate it.
The certificates are issued by a trusted certificate authority (CA), which must be compliant with regulatory standards and housed within secure, independently audited environments. Certificate authority servers manage the entire certificate lifecycle: creating new certificates, monitoring certificate expiration dates, and revoking certificates that have been compromised or retired. Each device must trust the CA that issued its peer’s certificate; a certificate from any other issuer, however well-formed, is rejected.
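As an added, runnable illustration of the exchange described above (this is example code written for this page, not Futurex’s or any product’s code): a throwaway CA issues certificates to a server and a client, and a TLS handshake that requires client authentication is run over the loopback interface. The names (Example Device CA, atm-host.example, atm-0042), the one-hour validity period and the rogue-CA scenario are all assumptions made for the demo. Three cases show the rule at work: a client holding a certificate from the trusted CA is accepted and each side learns the other’s identity; a client that presents nothing is refused; and a client whose certificate carries the same name but was issued by a different CA is refused as well.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must(err error) { // demo only: any setup failure is fatal
	if err != nil {
		panic(err)
	}
}

// issue makes a P-256 key and a certificate for cn. A nil parent gives a self-signed root CA;
// otherwise parent/parentKey sign it, as a CA server signs a device's certificate.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (tls.Certificate, *x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour), // assumed demo lifetime
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: isCA}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else { // leaf: may act as TLS server or client, and carries the name the peer checks
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
		tmpl.DNSNames = []string{cn}
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	must(err)
	cert, _ := x509.ParseCertificate(der) // parsing our own freshly signed DER cannot fail
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, cert, key
}

// Outcome is what each side learned from one handshake; Err is set when either side refused.
type Outcome struct{ ServerSawClient, ClientSawServer string; Err error }

// mutualHandshake runs one TLS handshake over loopback TCP. The server demands a client
// certificate chaining to pool; the client verifies the server against the same pool and
// checks its name. An empty clientCerts means the client presents no certificate at all.
func mutualHandshake(pool *x509.CertPool, serverCert tls.Certificate, clientCerts []tls.Certificate) Outcome {
	serverCfg := &tls.Config{Certificates: []tls.Certificate{serverCert}, ClientCAs: pool,
		ClientAuth: tls.RequireAndVerifyClientCert, MinVersion: tls.VersionTLS12} // ClientAuth is the mutual part
	clientCfg := &tls.Config{RootCAs: pool, ServerName: "atm-host.example", Certificates: clientCerts, MinVersion: tls.VersionTLS12}
	ln, err := net.Listen("tcp", "127.0.0.1:0") // loopback only; nothing leaves the host
	must(err)
	defer ln.Close()
	done := make(chan Outcome, 1)
	go func() {
		raw, err := ln.Accept()
		if err == nil {
			defer raw.Close()
			raw.SetDeadline(time.Now().Add(5 * time.Second))
			srv := tls.Server(raw, serverCfg)
			if err = srv.Handshake(); err == nil {
				peer := srv.ConnectionState().PeerCertificates[0].Subject.CommonName
				_, err = srv.Write([]byte("hello " + peer)) // one record so the client learns the verdict
				done <- Outcome{ServerSawClient: peer, Err: err}
				return
			}
		}
		done <- Outcome{Err: fmt.Errorf("server: %w", err)}
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	must(err)
	defer raw.Close()
	raw.SetDeadline(time.Now().Add(5 * time.Second))
	cli := tls.Client(raw, clientCfg)
	out := Outcome{Err: cli.Handshake()}
	if out.Err == nil { // a TLS 1.3 client finishes before the server has judged its certificate,
		if _, out.Err = cli.Read(make([]byte, 64)); out.Err == nil { // so read one record for the verdict
			out.ClientSawServer = cli.ConnectionState().PeerCertificates[0].Subject.CommonName
		}
	}
	if srvOut := <-done; srvOut.Err != nil {
		out.Err = srvOut.Err // the server's verdict is the one that counts
	} else {
		out.ServerSawClient = srvOut.ServerSawClient
	}
	return out
}

// RunScenarios builds a throwaway PKI (one trusted CA, one rogue CA) and runs three handshakes.
func RunScenarios() map[string]Outcome {
	_, ca, caKey := issue("Example Device CA", true, nil, nil)
	server, _, _ := issue("atm-host.example", false, ca, caKey)
	client, _, _ := issue("atm-0042", false, ca, caKey)
	_, rogue, rogueKey := issue("Rogue CA", true, nil, nil)
	impostor, _, _ := issue("atm-0042", false, rogue, rogueKey) // same name, untrusted issuer
	pool := x509.NewCertPool()
	pool.AddCert(ca) // both sides trust exactly one issuer
	return map[string]Outcome{
		"trusted client":  mutualHandshake(pool, server, []tls.Certificate{client}),
		"no client cert":  mutualHandshake(pool, server, nil),
		"rogue CA client": mutualHandshake(pool, server, []tls.Certificate{impostor}),
	}
}

func main() {
	for name, o := range RunScenarios() {
		fmt.Printf("%-16s server saw %q, client saw %q, err: %v\n", name, o.ServerSawClient, o.ClientSawServer, o.Err)
	}
}
```

Run it with `go run`. The server-side `ClientAuth: tls.RequireAndVerifyClientCert` is the single setting that turns ordinary TLS into mutual authentication; without it the “no client cert” case would succeed and the server would never learn who connected. Note the TLS 1.3 wrinkle in the client path: the client’s handshake call returns before the server has judged its certificate, so a rejection only surfaces on the first read, which is why the demo exchanges one application record. The demo ignores revocation; a production CA also publishes revocation data that both sides must check, which this code does not do.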
Why does this matter?
Secured devices such as ATMs, hardware security modules, or point-of-sale terminals must have digital certificates. Fortunately, device owners have at least three options when choosing where and how they obtain those certificates.
- Companies can obtain and run their own certificate authority server to sign their own devices’ certificates. This option is typically chosen by larger enterprises, or by manufacturers who produce secure devices.
- Smaller organizations that need digital certificates infrequently may choose to use a third-party certificate authority rather than bear the cost of purchasing and operating their own.
- An organization might request that the device’s certificate be issued, and the device signed, during manufacturing. By having the device signed at the time of production, organizations do not have to delay deployment while they obtain a certificate for it.
For more detailed information on how mutual authentication, certificate authority servers, or the digital signing process work, check out our “Futurex-Hosted Certificate Authority Service” whitepaper, or read our case study, which details how global ATM manufacturer Nautilus Hyosung implemented our KMES Series to secure their entire cryptographic infrastructure.