Here’s another per-transaction authentication system, this one for electronic mail, by MessageLevel. Banks and other entities that do business online want to be able to send invoices and other auditable financial information via electronic mail. That’s difficult, partly because of phishing, which makes everyone distrust mail. MessageLevel offers a three-way handshake to deal with this problem.
In MessageLevel’s scheme, the sender sends a message; the recipient software asks the sender if they sent it; and the sender acknowledges that they did. Only then does the client software pass the message on to the recipient user.
There have long been recipient acknowledgement schemes in electronic mail; I seem to recall X.400 had one of those. What MessageLevel is doing goes beyond that two-way handshake to a three-way handshake that verifies the sender. And that’s the very thing that phishing has cast into doubt: who really sent the message? So with MessageLevel’s scheme the sender knows the recipient software got the message, and the recipient knows the sender really sent it.
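The handshake described above, sketched as an added example that is not MessageLevel's code or part of the original post: the sending system logs a digest of each outgoing message, and the recipient software releases a message to the user only after the sender confirms it. The digest scheme, class names, the address-to-sender directory and the addresses are assumptions made for illustration.

```python
import hashlib
import secrets

def digest(sender, recipient, body):
    """Fingerprint binding the envelope addresses to the message body."""
    h = hashlib.sha256()
    for part in (sender, recipient, body):
        data = part.encode()
        h.update(len(data).to_bytes(4, "big") + data)  # length-prefix each field
    return h.hexdigest()

class SenderSystem:
    """Hypothetical sending side: remembers what it really sent."""
    def __init__(self, address):
        self.address = address
        self.sent = {}          # message id -> digest of what was sent

    def send(self, recipient, body):          # step 1: the message goes out
        msg_id = secrets.token_hex(8)
        self.sent[msg_id] = digest(self.address, recipient, body)
        return {"id": msg_id, "from": self.address, "to": recipient, "body": body}

    def confirm(self, msg_id, claimed_digest):  # step 3: acknowledge or deny
        known = self.sent.get(msg_id)
        return known is not None and secrets.compare_digest(known, claimed_digest)

class RecipientSoftware:
    """Hypothetical receiving side: holds mail until the sender confirms it."""
    def __init__(self, directory):
        self.directory = directory   # claimed address -> that address's real system
        self.inbox = []

    def receive(self, msg):          # step 2: ask the claimed sender
        sender = self.directory.get(msg["from"])
        if sender is None:
            return False             # no participating sender to ask
        ok = sender.confirm(msg["id"], digest(msg["from"], msg["to"], msg["body"]))
        if ok:
            self.inbox.append(msg)   # only now does the user see it
        return ok

def demo():
    bank = SenderSystem("billing@bank.example")        # constructed addresses
    client = RecipientSoftware({bank.address: bank})
    genuine = bank.send("ap@customer.example", "Invoice 1001: 250.00 due")
    forged = {"id": secrets.token_hex(8), "from": bank.address,
              "to": "ap@customer.example", "body": "Invoice 1001: pay here"}
    altered = dict(genuine, body="Invoice 1001: 9250.00 due")
    return [client.receive(m) for m in (genuine, forged, altered)], len(client.inbox)
```

The forged message fails because the query goes to the system that really owns the claimed address, which has no record of it; the altered copy fails because its digest no longer matches what was logged at send time.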
This is neither a blacklist nor a whitelist. It is a per-transaction authentication mechanism that could be used with multiple senders and recipients, as long as they all had the appropriate software. Apparently MessageLevel has gotten their software into Sendmail, Blowfish, and other mail platforms.
I could spend some time poking at this scheme about Man in the Middle (MITM) attacks, but any existing mail that isn’t encrypted is susceptible to that, so that’s not really an issue for this scheme in particular. If MessageLevel’s stuff works as advertised, it should be quite useful for per-transaction authentication.
Getting people to use it is the biggest problem. But that can be done on a pairwise basis. It only takes two companies to agree to use it for it to be useful.
And there seems to be a hook in liability. Currently, if a company sends an invoice and it’s lost along the way, who is liable? The recipient, the sender, or maybe some intervening ISP? Especially if the ISP has over-zealous spam blocking software?
Nobody wants that kind of liability, except the parties actually involved in the financial transaction, i.e., the sender and recipient. So that may be enough to drive adoption.
It will be interesting to watch this three-way handshake spread.
-jsq