The Internet is a powerful, inexpensive and convenient channel for enterprises to allow its customers to perform transactions electronically. It is also one of the most challenging channels to secure and build trust between two parties. With evolution in the internet commerce, its adoption and its awareness, so have the various threats increased over time.
The most visible threat is the process of identity theft whereby, in an internet system the authentication credentials that identify a user are thieved by a fraudster. This process known as Phishing leads to the fraudster assuming the identity of a legitimate user with the internet system. Such identity thefts are typically successful when authentication of the internet system relies on a single authentication factor such as a fixed username and password.
To tackle such identity theft and threats, authentication systems are enhanced with 2nd Factor Authentication (2FA) where user is expected to possess a device decoupled and independent in nature to the internet system. The device generates a One-Time-Password (OTP). This methodology has proven somewhat successful at thwarting the Phishing attempts, but more modified threats such as Man-In-The-Middle (MITM), Pharming, Over-The-Air SMS/data sniffing, third party infrastructure hijacking, Trojans, key loggers and combinations thereof, can render a 2FA solution ineffective.
For example, a MITM attack can typically be executed as a reverse-proxy approach by a fraudster whereby a user is beguiled into supplying the necessary 2FA OTP or a challenge-response to the fraudster who relays the same in real-time (proxy) with fraudulent transactions.
An authentication methodology immune to above described attacks is possible when mutual authentication is implemented. In such an authentication system the client and server validate and verify each other before a session is started. Typically in the conventional mutual authentication approach, the client is expected to keep possession of a Digital Certificate that is used in the process of Authentication. There is a two-way authentication in which the user is expected to first visually verify, acknowledge the server's Digital Certificate credentials and the server subsequently validates and verifies the client's Digital Certificate.
However, this methodology relies on three factors:                1. The user must visually verify and acknowledge if the legitimate server is in-fact communicating with the client. Here, the user needs to be able to discern the Digital Certificate details that rightly identify the legitimate server.        2. In an internet system, the users are typically roaming and the user is expected to be in possession of a Digital Certificate and his Private Key at all the times. If not, authentication is not possible and user will be unable to access the appropriate server. Accordingly, the user needs to carry around the Digital certificate and the Private Key in some portable device and optionally protect the private key with a pass phrase. Also the user must protect the theft of Digital Certificate and Private Key, the loss of which would compromise his identity.        3. Implementation of such an authentication system relies on Transport Layer Security (TLS) [3] and requires the APPLICATION to trust the transport layer devices and protocols for authentication.        
Each of the above delineated factors rely on the user's active participation and judgment in the process. However, oftentimes users are not capable of discerning appropriateness of Digital Certificates and neither are they fully aware, capable of protecting the private key. Moreover, in a typical internet system, roaming capabilities are expected by default and for that users need to carry around Private Keys in some portable device such as USB, FOB, Dongle etc. Not only does it add the cost of the internet system but it also increases the level of inconvenience for users.