Sestus: How Does Virtual Token™ Authentication Work?

Welcome!

This page presents a general introduction to Virtual Token™ authentication, describes its history and its government-approved multi-factor authentication methods, and explains how Virtual Token™ authentication solves many of the problems that have plagued other authentication approaches.

This page does not address general business questions related to licensing, pricing, implementation, or support. If you are a prospective Virtual Token™ authentication customer and would like more information about Virtual Token™ authentication, please contact us here. We will arrange a live WebEx™ presentation during which we will explain the Virtual Token™ authentication technology in detail and answer any licensing, pricing, implementation, or support questions.

If you would like to experience Virtual Token™ authentication from a user's perspective, try our live demo here.

Due to the volume of material presented on this page, we have organized this page into chapters.
Product Summary

Virtual Token™ authentication is a cryptographic multi-factor authentication process and a true multi-factor approach as recommended by the FDIC and the FFIEC. Virtual Token™ authentication complies with section 8.3 of the PCI Data Security Standard and satisfies U.S. "Level 3" multi-factor authentication requirements as specified in NIST Special Publication 800-63.

Virtual Token™ authentication is the strongest multi-factor authentication in the world and is based on government-approved authentication standards. Virtual Token™ authentication is extremely easy to deploy and has the lowest support costs of any multi-factor authentication product. There is no hardware to purchase or ship, no software or ActiveX objects to install, no JavaScript requirements, and no certificates to manage. Virtual Token™ authentication is 100% cross-browser, cross-device compatible.

For its breakthrough in cyber security, the U.S. government has twice named Virtual Token™ authentication a semi-finalist for the Homeland Security Award.
After authenticating “something the user knows” (the user's login ID and password), Virtual Token™ authentication cryptographically authenticates “something the user has” (a key retrieved from the user's connected device, authenticated against the device itself). Following this multi-factor authentication, Virtual Token™ authentication produces and validates a one-time use, time-expiring "virtual" token number (a cryptographic "nonce") unique to the authenticating device.

With traditional hardware token authentication systems, users are issued costly hardware token devices which contain a microchip and stored programming code. These distributed hardware token devices must be synchronized with the authenticating server and are designed to produce a one-time use, time-expiring value.

Virtual Token™ authentication is a hardware token process, but the hardware it uses is the hardware the user already has (their connected device). Traditional hardware token devices process internal cryptographic keys to produce their token values. Virtual Token™ authentication, however, distributes only the cryptographic key to the user's EXISTING device, leaving the processing tasks to be performed by the organization's webserver. This eliminates the need for an organization to distribute additional hardware to its users. The organization's webserver provides the processing 'muscle', producing a time-expiring, one-time use Virtual Token™ value from the user's retrieved key. The keys and Virtual Token™ values are also cryptographically authenticated against the user's connected device, making Virtual Token™ authentication the first product in the world which offers any resistance to malware, keylogging trojans, or man-in-the-middle attacks.

So, Virtual Token™ authentication IS a hardware token approach, but no hardware tokens must be purchased or distributed to users. The hardware is the user's computer, PDA, or web-enabled phone. No software must be deployed by users and the process uses only native browser functionality supported by all operating systems and devices, with no special configuration required.

Virtual Token™ authentication, its underlying Hash Authentication Standard - Device Localized (HASDL) process, and the "Virtual Token™" concept are protected by U.S. and international patent and copyright. Virtual Token™ authentication may not be employed, replicated, or used in any other process or product without the express written permission of Sestus.
Users enter their existing login and password on the organization's existing web page. These "something the user knows" credentials are authenticated using whatever method is currently used by the organization (e.g., database verification, Active Directory verification, etc.). Virtual Token™ authentication does not impact or interfere with the organization's current credential validation process.

After the user's login credentials are validated by the organization, the user is redirected to a page on the organization's servers where they are permitted to enter a “name” for their device, such as “work computer”, "PDA", “laptop”, "iPhone", etc. They may also (optionally) enter an email and/or telephone number associated with this device. At this time, the connected device's 'fingerprint' is analyzed and, from this fingerprint, a key is cryptographically produced and stored on the device using normal browser functionality (no software or ActiveX objects are installed by the user).

After the user 'names' their device, they are prompted to bookmark the page (create a favorite link). That's it!

Users do not supply any personal information, upload any pictures, or register any new challenge questions. Users do not configure any browser settings, install any software, nor are they required to remember ANY new credentials.

After the first device has been enrolled, all subsequent devices are enrolled via an out-of-band process. This restricts device enrollment to only the account owner. Devices are enrolled only once. Once the device has been enrolled, the user never needs to check their out-of-band email or telephone again to authenticate using the device.

Note: If the organization wishes, the first device may also be enrolled via an out-of-band process.
Users enter their existing login and password on the organization's existing web page. These "something the user knows" credentials are authenticated using whatever method is currently used by the organization (e.g., database verification, Active Directory verification, etc.). Virtual Token™ authentication does not impact or interfere with the organization's current credential validation process.

After the user's login credentials are validated by the organization, the user's device is cryptographically authenticated. First, a key is retrieved from the user's device using normal browser functionality (no software or ActiveX objects are installed by the user). This key is then authenticated against the connected device itself. Then, a 6-digit Virtual Token™ value is produced (using the connected device's retrieved key and other device elements). This Virtual Token™ is displayed to the user, who enters the token to continue. That's it!

There are no challenge questions to answer, no pass phrases or credentials to remember, no software to install, and no hardware to carry.

Since the Virtual Token™ is produced using the connected device's key and other device elements, it is resistant to malware. This Virtual Token™ value is a one-time use, time-expiring value, designed to prevent replay attacks by introducing a random value into the login process.
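The enrollment flow and the login flow described above, as an added Python illustration that is not Sestus's code: the HASDL process itself is proprietary and not specified on this page, so this reconstructs only the behaviour the page describes (a per-device key bound to a device fingerprint, and a 6-digit one-time, time-expiring token derived from that key with HMAC-SHA-256, the keyed-hash standard the page cites). The class and method names, the 60-second lifetime and the fingerprint string are assumptions.

```python
# Illustrative reconstruction, NOT Sestus's HASDL: a generic model of the
# behaviour the page describes, using only HMAC-SHA-256, random nonces and
# the server clock. Every name below is assumed, not taken from the product.
import hashlib
import hmac
import secrets
import time

TOKEN_DIGITS = 6              # the page describes a 6-digit value
TOKEN_LIFETIME_SECONDS = 60   # assumption: the page gives no concrete expiry window


def _mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


class VirtualTokenServer:
    """Server-side state: enrolled devices and outstanding one-time challenges."""

    def __init__(self):
        self.devices = {}     # device_id -> {"user", "name", "fp_mac"}
        self.challenges = {}  # challenge_id -> {"device_id", "nonce", "expires", "used"}

    # ---- Enrollment (runs after the organization's own password check) ----
    def enroll(self, user: str, device_name: str, fingerprint: str):
        """Mint a random per-device key and bind it to the device fingerprint.

        The browser keeps (device_id, device_key) with ordinary browser storage;
        the server keeps only HMAC(device_key, fingerprint), so a key presented
        later can be checked "against the device itself" without storing the key.
        """
        device_id = secrets.token_hex(8)
        device_key = secrets.token_bytes(32)
        self.devices[device_id] = {"user": user, "name": device_name,
                                   "fp_mac": _mac(device_key, fingerprint.encode())}
        return device_id, device_key

    def _device_ok(self, user, device_id, device_key, fingerprint) -> bool:
        """'Something the user has': key and fingerprint must match enrollment."""
        rec = self.devices.get(device_id)
        if rec is None or rec["user"] != user:
            return False
        return hmac.compare_digest(_mac(device_key, fingerprint.encode()), rec["fp_mac"])

    @staticmethod
    def _digits(device_key, device_id, nonce, expires, fingerprint) -> str:
        """Token = HMAC(device_key, device_id || nonce || expiry || fingerprint),
        truncated to TOKEN_DIGITS decimal digits (same truncation idea as HOTP)."""
        msg = device_id.encode() + nonce + expires.to_bytes(8, "big") + fingerprint.encode()
        value = int.from_bytes(_mac(device_key, msg)[:4], "big") % 10 ** TOKEN_DIGITS
        return str(value).zfill(TOKEN_DIGITS)

    # ---- Authentication (runs after the organization's own password check) -
    def issue_token(self, user, device_id, device_key, fingerprint, now=None):
        """Authenticate the device, then derive a fresh token for it.

        Returns (challenge_id, token) for display to the user, or None when the
        presented key does not belong to this user's enrolled device.
        """
        now = int(time.time()) if now is None else now
        if not self._device_ok(user, device_id, device_key, fingerprint):
            return None
        nonce = secrets.token_bytes(16)               # the random value that defeats replay
        expires = now + TOKEN_LIFETIME_SECONDS
        challenge_id = secrets.token_hex(8)
        self.challenges[challenge_id] = {"device_id": device_id, "nonce": nonce,
                                         "expires": expires, "used": False}
        return challenge_id, self._digits(device_key, device_id, nonce, expires, fingerprint)

    def verify_token(self, user, challenge_id, device_key, fingerprint, submitted, now=None):
        """Accept the token once, before expiry, and only from the same device."""
        now = int(time.time()) if now is None else now
        ch = self.challenges.get(challenge_id)
        if ch is None or ch["used"] or now > ch["expires"]:
            return False
        ch["used"] = True    # one attempt per challenge, even when the attempt fails
        if not self._device_ok(user, ch["device_id"], device_key, fingerprint):
            return False
        expected = self._digits(device_key, ch["device_id"], ch["nonce"], ch["expires"], fingerprint)
        return hmac.compare_digest(expected, submitted)


if __name__ == "__main__":
    # Constructed sample: one enrolled "work computer" with a made-up fingerprint.
    srv = VirtualTokenServer()
    fp = "constructed-fingerprint:UA=ExampleBrowser/1.0;TZ=-5;SCREEN=1920x1080"
    dev_id, dev_key = srv.enroll("alice", "work computer", fp)
    cid, token = srv.issue_token("alice", dev_id, dev_key, fp, now=1000)
    print("token shown to user:", token)
    print("first use accepted:", srv.verify_token("alice", cid, dev_key, fp, token, now=1030))
    print("replay accepted:   ", srv.verify_token("alice", cid, dev_key, fp, token, now=1031))
```

The binding is only as strong as the fingerprint is hard to reproduce elsewhere, which is why the model also requires the device key and consumes each challenge after a single attempt.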
With traditional hardware token authentication, a key is retrieved from the hardware token device and, using this key, a random number is produced. Virtual Token™ authentication also retrieves a key from a hardware device (the user's connected computer, PDA, iPhone, etc.) and produces a random number. Unlike traditional hardware token authentication, however, Virtual Token™ authentication uses only government-approved authentication standards to produce its keys and token numbers. Also, since we retrieve the key from the user's existing device, no new hardware must be purchased or distributed. As a result, Virtual Token™ authentication is mathematically stronger than traditional hardware tokens, is considerably more affordable, and is much easier to implement and support.
A New Approach: the History of Virtual Token™ authentication

Virtual Token™ authentication is a new approach in authentication. Although Virtual Token™ authentication is easy for users to use, and easy for an organization to implement, behind the scenes Virtual Token™ authentication uses an extremely powerful and cutting-edge multi-factor authentication process (HASDL), employing the latest in government-approved mathematic and cryptographic algorithms, and revolutionary authentication concepts.
Preamble

By 1996, the internet had grown to become a global communication medium. E-commerce giants like eBay and Amazon.com were making headlines and the "dot.com" boom was booming. As more and more financial transactions began to be transacted over the internet, the U.S. government began to grow alarmed at the corresponding growth in online fraud and in the growing weakness of traditional authentication methods. Virtually the only online security protocol available to internet-based companies was an aging 160-bit SHA encryption algorithm that powered hardware tokens and SSL certificates. As computing power increased, mathematicians around the globe were reporting they were close to "cracking the code" of this SHA-1 algorithm. Logins and passwords were proving vulnerable to new fraud attacks (such as phishing) and government analysts were growing concerned about the inability of either hardware tokens or certificates to withstand these attacks.

1996

In 1996, the U.S. government took up the challenge of reforming online security. Pursuant to Section 5131 of the Information Technology Management Reform Act of 1996, the U.S. Department of Commerce commissioned the National Institute of Standards and Technology (NIST) and the Information Technology Laboratory (ITL) to develop several new authentication standards.
1997

February 1997: PKI authentication concepts introduced by the NIST and approved by the U.S. Secretary of Commerce.

2002

March 2002: HMAC authentication concepts introduced by the NIST and approved by the U.S. Secretary of Commerce.

Aug 2002: Under the authority of the U.S. Dept. of Commerce, the National Institute of Standards and Technology (NIST) and the Information Technology Laboratory (ITL) introduce a series of new Secure Hash Standard (SHS) mathematic authentication algorithms.

2003

May 2003: Sestus initiates a year-long research study to find ways to apply these newly-introduced authentication concepts to the modern challenges of phishing and online identity theft.

2004

Oct 2004: A new multi-factor authentication approach (utilizing elements from SHS, HMAC, PKI, and other proprietary processes) is introduced by Sestus as the Hash Authentication Standard - Device Localized (HASDL). A proof-of-concept for a commercial product based on this standard is successfully completed and dubbed "Virtual Token™ authentication".

Dec 2004: The FDIC publishes regulatory guidelines recommending the use of multi-factor authentication. In this same publication, the FDIC repeatedly warns against the use of authentication methods that solicit personal information from consumers.
2005

Feb 2005: A live implementation of Virtual Token™ authentication is successfully tested. Throughout 2005, Virtual Tokens™ are refined through a series of technical trials and focus groups facilitated by internet "backbone" companies and industry-leading financial organizations, including a 9-month technical trial conducted by one of the “big four” credit card companies. No faults or compromise techniques are evidenced.

Mar 2005: The (older) SHA1 algorithm powering SSL and hardware tokens is broken by Chinese mathematicians. All U.S. government agencies and numerous commercial organizations announce plans to abandon SHA1 and convert to the new standards by 2010. Virtual Token™ authentication is already there.

Jun 2005: In recognition of our breakthrough in multi-factor authentication, the United States government names Virtual Tokens™ a semi-finalist for the 2005 Homeland Security Award for "making a measurable and constructive contribution related to basic and/or advanced research in the area of homeland security which will result in a significant and positive benefit to society".

Dec 2005: InfoWorld Magazine awards Virtual Tokens™ its highest honor, the InfoWorld 100 Award for the "best use of technology to meet business goals".

2006

Mar 2006: Virtual Token™ authentication (beta) is released to the commercial market for technical evaluation.

2007

Jan 2007: Virtual Token™ authentication (commercial version) is launched and licensing contracts begin.

Jun 2007: The United States government AGAIN names Virtual Tokens™ a semi-finalist for the 2007 Homeland Security Award.
Current Status

Pursuant to Section 5131 of the Information Technology Management Reform Act, the U.S. Department of Commerce has approved the SHS algorithmic approach as the new U.S. authentication standard. PKI concepts were approved in February 1997 and HMAC was approved in March 2002 and revised in June 2007. Virtual Token™ authentication incorporates elements from SHS, PKI, and HMAC as well as proprietary authentication methods.

Sestus Data is a growing company whose cutting-edge, patent-pending technology is positioned to deeply penetrate the established multi-factor authentication market. Its radically different approach to MFA solves a host of problems that have made other MFA solutions ineffective, expensive, difficult to support, and unpopular with users. Growing rapidly, Sestus and its key players have a solid track record. Sestus Data carries no debt, is entirely self-funding, and has the technical and business experience to deliver world-class products and services. The Virtual Token™ authentication product is based on approved U.S. authentication standards and is currently the only MFA product to have been officially recognized by the U.S. government (which twice named it a semi-finalist for the Homeland Security Award). A number of substantial business prospects have recognized the significance of what Virtual Token™ authentication brings to the market, and they are moving rapidly to capitalize on the value of this new product.
On Dec 14, 2004, the U.S. Federal Deposit Insurance Corporation (the FDIC) published a report presenting its findings on how the financial industry and its regulators could mitigate the risks associated with phishing. In this study, the FDIC identified root causes for the problem of phishing:

"User authentication by the financial services industry for remote customer access is insufficiently strong.... the FDIC is of the opinion that financial institutions and government should consider a number of steps to reduce online fraud, including: Upgrading existing password-based single-factor customer authentication systems to two-factor authentication."

On October 12, 2005, the Federal Financial Institutions Examination Council (FFIEC) issued an updated guidance letter for banks and financial institutions which echoed the FDIC's findings and made the following recommendation:

"The agencies consider single-factor authentication, as the only control mechanism, to be inadequate... financial institutions should implement multifactor authentication."

The FFIEC defined multi-factor authentication thus:

"Existing authentication methodologies involve three basic “factors”:
• Something the user knows (e.g., password, PIN);
• Something the user has (e.g., ATM card, smart card); and
• Something the user is (e.g., biometric characteristic, such as a fingerprint).
Authentication methods that depend on more than one factor are more difficult to compromise than single-factor methods." (FFIEC)
Multi-factor authentication is exactly what it sounds like. Instead of using only one type of authentication factor, such as "something a user KNOWS" (login IDs, passwords, secret images, shared secrets, personal information, etc.), multi-factor authentication requires the use of a second factor, the addition of "something the user HAS" or "something the user IS".

Two-factor authentication is not a new concept. You use two-factor authentication every time you visit your local ATM machine. One authentication factor is the physical ATM card you slide into the machine. The second authentication factor is the PIN number you enter. Without both, authentication cannot take place. The ATM scenario illustrates the basic parts of most multi-factor authentication systems: the "something you have" + "something you know" concept.

Challenge Question / Response = NOT multi-factor authentication
In their reports, the FDIC and the FFIEC defined multi-factor authentication as using "more than one factor". The FFIEC clarified this again in their August 15, 2006 FAQ Supplement: "By definition true multifactor authentication requires the use of solutions from two or more of the three categories of factors. Using multiple solutions from the same category ... would not constitute multifactor authentication."

By the FFIEC's definition, multiple instances of the same type of authentication factor (i.e., multiple uses of "something you KNOW") would "not constitute multifactor authentication", even if they are used at different points in the authentication process. In other words, using the customer's Login ID to look up additional challenge questions and secret images (which are all things the user "knows") "would not constitute multifactor authentication".

By the same regulatory definition, equipping SOME customers with one authentication factor while equipping the REST of the customers with another authentication factor would also be insufficient, since each customer would still be using only ONE authentication factor.
It is no exaggeration to say Virtual Token™ authentication is the strongest multi-factor authentication solution in the world. Virtual Token™ authentication is significantly stronger than all existing authentication approaches, including SSL certificates and hardware tokens. Virtual Token™ authentication can be deployed in place of hardware tokens for a significantly stronger authentication solution that is considerably more affordable and easier to support.

Virtual Token™ authentication is based on the Hash Authentication Standard - Device Localized (HASDL). It incorporates cutting-edge cryptographic and keyed-hash protocols developed by the National Institute of Standards and Technology (NIST) under the authority of the U.S. Department of Commerce. These protocols include Public Key Infrastructure (PKI) technology, Keyed-Hash Message Authentication Code (HMAC) protocols, Proof of Possession (PoP) concepts, cryptographic nonces, and Secure Hash Standards (SHS), as well as proprietary algorithmic methods and processes developed by Sestus Data Company. These authentication methods are now the current U.S. authentication standard and are used to protect all sensitive U.S. government data. There are no stronger authentication methods in the world.

Virtual Token™ authentication represents the next generation in authentication. Virtual Token™ authentication does not use geo-location techniques, risk-based analysis, shared secrets, solicited member information, or other outdated authentication methods which are frowned on by regulators or exhibit known vulnerabilities to modern fraud techniques. To understand how Virtual Token™ authentication differs from other authentication methods, you must first understand these other methods and their vulnerabilities.
Virtual Token™ authentication does not perform geo-location authentication

Geo-location authentication is a process which the FDIC and the FFIEC have both cautioned “produces usable results only for land-based or wired communications, [and] may not be suitable for some wireless networks that can also access the Internet” [1][2]. In today's internet climate, with wireless connections and proxy servers sharing IP pools, geo-location techniques are unreliable. In addition, since geo-location techniques only attempt to identify “where” you are connecting from, not the “something you have”, they do not meet the regulatory definition of multi-factor authentication.

1. FDIC publication supplement to “Putting an End to Account-Hijacking Identity Theft”, December 14, 2004.
2. FFIEC, “Authentication in an Internet Banking Environment”.
Virtual Token™ authentication does not perform authentication based on any derived “risk-scores”

Risk scoring is used by systems that cannot reliably authenticate users. Because such systems cannot reliably authenticate their users, they must calculate the “risk” to the organization instead, using stored profiles and other factors. Risk-scoring systems significantly increase an organization's support requirements, flooding support centers with ‘flagged’ transactions that must be further evaluated. Virtual Token™ authentication, however, is a mathematically-based approach. Virtual Token™ authentication either authenticates or it doesn't. There is no need to calculate a risk score or flag the authentication for further evaluation. To do so would be like asking “what is the risk that 2 + 2 will equal 5?” With mathematic authentication, the 'risk' is always zero. 2 + 2 will never equal 5.
Virtual Token™ authentication does not rely on “shared secret” information such as images or challenge questions

No secret information must be disclosed by users at any time to use Virtual Token™ authentication. In addition, no confidential member information must be gathered, stored, or maintained by your organization to use Virtual Token™ authentication. Warnings against the use of systems that rely on solicited personal information and secret images are multiplying, with regulators noting that such systems are “susceptible to man-in-the-middle attacks, where the fraudster successfully impersonates the user and gains access to the shared secret” [3][4][5][6][7][8][9][10]. In addition, many states are now passing laws strictly regulating or even prohibiting the solicitation of confidential personal information online [11][12][13].

3. FDIC Supplemental: Federal Deposit Insurance Corporation, Division of Supervision and Consumer Protection, Technology. June 17, 2005.
4. FFIEC: Authentication in an Internet Banking Environment (Updated Guidance Letter), October 12, 2005.
5. FDIC: Putting an End to Account-Hijacking Identity Theft, December 14, 2004.
6. “Phishing In The Middle Of The Stream” - Today's Threats To Online Banking. From the proceedings of the AVAR 2005 conference.
7. Gartner Group via MSNBC - “Is that picture keeping your money safer?”, Sept 29, 2006.
8. Symantec Corporation - “Phishing In The Middle Of The Stream”, Proceedings of the AVAR 2005 conference.
9. IT Management News - “PassMark's SiteKey - Answering The Wrong Question”, July 26, 2005.
10. CR-Labs - “Fraud Vulnerabilities in SiteKey Security at Bank of America”, July 18, 2006.
11. California Security of Personal Information - Civil Code section 1798.81.5.
12. California Business and Professions Code Section 22575-22579.
13. California Government Code Section 11000-11019.9.
Virtual Token™ authentication does not require the deployment of costly hardware devices or the installation and support of software certificates

Most hardware tokens and software certificates are based on the aging 160-bit "OATH" standard using the "SHA-1" algorithm. SHA-1 was broken in March of 2005, and is no longer considered secure [14]. Because of the vulnerability of the SHA-1 algorithm, the National Institute of Standards and Technology (NIST), a government standards body advising regulatory offices, has called for all government organizations, security firms, authentication vendors, SSL providers, and related security organizations to "migrate from the 160-bit SHA-1 to SHA-256 by the year 2010" [15]. Microsoft, Symantec, IBM, and many other companies have issued similar calls to abandon SHA-1 in favor of SHA-256. Virtual Token™ authentication is already there.

Hardware tokens and software certificates are also very expensive, unpopular with users, and difficult to support. Perhaps most important, hardware tokens and software certificates are vulnerable to phishing, malware, man-in-the-middle attacks, pharming, and many other forms of modern fraud. Citigroup, Nordea Bank, and other organizations have recently made headlines as a result of fraudsters compromising their hardware token or software certificate systems [16][17][18].

Virtual Token™ authentication is based on the current U.S. authentication standards including SHA-256 [19], PKI, and HMAC. Virtual Token™ authentication requires no additional hardware or software to be deployed, it is simple for members to use, and it is the first multi-factor solution capable of defeating phishing, malware, man-in-the-middle attacks, pharming, and many other forms of modern fraud.

14. CNET News.com, "U.S. mulls new digital-signature standard", November 1, 2005.
15. eeTimes.com, "Crack in SHA-1 code 'stuns' security gurus", February 21, 2005.
16. Business Report, “Swedish bank closes phishing hole”, Oct 4, 2005.
17. Bank Systems & Technology, “Phishers Beat Citi's Two-Factor Authentication”, July 18, 2006.
18. ComputerWorld, “Phishers edge past banks' strong authentication”, July 14, 2006.
19. U.S. Federal Information Processing Standards - FIPS 180-2.
Due to the failure of many other forms of authentication, organizations are increasingly turning to telephone-based methods of authentication. While sending credentials via an out-of-band channel such as telephone and email is sometimes necessary, organizations should be wary of solutions which rely EXCLUSIVELY on the use of telephone-based systems to authenticate users. Many internet users do not wish to have their telephone ring EVERY time they need to login. Users may not have ready access to their telephone EVERY time they wish to check their account. Telephone authentication systems are also traditionally very expensive, and also usually require the deployment of additional hardware, servers, T1 lines, etc.

To be effective, telephone authentication systems cannot rely solely on text messaging. Not every user will have a device capable of receiving text messages. To be usable by all users, telephone authentication systems must make use of traditional analog phone lines. This means that someone must pay for the generated calls. As a result, systems that rely exclusively on telephone out-of-band for authentication are among the most expensive forms of authentication.

Virtual Token™ authentication does provide an optional telephone-based out-of-band product, called “Token by Phone™”; however, out-of-band authentication is NOT used by Virtual Token™ authentication for general authentication. It is only used for enrolling NEW devices or when users wish to authenticate from a PUBLIC computer, such as an airport kiosk or a library computer.

Virtual Token™ authentication Token by Phone™ is an optional product that permits an organization to enhance their email out-of-band process with telephone capability. Most importantly, through an exclusive arrangement we have negotiated with a New York state telephone company, NO telephone equipment must be purchased or installed and NO per-minute fees are charged. Organizations who wish to deploy Virtual Token™ authentication Token by Phone™ pay only a small annual per-user fee for unlimited use of the service.
Although biometric authentication systems have existed for over twenty years, they have met with only limited commercial success. This is due to high cost, high support requirements, unreliability, and resistance by consumers.

Consumers are wary of biometric authentication approaches due to privacy concerns. They resist having their fingerprints, voiceprints, and typing patterns recorded for fear that the recorded information may be compromised and re-used by others. Unlike traditional passwords, biometrics cannot be changed, which presents a problem in the event the recorded biometric information is compromised. You cannot, for example, easily change your fingerprint.

Contrary to popular opinion, biometric authentication methods are also relatively unreliable, with significant failure rates and false positive rates. Those biometric characteristics which can be most easily captured and used, such as voiceprints and keystroke typing patterns, are also the characteristics most likely to vary from authentication to authentication, resulting in unacceptably high failure rates and user frustration. Even those characteristics which can be more reliably authenticated are still relatively easy to counterfeit. In a well-known 2002 case, Japanese cryptographer Tsutomu Matsumoto demonstrated how most fingerprint readers on the market can be fooled using a plastic mold and gelatin. His findings, widely publicized at the time, served as a wakeup call to the industry.

Recently, keystroke pattern recognition systems have been re-introduced to the market. These systems are not new. They have existed for almost 20 years, but security experts have long discounted such systems as extremely weak, difficult for users to use, and difficult for organizations to support. With the recent surge in interest in multi-factor authentication, however, vendors have dusted off keystroke recognition systems and are again peddling them to desperate organizations. Keystroke pattern recognition systems can be compromised with very little effort. Information Security Magazine recently had its lab evaluate one keystroke biometric authentication approach (BioPassword). They reported, “lab personnel quickly compromised the account” and they concluded the approach “may not yet be attractive for servicing typical customers because of the education requirements and frustration of login failures due to any change in keystroke pattern” [20]. To see how easily biometric keystroke recognition systems can be compromised, click here. This example compromise demonstration was created in a single day.

In addition to privacy concerns, reliability issues, and high deployment costs, biometric authentication systems also require the most end-user training and support [21]. To quote one noted biometric security researcher, “Before spending too much time researching such solutions for your company, though, carefully consider the cost of administration. Most products available today provide little centralized administration, are fairly expensive, and create an entirely new category of help desk calls. As promising as the technologies behind biometrics look, none of them are quite ready for easy, enterprise-wide deployment.” [22]

20. Information Security Magazine, Security Buyers Guide, June 16, 2006.
21. David R. Lease, Ph.D., Government Health Services Division, “Findings: Biometric Authentication in the Private Sector”, 2007.
22. Joern Wettern, Ph.D., MCSE, MCT, Security, “The State of Biometric Authentication", August 2005.