PassWindow is a technique of producing one-time passwords and facilitating transaction verification that is used as an online second-factor authentication method.
The system works by encoding digits into a segment matrix similar to the seven-segment matrices used in digital displays. The matrix is then divided into two component patterns that reveal the whole when superimposed. [1]
A seven-segment display (SSD), or seven-segment indicator, is a form of electronic display device for displaying decimal numerals that is an alternative to the more complex dot matrix displays.
Half of the pattern is printed on a transparent region of a plastic card, while the other is displayed on an electronic screen such as a computer monitor. These are referred to as the key pattern and challenge pattern, respectively. [1]
Each key pattern is unique, and the challenge pattern can only be decoded by its corresponding printed key. [1]
By varying the challenge pattern displayed on the screen, a series of digits can be communicated to the card holder without being visually revealed on the screen.
PassWindow is typically implemented such that an animated, perpetually looping sequence of challenge patterns is displayed, each encoding a single digit placed in a random location within the matrix.
A valid solution to this challenge then consists of a specified number of consecutively appearing digits.
By printing a PassWindow key pattern on a piece of transparent media, such as a transparent section of a plastic card, a standard plastic ID-1 card can be used as physical token ( something you have) that can be used in a two-factor authentication system.
ISO/IEC 7810Identification cards — Physical characteristics is an international standard that defines the physical characteristics for identification cards.
Using the PassWindow system, a challenge pattern containing a string of digits and/or letters can be generated for a specific key pattern by an authentication server with knowledge of the shared secret (the user's key pattern).
The user decodes the sequence of digits from the pattern using their PassWindow key and sends this as a response to the server's challenge. The correct response confirms that the client has physical access to the token.
These digits are then used as a one-time password. [1]
Mutual authentication or two-way authentication (sometimes written as 2WAY authentication) refers to two parties authenticating each other suitably. In technology terms, it refers to a client or user authenticating themselves to a server and that server authenticating itself to the user in such a way that both parties are assured of the others' identity. When describing online authentication processes, mutual authentication is often referred to as website-to-user authentication, or site-to-user authentication.
In the simplest case, the client verifies that the server from which they are receiving their challenge by confirming that the solution is intelligible when they superimpose their key over the challenge. An unintelligible or corrupted challenge alerts the user that they may not be connected to the server they intend. [1]
In addition, a known string of digits may be encoded into the challenge at the time of generation to provide additional server-to-client authentication to prevent the replay of stored challenges. Known as a verification code, examples include destination account numbers or transaction totals when used to secure online monetary transactions. This use is often referred to as transaction verification and forms the primary basis for PassWindow's exceptional resilience to Man-in-the-middle (MITM) and Man-in-the-browser (MITB) attacks. [1]
Matt Walker, Australian, invented the original PassWindow concept after many years researching various online two-factor authentication systems. The high cost of many electronic token systems, as well as their inability to protect against an ever-increasing array of complex attacks, forced Matthew to completely rethink the way modern authentication is conducted.
During the intervening period, while the security world looked for ever more complex and high-tech solutions, which it was apparent were increasingly vulnerable to ever more complex and high tech attacks, Matthew decided to take the opposite approach and look for an authentication solution with pure simplicity at its core.
In the process, he discovered an entirely new secure method in online security. [2]
An authenticator is the means used to confirm the identity of a user, that is, to perform digital authentication. A person authenticates to a computer system or application by demonstrating that he or she has possession and control of an authenticator. In the simplest case, the authenticator is a common password.
Authentication is the act of confirming the truth of an attribute of a single piece of data claimed true by an entity. In contrast with identification, which refers to the act of stating or otherwise indicating a claim purportedly attesting to a person or thing's identity, authentication is the process of actually confirming that identity. It might involve confirming the identity of a person by validating their identity documents, verifying the authenticity of a website with a digital certificate, determining the age of an artifact by carbon dating, or ensuring that a product is what its packaging and labeling claim to be. In other words, authentication often involves verifying the validity of at least one form of identification.
RSA SecurID, formerly referred to as SecurID, is a mechanism developed by Security Dynamics for performing two-factor authentication for a user to a network resource.
In computer security, challenge–response authentication is a family of protocols in which one party presents a question ("challenge") and another party must provide a valid answer ("response") to be authenticated.
A replay attack is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and re-transmits it, possibly as part of a masquerade attack by IP packet substitution. This is one of the lower tier versions of a "Man-in-the-middle attack".
Internet security is a branch of computer security specifically related to not only the Internet, often involving browser security and the World Wide Web, but also network security as it applies to other applications or operating systems as a whole. Its objective is to establish rules and measures to use against attacks over the Internet. The Internet represents an insecure channel for exchanging information, which leads to a high risk of intrusion or fraud, such as phishing, online viruses, trojans, worms and more.
A one-time password (OTP), also known as one-time pin or dynamic password, is a password that is valid for only one login session or transaction, on a computer system or other digital device. OTPs avoid a number of shortcomings that are associated with traditional (static) password-based authentication; a number of implementations also incorporate two-factor authentication by ensuring that the one-time password requires access to something a person has as well as something a person knows.
A security token is a physical device used to gain access to an electronically restricted resource. The token is used in addition to or in place of a password. It acts like an electronic key to access something. Examples include a wireless keycard opening a locked door, or in the case of a customer trying to access their bank account online, the use of a bank-provided token can prove that the customer is who they claim to be.
Extensible Authentication Protocol (EAP) is an authentication framework frequently used in wireless networks and point-to-point connections. It is defined in RFC 3748, which made RFC 2284 obsolete, and is updated by RFC 5247.
HMAC-based One-time Password algorithm (HOTP) is a one-time password (OTP) algorithm based on hash-based message authentication codes (HMAC). It is a cornerstone of the Initiative for Open Authentication (OATH).
In cryptography, CRAM-MD5 is a challenge-response authentication mechanism (CRAM) based on the HMAC-MD5 algorithm. As one of the mechanisms supported by the Simple Authentication and Security Layer (SASL), it is often used in email software as part of SMTP Authentication and for the authentication of POP and IMAP users, as well as in applications implementing LDAP, XMPP, BEEP, and other protocols.
3-D Secure is an XML-based protocol designed to be an additional security layer for online credit and debit card transactions. It was originally developed by Arcot Systems and first deployed by Visa with the intention of improving the security of Internet payments and is offered to customers under the name Verified by Visa. Services based on the protocol have also been adopted by Mastercard as Mastercard SecureCode, and by JCB International as J/Secure. American Express added 3-D Secure in selected markets on November 8, 2010 as American Express SafeKey, and continues to launch additional markets.
In a Windows network, NT LAN Manager (NTLM) is a suite of Microsoft security protocols intended to provide authentication, integrity, and confidentiality to users. NTLM is the successor to the authentication protocol in Microsoft LAN Manager (LANMAN), an older Microsoft product. The NTLM protocol suite is implemented in a Security Support Provider, which combines the LAN Manager authentication protocol, NTLMv1, NTLMv2 and NTLM2 Session protocols in a single package. Whether these protocols are used or can be used on a system is governed by Group Policy settings, for which different versions of Windows have different default settings. NTLM passwords are considered weak because they can be brute-forced very easily with modern hardware.
A password manager assists in generating and retrieving complex passwords, potentially storing such passwords in an encrypted database or calculating them on demand.
Electronic authentication is the process of establishing confidence in user identities electronically presented to an information system. Digital authentication or e-authentication may be used synonymously when referring to the authentication process that confirms or certifies a person's identity and works. When used in conjunction with an electronic signature, it can provide evidence whether data received has been tampered with after being signed by its original sender. In a time where fraud and identity theft has become rampant, electronic authentication can be a more secure method of verifying that a person is who they say they are when performing transactions online.
Multi-factor authentication (MFA) is an authentication method in which a computer user is granted access only after successfully presenting two or more pieces of evidence to an authentication mechanism: knowledge, possession, and inherence.
Google Authenticator is a software-based authenticator that implements two-step verification services using the Time-based One-time Password Algorithm and HMAC-based One-time Password algorithm, for authenticating users of mobile applications by Google.
A whole new range of techniques has been developed to identify people since the 1960s from the measurement and analysis of parts of their bodies to DNA profiles. Forms of identification are used to ensure that citizens are eligible for rights to benefits and to vote without fear of impersonation while private individuals have used seals and signatures for centuries to lay claim to real and personal estate.“ Generally, the amount of proof of identity that is required to gain access to something is proportionate to the value of what is being sought." It is estimated that only 4% of online transactions use methods other than simple passwords. Security of systems resources generally follows a three-step process of” identification, authentication and authorization. Today, a high level of trust is as critical to eCommerce transactions as it is to traditional face-to-face transactions.
SQRL or Secure, Quick, Reliable Login is a draft open standard for secure website login and authentication. The software solution typically uses a link of the scheme sqrl:// or optionally a QR code, where a user identifies via a pseudonymous zero-knowledge proof rather than providing a user ID and password. This method is thought to be impervious to a brute force password attack or data breach. It shifts the burden of security away from the party requesting the authentication and closer to the operating system implementation of what is possible on the hardware, as well as to the user. SQRL was proposed by Steve Gibson of Gibson Research Corporation in October 2013 as a way to simplify the process of authentication without the risk of revelation of information about the transaction to a third party.
Authentication is the act of confirming the truth of an attribute of a single piece of data claimed true by an entity. Out of different types of authentication two-factor authentication is a method that provides identification of users by means of the combination of two different components. There are number of two-factor authentication and multi-factor authentication methods. Multi-factor authentication products can provide significant benefits to an enterprise, but the methods are complex and the tools themselves can vary greatly from provider to provider.