Passfaces 2009 - AITP Washington DC Chapter

WTG New Technology Corp
Passfaces Corp
About the Companies
WTG New Technology Corporation (NewTech) is a technology transfer company specializing in the Washington DC market. Passfaces Corporation is a security technology company, featuring Passfaces, a bi-directional, two factor, cognometric authentication system based on a patented technology that leverages people's innate ability to recognize faces.
The Mission
To provide the online world with a secure, usable and affordable strong authentication solution and a practical alternative to tokens and biometrics.
More About Passfaces
Passfaces: Strong / Two Factor Authentication and Phishing Protection
• Used primarily in Banking and Healthcare
• Also used – without problem – for 8 years by a major branch of the US Government
• Core technology is cognometrics, the human brain’s innate ability to recognize familiar faces
• Patents granted world-wide
• Deployed without hitch to users at a major credit union in 2008
• Selected by major healthcare provider with users in 2009
• Customers include:
  - Royal Credit Union
  - CU Service Provider
Why Strong Authentication?
Strong authentication is an essential enabler for the provision of online services.
It is needed for:
• Transaction & Data Protection
  - E.g. Online banking, Personal Health Records
• Compliance
  - E.g. FFIEC, HIPAA
• User Reassurance / Trust
  - Insecure users won’t use online services
And because passwords:
• can be guessed or “cracked”
• are written down
And:
• people use the same one everywhere
• users forget them (and call the help desk)
• and, most critically today, they can be phished!
“Passwords are the weakest of weakest links” – Bill Gates
Why Passfaces?
Passfaces provides strong authentication – and phishing protection – without pain!
• Easy to deploy
  - Leverages existing password infrastructure
  - No user hardware or software – works in browser
  - No new servers or databases
• Easy for users
  - No device to lose or forget
  - No personal questions/answers to remember
  - Machine & location independent – i.e. fully portable
  - Built-in anti phishing does not require user attention
• Easy for administrators
  - [Almost] no resets
  - Actually liked by users
• Easy on budgets
  - Less than one tenth the cost of tokens
  - Save on purchase, implementation and support
Passfaces is Different
Passfaces is a graphical authentication system.
Graphics and images are among the simplest and most effective means to communicate and interact with people.
But, like a password, you still need to recall a graphic or image.
Faces are Different
• The brain uses a dedicated, intuitive process to “learn” and remember faces
• The brain recognizes, not recalls, faces
• Face recognition is a universal skill – independent of age, language or education
Source: Face Recognition: A Literature Survey. National Institute of Standards and Technology
Passfaces Strong Authentication
[Image: “Here are your Passfaces”]
Passfaces provide a simple, but powerful, means of overcoming the vulnerabilities of passwords.
Passfaces are used with a password to provide two factor or strong authentication.
For two-factor authentication, users are typically assigned 3 secret passfaces in addition to their password.
[Image: challenge grid, “Click On Your Passface”]
To log on, users pick out one of their Passfaces from a challenge grid of 9 faces.
Each challenge grid contains 1 Passface and 8 decoy faces.
The process is repeated for each of the users’ Passfaces.
A CREDIT UNION DEMONSTRATION
For your convenience, we would like to show you a brief demonstration of a credit union's use of Passfaces for their online members.
Strong Authentication Requirements
1. Security – better than passwords alone
2. Usability – no complex pass codes or procedures
3. Non-Intrusive – users are averse to change and reluctant to do more
4. Visibility – users want to see that companies are increasing security
5. Mobility – users log on using different PCs in different locations
6. Consistency – of user experience
7. Reliability – no false rejection, no system errors, no user errors
8. Bidirectional – verify the User to the Site AND the Site to the User
9. Flexibility – for varying risk levels and customer choice
10. Easy Integration – with current systems and procedures
11. Low Cost – Procurement, deployment and ongoing maintenance
Source: Gartner Inc.
Usability is key – especially for consumers. If they can’t or won’t use the security system, then it won’t work!
What Are the Alternatives?
Smart Cards
Biometrics
Tokens
Keypad Scrambler
Crypto Cookie
Code Cards
Strong Authentication Alternatives
[Comparison chart: each alternative is rated Good / OK / Bad against each criterion.]
Alternatives compared: Passfaces, Virtual Keypad, Biometrics, Risk Analysis, Code Cards, Crypto Cookies, Smart Cards, Tokens, Personal Pictures
Criteria: Security, Bidirectional, Intrusiveness, Visibility, Usability, Mobility, Management, Integration, Rollout, Cost
Passfaces is unique in meeting all the requirements for strong authentication
Passfaces For NFCU
• Integrates Passfaces with any Internet platform
• Includes
  - Server-side code
  - Passfaces Web Clients
  - Administration Console
  - Reference Implementations
  - Detailed integration information
  - Passfaces Image Library
Passfaces Web Access
[Architecture diagram. Labels shown:]
• End User Client
• Existing Web Application Integrated with JavaScript, ActiveX, or Java
• No Software or Installation Required
• Application Server
• Web Server
• Existing User Database
• Windows, Java, or SDK
• ODBC or LDAP connector or JDBC/JNDI Interface
• Face Library
• Passfaces Admin
• Web Server/Outlook Web Access
Passfaces Web Access – Separate Passfaces Server
[Architecture diagram. Labels shown:]
• AD or SQL Database or LDAP Directory Server
• Administrator
• Passfaces Admin Console
• Web Users (JavaScript, ActiveX or Java) – No installation!
• Passfaces Server (Windows IIS or Java)
• SSL
• Internet
• Passfaces Web Client
• Existing Application Server
Passfaces Web Access – Architecture for SSL VPN Connectivity
[Architecture diagram. Labels shown:]
• Web Users
• Corporate Network
• Passfaces Admin Console
• AD or SQL Database or LDAP Directory Server
• SSL
• Passfaces Server (Windows IIS or Java)
• Login information and control
• SSL/VPN
• Corporate Resources
• Passfaces Web Client
Passfaces Web Access – Architecture for Citrix Connectivity
[Architecture diagram. Labels shown:]
• Web Users
• Corporate Network
• Passfaces Admin Console
• AD or SQL Database or LDAP Directory Server
• SSL
• Passfaces Server (Windows IIS or Java)
• Login information and control
• Citrix Server
• Corporate Resources
• Passfaces Web Client
Everything Needed to Add Passfaces
• Administration Console
  - Web Based (Java application servers)
  - Windows (Microsoft IIS)
• Server-side code
  - Java class package
  - Java servlet (HTTP interface)
  - ISAPI extension DLL for Microsoft IIS
• Passfaces Web Clients
  - JavaScript / Java applet / ActiveX
• Reference Implementations
  - Sample JSP/ASP/HTML pages
• Detailed integration information
• Passfaces Image Library
  - Standard or Custom
Customizable User Interface
• Add Your Logo
• Change Background Colors
Integrated, Editable User Help Manual
Built In Help
• Link to Passfaces Help
• Modify Files to Create a Custom Help Manual
• Add Your Logo
• Easily edited HTML lets you add sections specific to your Web Access procedures
[Screenshot: sample help page]
User Authentication
Thornberry is adding Passfaces, an enhanced logon procedure, to our online services. The new process places an additional security lock to existing Online IDs and passwords. We are taking this step to provide the best protection possible for your online account information.
Thornberry Authentication
Users are required to enable Passfaces over the next thirty days. You will be prompted to enable Passfaces each time you login. We recommend you enhance your login security as soon as possible. The process takes from 3 to 5 minutes. We also recommend you View the Demo before starting the process.

NIST Acknowledgment of Passfaces?
From NIST 800.63 Appendix A2 page 61:
A.2 Other Types of Passwords
Some password systems require a user to memorize a number of images, such as faces. Users are then typically presented with successive fields of several images (typically 9 at a time), each of which contains one of the memorized images. Each selection represents approximately 3.17 bits of entropy. If such a system used five rounds of memorized images, then the entropy of system would be approximately 16 bits. Since this is randomly selected password the guessing entropy and min-entropy are both the same value.
It is possible to combine randomly chosen and user chosen elements into a single composite password. For example a user might be given a short randomly selected value to ensure min-entropy to use in combination with a user chosen password string. The random component might be images or a character string.
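The arithmetic behind the 3.17-bit and 16-bit figures, applied also to the 3-Passface, 9-face grid procedure described earlier, as an added example that is not part of the presentation or of the NIST text. The function names and the lockout budget of 3 failed logins are assumptions for illustration; the guesser is assumed to pick one face uniformly at random in every grid.

```python
import math

def selection_bits(grid_size: int) -> float:
    """Entropy of one uniformly random pick from a grid of `grid_size` faces."""
    return math.log2(grid_size)

def scheme_bits(grid_size: int, rounds: int) -> float:
    """Entropy of `rounds` independent grids when the faces are randomly assigned."""
    return rounds * selection_bits(grid_size)

def guess_success(grid_size: int, rounds: int, attempts: int) -> float:
    """Chance that a blind guesser passes every round of at least one login
    within `attempts` tries (assumed lockout budget, not a product setting)."""
    p_login = float(grid_size) ** -rounds
    return 1.0 - (1.0 - p_login) ** attempts

def rounds_needed(grid_size: int, attempts: int, max_risk: float) -> int:
    """Smallest number of rounds that keeps guess_success at or below max_risk."""
    rounds = 1
    while guess_success(grid_size, rounds, attempts) > max_risk:
        rounds += 1
    return rounds

if __name__ == "__main__":
    # 3 rounds = typical assignment on the slide, 5 rounds = the NIST example
    for rounds in (3, 5):
        print(f"{rounds} rounds of 9: {scheme_bits(9, rounds):5.2f} bits, "
              f"P(guess within 3 tries) = {guess_success(9, rounds, 3):.6f}")
    print("rounds for <= 1e-4 risk at 3 tries:", rounds_needed(9, 3, 1e-4))
```

With three faces the face step contributes under 10 bits (729 combinations), so its resistance to online guessing rests on the password it is paired with and on throttling of failed attempts.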
Customer Testimonials
“Passfaces is one of those products that just works… We installed it 7 years ago and have never had a problem with it… I see all these complicated new authentication systems being introduced by the banks and wonder why they don’t just use Passfaces.” CISO, US Government.
“We selected Passfaces as it not only raises the bar in terms of security, but it is both easy to use and to implement.” David Vandeven, President/CEO Midwest Independent Bank.
"ParadigmHealth was an early innovator of website security and authentication. Security and data privacy remain our focus, but now with Passfaces we are also highlighting the importance of increasing ease of use. Passfaces fully addresses the authentication requirements for the large-scale deployment of Personal Health Records." Tom Hagan, ParadigmHealth CIO.
“Thank you again for your support, your product is already making my life a lot easier and you can quote me on that if you like…” Paul Osnes, CIO Easter Seals of Southern California.
“Passfaces was so unique and we felt our client base would find it very much ‘cutting edge’. We wanted something exciting; something different that had security second to none. It excited our folks internally and I knew it would excite our client base as well.” Tom Leib, Product Manager RC Olmstead.
“Buckeye State Credit Union understands its members’ concerns for secure online banking. We feel that our member’s financial information is worth the best and most secure layer of authentication we could find. That is why we chose Passfaces. This is much more secure than asking questions like your mother’s maiden name or your favorite pet’s name, or choosing a static picture like a watermelon or a beach scene as your login sign.… Our initial rollout was far more successful than I had ever imagined. My staff and I were prepared and we set realistic expectations that were exceeded. Sometimes the right choice is hard to make but today I am confident that our member’s information is secure because of Passfaces.” Charles Stanfield, Information Systems Director, Buckeye State Credit Union.