UK-based CertiVox has recently released a service that it believes will revolutionise authentication over the internet. It is an open-source two-factor authentication service that works with any HTML 5 browser or app.
CertiVox is touting the authentication service as the ultimate replacement for user names and passwords. Many online services require little more than a name and password to authenticate users, with the credentials generally stored in backend databases - which have become key targets for hackers. For example, business networking site LinkedIn was targeted in mid-2012, leading to the exposure of 6.5 million passwords. Users are generally required to remember a different name and password combination for each service, but often get around the problem of remembering them all by reusing the same password over and over again. Given our reliance on websites and apps, cloud-based services, social networking sites and mobile apps and services, this is a problem that is getting out of hand.
Strong authentication is often used either as an alternative to passwords or as an add-on to them, typically in the form of hardware tokens, software tokens (usually provisioned to mobile phones) or biometrics. But each carries its own burden in terms of cost, setup, widespread applicability and user convenience.
CertiVox's new service works in a similar fashion to authentication at ATMs. With ATM withdrawals, the magnetic strip on the back of a bank card acts as the authentication token, and the user supplies the passcode in the form of a four-digit PIN. With the CertiVox service, a browser-based two-factor token is stored in the browser's local storage and the user authenticates directly on a website or app using their four-digit PIN. The HTML 5 browser communicates with CertiVox's M-Pin server, which stores only the cryptographic key, not the users' credentials. Therefore, even if the service is compromised, no details about users will be revealed, as there is no backend database of credentials.
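As an added illustration of the architectural point above (this is not CertiVox's code or protocol, and it deliberately omits the PIN/token split and the elliptic-curve mathematics), the following Python models a server that holds a single master key and derives each client's secret from it on demand, so it keeps no per-user credential table that could leak. The identities and the master key value are constructed for the example; the login itself is a simple HMAC challenge-response.

```python
import hashlib
import hmac
import os

# Constructed placeholder; a real deployment would keep the master key in an HSM or KMS.
MASTER_KEY = bytes.fromhex("11" * 32)


def derive_client_secret(master_key: bytes, identity: str) -> bytes:
    """Derive a per-identity secret from the server's single master key.

    The same identity always yields the same secret, so the server recomputes it
    at login time instead of looking it up; nothing per-user is ever stored.
    """
    return hmac.new(master_key, b"client-secret|" + identity.encode(), hashlib.sha256).digest()


class Server:
    def __init__(self, master_key: bytes) -> None:
        self._master_key = master_key
        self._pending = {}  # nonce per in-flight login only; no user records

    def challenge(self, identity: str) -> bytes:
        nonce = os.urandom(16)
        self._pending[identity] = nonce
        return nonce

    def verify(self, identity: str, response: bytes) -> bool:
        # A nonce is consumed on first use, so a captured response cannot be replayed.
        nonce = self._pending.pop(identity, None)
        if nonce is None:
            return False
        secret = derive_client_secret(self._master_key, identity)
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(client_secret: bytes, nonce: bytes) -> bytes:
    """What the client sends back: an HMAC over the server's nonce with its secret."""
    return hmac.new(client_secret, nonce, hashlib.sha256).digest()


def run_login(server: Server, identity: str, client_secret: bytes) -> bool:
    """One full login round: challenge, client response, server verification."""
    nonce = server.challenge(identity)
    return server.verify(identity, client_response(client_secret, nonce))


if __name__ == "__main__":
    srv = Server(MASTER_KEY)
    alice = derive_client_secret(MASTER_KEY, "alice@example.com")  # issued at enrolment
    print("alice login:", run_login(srv, "alice@example.com", alice))
```

In this simplified model a leaked master key still lets an attacker derive any client's secret, so it demonstrates only the "no backend credential database" property, not the full security of the real service.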
It all sounds very simple and, for the user, it is. But the service is actually very complicated behind the scenes, and CertiVox has spent years perfecting it. The service is based on elliptic curve cryptography, one benefit of which is that it achieves its security with a smaller key than other methods, reducing storage and transmission requirements. Even so, its security is considered equal to that of methods that require a much larger, more unwieldy key. Because of these factors, it is ideally suited for use with web browsers and mobile devices.
Announced in June 2013, the flagship customer associated with the launch is Parallels for its Parallels Automation service, which provides a hosting and cloud services delivery system used by service providers throughout the world. M-Pin will be used as the default strong authentication provider for this service.
CertiVox has ambitions for widespread take-up of its service. It supports the main authentication protocols used in federated identity and access management environments, including SAML and OpenID, and can easily be integrated into identity and access management technologies and services. It is ideally suited to the new breed of identity management services that broker access to cloud-based services, websites and apps, and are key enablers for the use of mobile devices - all of which can work seamlessly with M-Pin. For developers building web or mobile apps, CertiVox has developed an SDK library so that they can more easily incorporate M-Pin into their offerings.