PassWindow
PassWindow is a technique of producing one-time passwords and facilitating transaction verification that is used as an online second-factor authentication method.
The system works by encoding digits into a segment matrix similar to the seven-segment matrices used in digital displays. The matrix is then divided into two component patterns that reveal the whole when superimposed.[1]
Half of the pattern is printed on a transparent region of a plastic card, while the other is displayed on an electronic screen such as a computer monitor. These are referred to as the key pattern and challenge pattern, respectively.[1]
Each key pattern is unique, and the challenge pattern can only be decoded by its corresponding printed key.[1]
By varying the challenge pattern displayed on the screen, a series of digits can be communicated to the card holder without being visually revealed on the screen.
PassWindow is typically implemented such that an animated, perpetually looping sequence of challenge patterns is displayed, each encoding a single digit placed in a random location within the matrix.
A valid solution to this challenge then consists of a specified number of consecutively appearing digits.
Use in two-factor authentication
By printing a PassWindow key pattern on a piece of transparent media, such as a transparent section of a plastic card, a standard plastic ID-1 card can be used as a physical token (something you have) in a two-factor authentication system.
Generation of one-time passwords
Using the PassWindow system, a challenge pattern containing a string of digits and/or letters can be generated for a specific key pattern by an authentication server with knowledge of the shared secret (the user's key pattern).
The user decodes the sequence of digits from the pattern using their PassWindow key and sends this as a response to the server's challenge. The correct response confirms that the client has physical access to the token.
These digits are then used as a one-time password.[1]
Mutual authentication
Mutual authentication or two-way authentication (sometimes written as 2WAY authentication) refers to two parties authenticating each other suitably. In technology terms, it refers to a client or user authenticating themselves to a server and that server authenticating itself to the user in such a way that both parties are assured of the other's identity. When describing online authentication processes, mutual authentication is often referred to as website-to-user authentication, or site-to-user authentication.
Passive mutual authentication with PassWindow
In the simplest case, the client verifies the server from which they are receiving their challenge by confirming that the solution is intelligible when they superimpose their key over the challenge. An unintelligible or corrupted challenge alerts the user that they may not be connected to the server they intend.[1]
Transaction verification
In addition, a known string of digits may be encoded into the challenge at the time of generation to provide additional server-to-client authentication to prevent the replay of stored challenges. Known as a verification code, examples include destination account numbers or transaction totals when used to secure online monetary transactions. This use is often referred to as transaction verification and forms the primary basis for PassWindow's exceptional resilience to man-in-the-middle (MITM) and man-in-the-browser (MITB) attacks.[1]
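The key/challenge split, one-time password and verification code described above can be modelled in a few lines. This is an added example, not PassWindow's own code or algorithm. The single-row layout, the rule that non-digit cells must not overlay to a digit, the constructed KEY and the verification code "4417" are illustrative assumptions.

```python
import secrets

# Seven-segment glyphs as bitmasks, bit 0 = segment a ... bit 6 = segment g.
SEG = [0x3F, 0x06, 0x5B, 0x4F, 0x66, 0x6D, 0x7D, 0x07, 0x7F, 0x6F]
GLYPH = {mask: digit for digit, mask in enumerate(SEG)}

def make_frame(key, digit):
    """Build one challenge frame that shows `digit` only under `key`."""
    # Printed key segments cannot be erased, so the digit fits only in a
    # cell whose key segments are a non-empty subset of the digit's segments.
    fits = [i for i, k in enumerate(key) if k and (k & ~SEG[digit]) == 0]
    if not fits:
        raise ValueError("no key cell can carry this digit")
    pos = secrets.choice(fits)
    frame = []
    for i, k in enumerate(key):
        if i == pos:
            frame.append(SEG[digit] & ~k)   # display only the missing segments
        else:
            noise = secrets.randbelow(128)
            while (k | noise) in GLYPH:     # overlay must not read as a digit
                noise = secrets.randbelow(128)
            frame.append(noise)
    return frame

def overlay(key, frame):
    """What the card holder sees: union of printed and displayed segments."""
    return [GLYPH[k | c] for k, c in zip(key, frame) if (k | c) in GLYPH]

def make_challenge(key, verification_code, otp_len=4):
    """Frame sequence: known verification digits, then fresh OTP digits."""
    otp = "".join(str(secrets.randbelow(10)) for _ in range(otp_len))
    frames = [make_frame(key, int(d)) for d in verification_code + otp]
    return frames, otp

def read_challenge(key, frames):
    """Digits read off the card, one per frame, in display order."""
    return "".join(str(d) for f in frames for d in overlay(key, f))

# Constructed sample key pattern (one sparse mask per cell), not a real card.
KEY = [0x02, 0x40, 0x09, 0x20, 0x04, 0x10]

def demo(verification_code="4417"):
    frames, otp = make_challenge(KEY, verification_code)   # server side
    seen = read_challenge(KEY, frames)                     # user side
    # The user checks the verification digits first, then submits the rest.
    response = seen[len(verification_code):]
    return (seen.startswith(verification_code),
            secrets.compare_digest(response, otp))
```
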
History
Matt Walker, an Australian, invented the original PassWindow concept after many years researching various online two-factor authentication systems. The high cost of many electronic token systems, as well as their inability to protect against an ever-increasing array of complex attacks, forced Matthew to completely rethink the way modern authentication is conducted.
During the intervening period, while the security world looked for ever more complex and high-tech solutions, which were apparently increasingly vulnerable to ever more complex and high-tech attacks, Matthew decided to take the opposite approach and look for an authentication solution with pure simplicity at its core.
In the process, he discovered an entirely new secure method in online security.[2]
Media appearances
- PassWindow first appeared in the media in May 2009 as a 'Cheap solution for security' on account of its ability to securely produce one-time passwords without the need for electronics to be deployed to its end users.[3]
- PassWindow's inventor, Matthew Walker, appeared on the Australian television program The New Inventors in June 2009.[4]
- PassWindow has since appeared several times in the media,[5][6] as well as being the subject of a white paper written by VEST corporation, France.[1]
- PassWindow has been selected as a finalist in The Wall Street Journal 2010 Asian Innovation Awards.[7]
- PassWindow has been featured in The Wall Street Journal as "A New Way to Outwit Internet Fraudsters".[8]
References
- [1] S. O'Neil and P. Lock (2009), "PassWindow: A New Solution to Providing Second Factor Authentication". Retrieved on 2010-05-01.
- [2] About PassWindow
- [3] K. Dearne, "Cheap solution for security", The Australian, 26 May 2009.
- [4] The New Inventors, Episode 24, 2009. Presenter: James O'Loghlin. The New Inventors, ABC1, Brisbane, Australia, 2009-06-15.
- [5] Walker, Matthew. "Low-Cost Visual Authentication System - PassWindow". Interview with Desley Blanch. Innovations. ABC Radio Australia. 2009-10-02. Retrieved on 2010-05-02.
- [6] Kassner, Michael (31 August 2009). "PassWindow: A brand new Web-site authentication process". Tech Republic. Retrieved on 2010-05-02.
- [7] The Wall Street Journal, "2010 Asian Innovation Awards". Retrieved on 2010-06-30.
- [8] The Wall Street Journal, "A New Way to Outwit Internet Fraudsters". Retrieved on 2010-07-14.
External links
- The official PassWindow website
- A white paper analysis of the PassWindow method produced by Vest Corporation, France
- An evaluation of hypothetical attacks against the PassWindow authentication method produced by M. Slyman, G. Nicolae, S. O'Neil, B. Van Der Merwe