An Australian inventor may have found a secure way to log into Web sites. On top of that it's cheap and simple to use.
IT consultant, Matthew Walker created PassWindow. A visual-authentication system that uses pattern-matching techniques to provide verification every time a person attempts to log on a Web site.Walker's motivation
About eight years ago, Walker himself fell victim to on-line credit fraud and decided to do something about it. After having the "eureka moment" we all wish for, Walker spent three years experimenting with pattern analysis and developing the technology for PassWindow. Ultimately, Walker has received several patents for his effort. With everything finally in order, Walker is now free to talk about his invention.
I was fortunate to have a conversation with Mr. Walker, during which he explained how PassWindow worked. While we were talking, I kept trying to figure out where I have seen this before. Finally, I realized where.My digital clock
PassWindow reminds me of a digital clock with some of the number segments missing. Here's how Walker describes it:
"By holding a printed unique segment key pattern on a transparent plastic card over a synchronized screen pattern image, any number of unique visual dynamic password combinations can be created each time authentication is required."
The following slide shows what correctly aligning the two patterns looks like, courtesy of Matthew Walker:
There are three components that make up PassWindow:
- Key-pattern generator: Software installed on the Web server that generates the unique key pattern given to each user.
- Challenge-pattern generator: Software also resident on the Web server that generates the dynamic challenge patterns users will see when they initially log on.
- Pattern card: Is the device (universal plastic card) with the user's unique key pattern printed on it.
The simplest way to explain how PassWindow works is by example. It's Fall in America, and Sue is starting university. Sue is issued a username and password for her confidential Web page on the university Web server. Sue is also issued a university identification card.
The card is a normal ID card with the requisite magnetic strip and embossed information. What's new is the transparent window that contains Sue's specific key pattern for PassWindow.
Sue gets home and wants to make sure her class schedule doesn't interfere with work. Let's follow Sue as she tries to log on:
- Sue brings up the university's Web site, entering her username and password.
- The Web server recognizes the username/password combination and asks the challenge-pattern generator to create a one-time pattern specific for this log in attempt.
- That pattern is sent to Sue's Web browser and displayed in a prominent location.
- Sue then aligns her ID card over the displayed pattern and visually recognizes a number.
- Sue types the number in the verification box and gains entry to her Web page.
The following slide is a graphic explanation of Sue's log in, courtesy of Matthew Walker:
PassWindow is a true multi-factor authentication system, using something you know and something you have. I compare it to SecureID tokens, but simpler to use, cheaper to make, and easier to carry. Walker lists over 20 reasons why PassWindow has an edge on other authentication systems. Here are some of them:
- Unlimited working life, lifespan is not limited to battery life.
- No expensive dedicated electronic hardware tokens and protection against the myriad of associated electronic vulnerabilities.
- Unlike SMS-based authentication, the codes are delivered securely over SSL directly to the client, not over unreliable third party telecommunications networks. (GSM is cracked)
- Phishing deterrent, regain e-mail communication with your customers by including a PassWindow pattern image which will authenticate the email message specifically to that customer. Phishing attackers are unable to generate these legitimate challenge patterns.
I did have some questions I asked Walker to make sure I understood the technology:
1. What kind of printer is required to make the cards? How stable is the ink?
"Generally I imagine the PassWindow will be incorporated into existing card systems printed with regular card printers, $500-$5000.
However for cheap simple implementations it can be printed onto transparent stickers with a regular printer and stuck onto a more stable transparent surface or even the corner of your screen."
2. How does the user initiate the authentication? Is it by entering a user name at the Web site? Your Web site does not clearly explain this.
"Yes it would be used in combination with existing username and password systems or at the very least a username. I envision it will be incorporated alongside other authentication mechanisms however it could work on its own for users who don't want to memorize anything."
3. If I understand, shoulder surfing is not an issue, because the number created is a one-time event. Is that correct?
"Yes you are correct, however it's actually difficult to shoulder surf PassWindow. The slight distance between the card pattern and the on-screen pixels creates a limited viewing angle. The shoulder surfer would need to be directly behind your head.
In addition, the pattern card could have a tint printed around the pattern as shown on my security page. This is simply a grey background on the key-pattern image, which works well against someone trying to capture the key pattern."
4. It seems to me that PassWindow would be susceptible to key loggers and screen-capture applications?
"Apart from the dynamic aspect of the password, the character locations randomly jump around inside a larger segmented matrix pattern. Which means even with screen capture and key logger applications secretly installed on a victim's computer, the attacker won't be able to intercept enough data to calculate the key pattern before the key pattern is renewed with a new annual card."What's next
Walker already has been awarded the People's Choice award by the Australian television show The New Inventors. Walker is also currently negotiating with several credit-card firms including CARDPro.
It appears that PassWindow's uses are only limited by one's imagination. Walker mentioned that a respected micro-credit foundation is looking to use PassWindow, but on paper:
"A micro-credit foundation working in 3rd world countries wants to use PassWindow on paper ledgers to authenticate transactions with the villagers who have loans. The people will simply hold their card over the printed pattern on the paper and write down the authentication code, which is then confirmed back at the branch office.
Later, they will migrate the information to digital databases when the Internet becomes available. In their current conditions all electronic-based solutions are impossible, from a cost and implementation point of view."Final thoughts
"Outside the box" thinking always impresses me and PassWindow exemplifies that. It's not hard to see where our on-line security would benefit from this technology.