Simple and secure online authentication
PassWindow is the most cost-effective, secure, and easy-to-implement authentication solution on the market today.
PassWindow is:
- An incredibly simple, yet also extremely secure dynamic password solution
- Free from client hardware or software, requires no batteries and cannot malfunction
- Able to securely authenticate the client to the server AND the server to the client
- Able to transmit transaction information securely to the user through the visual challenge
- Secure against trojans, viruses, phishing, keyloggers, social engineering, and MITM attacks
PassWindow has been evaluated in an independent whitepaper analysis.
How does it work?
- PassWindow is a unique key pattern printed on a transparent section of a standard identity card.
- Users simply hold their card over a generated pattern image on any display to reveal a new series of digits – a single-use password.
- Users enter this new unique password to authenticate securely.
- Unusual monitor sizes are easily handled with a simple adjustment of the challenge image, which is then saved to a cookie or user database. Try it yourself!
Potential applications
PassWindow can be used whenever strong, cost-effective, and secure authentication is required:
- Online banking; online services; online shopping
- User logins; online membership
- Document authentication
- Product packaging for customer authentication
- Payment cards, identity cards, medicare cards, company cards, club cards, gift cards, prize cards...
We are looking for initial online services to launch in 2010
Security benefits
(Image: Works easily on any display)
- Flexible dynamic passwords, secure against keylogger, dictionary and over-the-shoulder attacks
- No password memorization needed by the user
- Simple to integrate with any online membership system
- Usable on ubiquitous internet-connected displays (PCs, laptops, mobiles, etc.) – no remote hardware or specialized software required. Works on any operating system and all local browsers.
- Incredibly flexible security and usability – there are a myriad of possible implementation styles to suit your security needs
- Easy to scale password strength on the fly by modifying screen pattern complexity and basic user method without reissuing user key patterns
- Highly resistant to social engineering attacks – the visual aspect of the key pattern makes it difficult or impossible for users to reveal the key pattern to an attacker online or over a telephone, in comparison to token PINs or printed or memorized passwords.
- Phishing deterrent: Regain email communication with your customers by including a PassWindow pattern image that will authenticate the email message specifically for that customer. Phishing attackers are unable to generate these legitimate challenge patterns.
- More secure than electronic tokens: able to embed specific transaction types and values into challenge images, alerting users to a man-in-the-middle attack
- Eliminate dangerous USB ports from your business environment: USB ports are increasingly used as a network attack vector as well as enabling information theft.
- No need to redirect the user away from your website for third-party verification – PassWindow challenge patterns are delivered securely over SSL, directly from your own web server
- Easily works alongside existing ID card technologies, such as RFID, smartcards, and magnetic strips.
- Limited viewable angle of the code protects against third-party visual observation
- A tinted or transreflective optical coating over the pattern obscures discreet third-party photography of the key pattern
- Excellent fallback protection for security questions, which are currently the weakest security link in many authentication systems
- Extremely cheap dynamic password system – standard PVC ID cards with transparent sections can cost less than a few cents per user. Integration costs into existing card-based systems are practically zero
- Cheap and simple to deploy or replace remote user keys in person, through regular mail or electronically using a print and stick system. User cards can be delivered by regular envelope for a fraction of the cost of delivering a bulky device package. Unlike the case with OTP hardware tokens or biometrics, it is cheap and simple to replace the user's lost or compromised key.
- Extremely durable, no flexing problems with internal electronics, waterproof and pressure proof.
- Unlimited working life – lifespan is not limited to battery life.
- No expensive dedicated electronic hardware tokens are required, which also protects against the myriad of associated electronic vulnerabilities
- The user's thin card is easily kept safely within a regular wallet or purse along with their regular identification cards – a far more difficult target for casual interception than if it were loose or dangling on a keychain in public view
- Unlike SMS-based authentication, your codes are delivered securely over SSL directly to your client, not over unreliable third-party telecommunications networks
- With most software and hardware authentication systems being beyond the understanding of the average user, authentication acceptance and online trust levels are low – PassWindow provides a security mechanism that even children can easily understand

Come and visit the PassWindow public display from the 19th - 23rd April in Singapore at the international Cards Asia Conference