However, WWPass has introduced a solution that can make authentication a little easier by getting closer to a single sign-on, where a user does not have to remember many user IDs and passwords. More importantly, it lessens the risk of security exposure with its attendant negative consequences.
The WWPass authentication process is straightforward: When accessing a Web site that normally requires a username/password combination for authentication, the visitor uses a WWPass PassKey, which in a hardware instantiation may take different form factors, such as a USB-enabled dongle or a smartcard, as the credential that identifies him or her to the Web server. Note that the Website has to have software that makes it WWPass-enabled.
Behind the scenes, however, a sophisticated authentication management process takes place. A multi-lateral authentication process takes place among the authentication-managing application on the Web server and WWPass data storage, which has the necessary application-specific information, but does not store user identities or associate users with their applications (a security precaution that is a must) and the user. Hence, WWPass acts as the intermediary between both the Web server and the user. The Web server may also require a password, but while the user supplies a password common to all applications and data to WWPass, WWPass intercedes with the Web server to provide an application-specific password or other more application-relevant credential (e.g. – an account number of software license expiration date).
WWPass’ business model derives its revenues from application or data providers that use the company’s authentication solution. The service provider is charged according to the number of authentications with WWPass technology. End users do not pay (unless the service provider passes along the charges), and a service provider may very well provide a PassKey for free. Note that one PassKey is all that is needed for multiple applications. Think of the WWPass PassKey as user authentication for the masses across an almost limitless number of applications, whereas RSA SecureID is focused on user authentication for enterprise applications.
Three factors for authentication currently exist: 1) something that a user knows, such as a password or PIN number, 2) something that a user possesses, such as a smartcard, ATM card or password token, and 3) something a user is, which is typically based upon biometrics, such as a retinal scan or a fingerprint. A multi-factor authentication approach is recommended, but, practically speaking, two factors — something that a user knows and something that a user has — are likely to be the two that most companies utilize. Although a biometric approach (such as a fingerprint scanner) can be useful if multiple people access the same biometric device (such as entry to a data center or laboratory), that approach has, so far at least, not received a lot of traction among individuals. Note that a combination of username/password is still considered one factor.
The security gurus and powers-that-be have decreed multi-factor to be essential to maximize data privacy and security. A simple illustration might suffice. Would you want to be able to access money at an ATM using only your card (which might be stolen) or by entering your PIN alone (perhaps with account number or other information)? The answer should be a resounding, “No!” Having both factors is critical. Even while nothing is perfect — cards and PIN numbers have obviously been stolen — a two-factor authentication is still far more secure than just one factor. If lost or stolen, that fact can be reported, the old credential deactivated, and a new credential put in place.