WWPass: Only The Just May Pass the Authentication Test

Security has many facets, but the one that is most familiar is the username/password authentication process that allows users to login to a protected application or Website. For some, that may simply seem to be an inconvenience, but the authentication process helps reduce possible security exposures.

However, WWPass has introduced a solution that can make authentication a little easier by getting closer to a single sign-on, where a user does not have to remember many user IDs and passwords. More importantly, it lessens the risk of security exposure with its attendant negative consequences.

The WWPass authentication process is straightforward: When accessing a Web site that normally requires a username/password combination for authentication, the visitor uses a WWPass PassKey, which in a hardware instantiation may take different form factors, such as a USB-enabled dongle or a smartcard, as the credential that identifies him or her to the Web server. Note that the Website has to have software that makes it WWPass-enabled.

Behind the scenes, however, a sophisticated authentication management process takes place. A multi-lateral authentication process takes place among the authentication-managing application on the Web server and WWPass data storage, which has the necessary application-specific information, but does not store user identities or associate users with their applications (a security precaution that is a must) and the user. Hence, WWPass acts as the intermediary between both the Web server and the user. The Web server may also require a password, but while the user supplies a password common to all applications and data to WWPass, WWPass intercedes with the Web server to provide an application-specific password or other more application-relevant credential (e.g. – an account number of software license expiration date).

WWPass’ business model derives its revenues from application or data providers that use the company’s authentication solution. The service provider is charged according to the number of authentications with WWPass technology. End users do not pay (unless the service provider passes along the charges), and a service provider may very well provide a PassKey for free. Note that one PassKey is all that is needed for multiple applications. Think of the WWPass PassKey as user authentication for the masses across an almost limitless number of applications, whereas RSA SecureID is focused on user authentication for enterprise applications.

Three factors for authentication currently exist: 1) something that a user knows, such as a password or PIN number, 2) something that a user possesses, such as a smartcard, ATM card or password token, and 3) something a user is, which is typically based upon biometrics, such as a retinal scan or a fingerprint. A multi-factor authentication approach is recommended, but, practically speaking, two factors — something that a user knows and something that a user has — are likely to be the two that most companies utilize. Although a biometric approach (such as a fingerprint scanner) can be useful if multiple people access the same biometric device (such as entry to a data center or laboratory), that approach has, so far at least, not received a lot of traction among individuals. Note that a combination of username/password is still considered one factor.

The security gurus and powers-that-be have decreed multi-factor to be essential to maximize data privacy and security. A simple illustration might suffice. Would you want to be able to access money at an ATM using only your card (which might be stolen) or by entering your PIN alone (perhaps with account number or other information)? The answer should be a resounding, “No!” Having both factors is critical. Even while nothing is perfect — cards and PIN numbers have obviously been stolen — a two-factor authentication is still far more secure than just one factor. If lost or stolen, that fact can be reported, the old credential deactivated, and a new credential put in place.

So the multi-factor authentication process is more secure, but why is that important? Now, for some sites a compromised username/password may have little if any consequences, say for content that is free, but the site wants to collect subscriber information for marketing purposes. However, that is not the case for many sites, where the consequences of a security breach for both individuals and organizations could be quite severe. For example, individuals may have on file credit card information that could be used for nefarious purposes, such as unauthorized purchases; businesses could suffer loss or exposure of confidential information, such as personally identifiable information for which the consequences could be severe economic and/or legal penalties.

Answering some questions about WWPass and where it plays may help explain the company and its solutions:

1-What are the chances of WWPass being successful? Every crystal ball is cloudy and so all predictions involve uncertainty. However, WWPass could very well succeed; their key is getting the large domino (i.e., well-known Websites) service providers to buy in.

2-Will this achieve the dream of a single sign-on? The answer is probably no. If you have innumerable requirements to use username/password authentication, many smaller players who do not see any significant consequences from a compromised username/password may not have any compelling reason to take the extra step. However, if the sites that you visit most frequently and/or have the greatest sensitivity to potential breaches, your convenience may have improved only somewhat, but your peace of mind a great deal.

3-Will my authentication information be safe with WWPass? WWPass acts as an intermediary and uses a sophisticated process called dispersed secure storage to ensure anonymity (your interactions are completely private), integrity (secure authentication process), robustness (encrypted user data is distributed in such a way to multiple sites that the failure of any one site cannot bring the system down), and safety (data is fragmented before distribution, so a breach of any WWPass would yield only an unusable data fragment).

4-What security problems does WWPass solve and what doesn’t it solve? WWPass is not all things to all men. It focuses on a key information and access management (IAM) issue, namely individual authentication, to be able to access and use applications and data, but it does not, and should not be expected to deal with all the rubric of security issues from misuse by authorized employees to compromised hardware. Other products deal with those facets of security.

Mesabi Musings: User authentication is only one of a large number of security issues that continue to challenge and plague enterprises today. However, it is one facet of security with which we are all intimately familiar. Unfortunately, the use of the what-we-know factor of authentication as the single factor is known to create a lot of exposure risk. Using a second factor of authentication — the something we have — in the form of a token, such as the WWPass PassKey, greatly reduces the exposure risk.

WWPass brings the convenience and security to user authentication that have been long been associated with the ATM two-factor authentication process, which requires both an ATM card and a PIN. WWPass hopes to bring ubiquitous (the preponderance of application and data service providers offer WWPass capabilities) and frictionless (almost unnoticeable to use) user authentication to replace the username/password paradigm. If they are successful, our lives will be a little easier and safer in our electronic transactions.

At the time of publication, WWPass is not a client of David Hill and the Mesabi Group.