PALO ALTO, Calif. -- PassMark Security announced the Internet's first two-factor authentication system that requires no hardware tokens. The capabilities are delivered in a new version of the PassMark Two-Factor Two-Way System that commenced live commercial production today. Financial institutions and ecommerce sites can now provide strong two-factor authentication, without requiring their customers to carry any new hardware or install any new software.
The recent surge of phishing, spoofing, spyware, keylogging and other Internet attacks has rendered passwords insufficient for the protection of online financial transactions. The FDIC's recent study, "Putting an End to Account-Hijacking Identity Theft," recommends that banks and financial institutions upgrade "existing password-based single-factor customer authentication systems to two-factor authentication."
As the name implies, two-factor authentication adds a second security method, typically "something you have," to the standard practice of requiring a password to log in to a Web site. Conventional two-factor systems require the user to carry a smart card, key fob, USB dongle or other special hardware, making them impractical for mass-market consumer Web sites. PassMark achieves two-factor authentication without new hardware by securely identifying the user's existing computer hardware as the second factor. It does this by marking each computer with a globally unique Device ID, supplemented with network and device forensics that "fingerprints" the PCs and network connections used by customers to access the bank's systems.
Uniquely, the PassMark system also provides two-way authentication. Users have always had to authenticate themselves to the site, but now -- in an age of phishing and spoofing -- the site must also authenticate itself to its users. PassMark achieves this by assigning a secret image -- a PassMark -- to each user and displaying that secret PassMark to the user upon login to the Web site and in outbound emails from the Web site.
According to the FDIC report, "Fraudsters are taking advantage of the reliance on single factor authentication for remote access to online banking, and the lack of email and Web site authentication, to perpetrate account hijacking." The PassMark system solves both of these problems, and provides secure authentication in a low-cost and scalable manner.
According to a Gartner Research report issued in January 2005, "U.S. consumers who transact online would transact even more if their service providers offered them the choice of more security," wrote Avivah Litan, vice president and research director, Gartner Inc. "Two factor authentication with no hardware can deliver both the security people need and the simplicity people want," she said.
"The PassMark system is simple to deploy to very large customer bases, because it's easy for consumers to use," said Bill Harris, PassMark's chairman. "The two-factor component is completely invisible to the customer, and the two-way component is quick and visual. Users actually say PassMarks are fun." The PassMark system is live today at the Stanford Federal Credit Union (an innovative pioneer, which was also the first financial institution to do a financial transaction over the Internet), and is currently being implemented or tested at a number of leading financial institutions.