ATM-like cryptology aims to banish IDs and passwords

CertiVox's M-Pin multi-factor authentication system, aimed at developers and service providers to build on, is based on elliptic curve cryptography and can be applied to web, cloud and mobile applications. CertiVox said it will reduce authentication costs by up to 93% and banish usernames and passwords forever.

The M-Pin System essentially turns any HTML5 browser into a strong authentication client that authenticates to the open-source M-Pin Server. The server stores only one leak-proof cryptographic key, which replaces the username/password database. If the key is compromised somehow, it reveals no details about end-users on the system.

The M-Pin solution takes as its blueprint the security methods employed in an ATM: enterprises recognize users through a cryptographic key agreement, which users participate in by using a physical token saved in their browser (like the magnetic stripe on a debit/credit card) and a PIN (which end-users choose and memorize). Just as in an ATM, the PIN and the data on the magnetic stripe (i.e., data in the browser) are combined locally to create a parameter, which is used to drive a cryptographic key agreement protocol, vetting the user’s identity with strong cryptography.

“M-Pin is a game changer in the authentication industry, a true alternative to username/password authentication that scales for the web,” said Brian Spector, CEO at CertiVox. “M-Pin is an open-source multi-factor authentication system that can be deployed in minutes at a fraction of the cost of existing solutions while offering a degree of security greater than many existing solutions that cost an order of magnitude more. M-Pin is the only open source authentication solution that removes the threat vulnerability of username/passwords at the client and server level and replaces it with two-factor authentication based on a strong cryptographic protocol built for tomorrow’s internet.”

CertiVox has released the free Linux-based M-Pin Authentication Server, HTML5 web and M-Pin Relying Party Libraries for developers so M-Pin Strong Authentication can be integrated with any web application, single sign-on (SSO) or identity management (IdM) solution. Developers and service providers can have those applications in use in less than an hour by connecting to an M-Pin Server instance. Additionally, the M-Pin C Client Library can be used to embed the M-Pin Protocol in any software application, and enables multiple factors of authentication, such as biometrics, to be used.

Parallels announced that it would use M-Pin as the default strong authentication provider for Parallels Automation. “CertiVox M-Pin technology enables Parallels service providers to offer secure multi-factor authentication and credential protection for cloud service offerings,” said Alex Danyluk, senior director of automation marketing at Parallels. “This helps enable SMBs to have secure access to a wide variety of APS-enabled independent software vendors.”
