2. Poor Authentication on the Web
Website and mobile security are the most vulnerable areas of IT security
• 96% of all breached records were accessed from outside, often using
stolen login credentials or keyloggers that capture passwords
• Passwords are poor security:
• People have too many to remember, choose
weak passwords, use the same password on
multiple sites
• Vulnerable to key loggers, brute force attacks,
dictionary attacks, etc.
• Login credentials leaked from one site are used to access other sites
• Challenge Questions are poor security
• Tokens, smart cards and biometrics are expensive and not practical for
public-facing websites
Company Confidential Information
3. How to Balance Security & Usability
The need for strong security that is easy-to-use
• Businesses sacrifice security in an effort to create a “frictionless”
experience for online customers.
• This leads to online fraud and identity theft
($221 Billion in fraud last year alone!), data
breaches and other security compromises.
• Businesses struggle to enforce strong authentication without
burdening customers.
These issues are compounding as people do more
online interactions using mobile devices.
4. Image-Based Authentication
Image-based authentication that creates a one-time password
1. The first time a user registers with a website or application, they
select a few image categories to remember (their secret categories).
2. Each time authentication is needed, they are presented with a grid of
random images; each cell of the grid carries a letter.
3. The user identifies the images that fit their secret categories and
enters the letters of those cells as their one-time password or PIN. The
grid, and therefore the letters, change on every authentication.
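The three steps above, as an added example that is not part of the original deck or of Confident Technologies' product: a minimal server-side model of an image-grid one-time password. The image library, the category names, the 4x4 grid and the rule that the letters are typed in the order the categories were enrolled are assumptions; the slide only says the user enters the letters of the matching images. Note that the category knowledge on its own is a single knowledge factor; the deck's "multifactor" claim rests on pairing it with possession of the phone (slide 10).

```python
import secrets
import string
from dataclasses import dataclass

# Constructed image library (assumption): category -> image identifiers.
# A real deployment holds a much larger pool so pictures rarely repeat.
IMAGE_LIBRARY = {
    "dogs":    ["dog_01", "dog_02", "dog_03", "dog_04"],
    "cars":    ["car_01", "car_02", "car_03", "car_04"],
    "flowers": ["flower_01", "flower_02", "flower_03", "flower_04"],
    "boats":   ["boat_01", "boat_02", "boat_03", "boat_04"],
    "birds":   ["bird_01", "bird_02", "bird_03", "bird_04"],
    "fruit":   ["fruit_01", "fruit_02", "fruit_03", "fruit_04"],
    "planes":  ["plane_01", "plane_02", "plane_03", "plane_04"],
    "cats":    ["cat_01", "cat_02", "cat_03", "cat_04"],
}
GRID_CELLS = 16                                # 4x4 grid, as on slide 13
LETTERS = string.ascii_uppercase[:GRID_CELLS]  # A..P, one letter per cell


@dataclass
class Challenge:
    cells: dict     # letter -> (category, image) shown in that cell
    expected: str   # letters of the secret-category cells, in category order


def enroll(categories, k=3):
    """Step 1: at registration the user picks k distinct secret categories."""
    chosen = list(dict.fromkeys(categories))  # de-duplicate, keep order
    if len(chosen) != k or any(c not in IMAGE_LIBRARY for c in chosen):
        raise ValueError(f"pick exactly {k} distinct known categories")
    return tuple(chosen)


def make_challenge(secret, rng=secrets.SystemRandom()):
    """Step 2: build a freshly shuffled grid with exactly one image from each
    secret category and decoys drawn only from non-secret categories, so the
    one-time password is well defined and differs on every login."""
    cells = [(cat, rng.choice(IMAGE_LIBRARY[cat])) for cat in secret]
    decoys = [(cat, img) for cat, imgs in IMAGE_LIBRARY.items()
              if cat not in secret for img in imgs]
    cells += rng.sample(decoys, GRID_CELLS - len(secret))
    rng.shuffle(cells)
    grid = dict(zip(LETTERS, cells))
    letter_of = {cat: letter for letter, (cat, _) in grid.items() if cat in secret}
    return Challenge(cells=grid, expected="".join(letter_of[c] for c in secret))


def verify(challenge, typed):
    """Step 3: the user types the letters of the matching cells. Compare in
    constant time; `expected` lives only as long as this challenge does."""
    answer = typed.strip().upper()
    if not answer.isascii():          # compare_digest on str needs ASCII
        return False
    return secrets.compare_digest(challenge.expected, answer)


if __name__ == "__main__":
    secret = enroll(["dogs", "cars", "boats"])
    ch = make_challenge(secret)
    for letter, (cat, img) in ch.cells.items():
        print(f"{letter}: {img:10s} ({cat})")
    print("one-time password for this grid:", ch.expected)
```

Because the grid is regenerated per login, a captured answer is useless against the next grid, which is the property the slide calls a one-time password. The server must still protect the challenge state (rate-limit and expire it), since the per-attempt odds on slide 13 describe a single blind guess.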
5. Why Images Are Better
Easy to remember
o The human brain is better at remembering categories and images than strings of random
alphanumeric (A/N) characters and symbols.
o Independent study showed users were able to remember their image passwords with
100% success after 16 weeks. Only 40% of users remembered their text passwords.
o Creates a one-time password at every authentication, unlike a static A/N password or a static site-key image
Guided Recall
• When the user sees the Image Grid, the pictures
help trigger their memory of which categories they
chose.
Device-independent UI
• Deploys on multiple devices: PCs, tablets and
smartphones
• Very easy to use: click or tap
7. Setup: User Selects 3 Categories
Images = Multifactor Authentication
8. After Account is Setup: During User Login
Categories and Associated Images are displayed for selection
9. User Selects Correct Images and Access to Application is Granted
Secure User Access to Data
Business Uses
• Logins
  - Replace passwords
  - Strengthen weak passwords
• Password reset
• Anti-phishing
• Replace challenge questions
10. Two Factor, Mobile Authentication
• Most solutions send a one-time password as
a text message.
- If the phone is lost or stolen, any person can
read the text and authenticate a fraudulent
transaction.
• Multifactor Authentication is more secure
because it requires the user to authenticate
on the phone by identifying their secret
categories.
• This adds a knowledge layer on the second-factor device itself, so
possession of the phone alone is not enough to authenticate to
applications and data.
11. KillSwitch Capability
• In addition to choosing their secret
categories for authentication, the
user may choose one or more “No
Pass” categories
• Sends automatic alerts or locks the
account if someone attempts to
break in and taps one of the “Kill
Switch” categories
• An active countermeasure: a brute-force attempt that touches a
“No Pass” category trips the switch, stopping the attack and
identifying the IP addresses behind it
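The kill-switch policy described above, as an added example that is not the vendor's code: one login attempt on the mobile tap flow is classified as a grant, a plain failure, or a kill-switch hit that alerts and (by policy) locks the account, recording the source IP either way. The challenge mapping, the category names, the failure threshold and the alert format are assumptions; the slide only states that tapping a "No Pass" category alerts or locks.

```python
from dataclasses import dataclass, field
from enum import Enum


class Outcome(Enum):
    GRANT = "grant"
    DENY = "deny"          # wrong images, no kill-switch category touched
    KILL_SWITCH = "kill"   # a "No Pass" category was tapped


@dataclass
class Account:
    secret: frozenset             # categories chosen at enrollment
    no_pass: frozenset            # "No Pass" (kill-switch) categories
    lock_on_kill: bool = True     # policy: lock the account, or alert only
    locked: bool = False
    failures: int = 0
    alerts: list = field(default_factory=list)


# Constructed challenge (assumption): letter -> category pictured in that cell.
# A real grid comes from the challenge generator; what matters for the kill
# switch is that a "No Pass" category is always present among the decoys.
CHALLENGE = {
    "A": "dogs",  "B": "skulls",  "C": "cars",   "D": "boats",
    "E": "birds", "F": "fruit",   "G": "planes", "H": "cats",
    "I": "birds", "J": "fruit",   "K": "skulls", "L": "planes",
    "M": "cats",  "N": "flowers", "O": "birds",  "P": "fruit",
}


def evaluate(account, challenge, taps, src_ip, max_failures=5):
    """Decide one login attempt and apply the kill-switch / lockout policy.
    `taps` is the string of cell letters the user tapped on the grid."""
    if account.locked:
        return Outcome.DENY
    letters = set(taps.upper())
    tapped = {challenge[t] for t in letters if t in challenge}
    hit = tapped & account.no_pass
    if hit:
        # Tripwire: a legitimate user never taps a "No Pass" category.
        account.alerts.append(f"kill-switch from {src_ip}: tapped {sorted(hit)}")
        if account.lock_on_kill:
            account.locked = True
        return Outcome.KILL_SWITCH
    if tapped == account.secret and len(letters) == len(account.secret):
        account.failures = 0
        return Outcome.GRANT
    account.failures += 1
    if account.failures >= max_failures:
        account.locked = True
        account.alerts.append(f"lockout after {max_failures} failures from {src_ip}")
    return Outcome.DENY


if __name__ == "__main__":
    acct = Account(secret=frozenset({"dogs", "cars", "boats"}),
                   no_pass=frozenset({"skulls"}))
    for taps, ip in [("ACD", "198.51.100.7"), ("ABC", "203.0.113.9"), ("ACD", "198.51.100.7")]:
        print(taps, ip, evaluate(acct, CHALLENGE, taps, ip).value)
    print(acct.alerts)
```

The `lock_on_kill` flag exists because the two behaviours the slide lists (alert, lock) have different failure modes: locking defeats brute force outright but lets anyone who can reach the login page lock a victim out by deliberately tapping a decoy, while alert-only preserves availability and still yields the attacker's IP for blocking upstream.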
12. EXAMPLES
The pictures above represent examples of potential cross messaging. Wells Fargo
has not yet implemented this solution. Logos, messages and images are flexible
and can be customer defined.
13. Image Based Security Statistics
Security Level 1: Safety Probability
Highlighted Example:
-For a 4x4 grid requiring 3 images the probability of breaking or guessing is 1:3,360
which provides a security level of 99.97023810%.
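The figure above, worked through as an added derivation that is not part of the original deck. Let $N = n^2$ be the number of grid cells and $k$ the number of secret categories, each pictured exactly once. Typing the $k$ letters in a fixed (category) order, a single blind guess succeeds with probability

```
P_{\text{guess}} = \frac{1}{N(N-1)\cdots(N-k+1)} = \frac{(N-k)!}{N!}

\text{For the highlighted } 4\times 4 \text{ grid, } N = 16,\ k = 3:

16 \cdot 15 \cdot 14 = 3360, \qquad
P_{\text{guess}} = \frac{1}{3360} \approx 2.976 \times 10^{-4}, \qquad
1 - P_{\text{guess}} = \frac{3359}{3360} = 99.9702381\%

\text{If order were ignored: } \binom{16}{3} = 560, \quad P_{\text{guess}} = \frac{1}{560}
```

So the slide's 1:3,360 presupposes that the letters must be entered in order; an order-insensitive check gives 1:560. Either number is a per-attempt probability: after $m$ independent blind attempts the cumulative chance of success is roughly $m/3360$, which is why the figure is only meaningful together with attempt limiting such as the kill switch of slide 11.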
14. Multifactor Image-Based Authentication adds to the security of your
website and mobile application
How To Make Mobile Apps Secure
Thank You
15. Contact Information
Lee Mercado
Director, Technology Sales / HELM360
Phone: (858) 208-4140 | Cell: (603) 418-4584
13475 Danielson St, Suite 220 | Poway CA 92064
lee.mercado@helm360.com | www.helm360.com
Editor's Notes
Image-based authentication from Confident Technologies is both highly secure and easy to use. It creates one-time passwords or PINs each time authentication is needed, yet it is easy and intuitive to use.
When a user sees the ImageShield, the pictures prompt them to recall their secret categories; a blank alphanumeric password field offers no such memory cue. Sources: “Awase-e: photo-based user authentication system” by H. Koike, T. Takada and T. Onuki; “Déjà Vu: a user study using images for authentication” by R. Dhamija and A. Perrig.
The mobile phone is often used as a second authentication factor during highly sensitive online transactions. However, most solutions send the user a one-time password or PIN as a text message. If someone else is in possession of the phone, or using SMS-forwarding technology (also known as a Zeus-in-the-mobile attack), they can easily read the text and authenticate their own fraudulent transactions. Confident Multifactor Authentication is more secure because it requires the user to apply a piece of secret knowledge on the second factor device itself. This makes it a multi-layer, multifactor solution. The user simply taps the images that fit their secret categories on the smartphone. The entire authentication process remains completely out-of-band and the one-time password or PIN is essentially “hidden in plain sight.” Even if someone else gained physical or virtual possession of your phone, they would not be able to authenticate because they would not know the correct images to identify.