Image-Based Authentication from Confident Technologies


Confident Technologies provides out-of-band, multifactor authentication using a highly secure and easy-to-use, image-based approach. Learn more at

Published in: Technology

  • Source: 2010 Data Breach Report by Verizon and US Secret Service
  • Source:
  • Image-based authentication from Confident Technologies is both highly secure and easy to use. It creates one-time passwords or PINs each time authentication is needed, yet it is easy and intuitive to use. The pictures, their location on the display, and the alphanumeric characters overlaid on the images are different each time. In this way, it creates a unique, one-time password (OTP) every time. However, the user’s categories always remain the same. They simply look for the pictures that fit their secret categories. Each ImageShield has a unique ID and a limited life span so it can only be used once.
  • Confident Technologies generates a one-time authentication code (a.k.a. a one-time password), splits the code apart and assigns pieces of the code to pictures that match the user’s secret categories. “Dummy” pieces of code are randomly assigned to other random pictures. An ImageShield is displayed on the user’s smartphone or mobile device – this can be done using a web browser (zero-footprint deployment) or using an application/soft token on the smartphone. The user taps the pictures that fit their secret categories, thus reassembling the authentication code. The code assembled by the user is sent back to Confident Technologies to be verified. Only if they identified the correct pictures in the correct order will the code be reassembled correctly and authentication confirmed. The entire process remains out-of-band from the web session.
  • Many common two-factor solutions send the user a one-time password or PIN as a text message. If someone else is in possession of the phone, or using SMS-forwarding technology (also known as a Zeus-in-the-mobile attack), they can easily read the text and authenticate their own fraudulent transactions. Confident Multifactor Authentication is more secure because it requires the user to apply a piece of secret knowledge on the second factor device itself. This makes it a multi-layer, multifactor solution. The user simply taps the images that fit their secret categories on the smartphone. The entire authentication process remains completely out-of-band and the one-time password or PIN is essentially “hidden in plain sight.” Even if someone else gained physical or virtual possession of your phone, they would not be able to authenticate because they would not know the correct images to identify. It can provide behavioral biometrics and other data for adaptive, risk-based authentication and decision making.
  • During out-of-band authentication, a one-time authentication code or single use transaction authentication number (mTAN) is generated. Pieces of the code are “hidden behind” the pictures that are associated with the user’s secret categories. “Dummy” pieces of code are randomly associated with the other random pictures on the ImageShield. When the user identifies the pictures that fit their secret categories, they are essentially reassembling the one-time authentication code. The application on the phone communicates with the Confident Technologies server and we check to see if the user reassembled the one-time code correctly. Only if the user knows their secret categories will they be able to reassemble the correct code and authenticate.
  • Using the zero-footprint deployment model, the user is sent a text message with a secure link. They open the link in the mobile phone’s web browser to see the ImageShield and simply tap the pictures that fit their secret categories to authenticate. Because it uses a mobile browser, Confident Technologies can compare the IP address of the computer used for the web session with the IP address of the mobile browser to make sure that they are geographically close – this helps ensure that the text message was not re-routed to a different phone.
  • If a hacker or a bot attempts to access the account by guessing login credentials or using a brute-force attack, and selects an image that fits one of the user’s “no pass” categories, Confident KillSwitch can automatically alert the business or account owner, lock all access to the account, or present increasingly difficult ImageShield challenges while gathering important information including the IP address, geographic location and behavioral biometrics of the would-be attacker. Confident KillSwitch can positively distinguish between a legitimate user who may have mistakenly identified one wrong image and a fraudulent authentication attempt. With each additional authentication attempt, it actually makes it less likely for an attacker to be able to correctly guess the secret and more likely for the attacker to be caught.
  • Image-Based Authentication from Confident Technologies
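
A minimal sketch of the split-and-reassemble scheme the notes above describe, added here as an illustration and not Confident Technologies' code. The names `ShieldServer`, `CATEGORIES` and `user_taps`, the sample image library, the one-letter-per-tile pieces and the 120-second lifetime are all assumptions.

```python
import hmac
import secrets
import string
import time

# Constructed sample image library (assumption): category -> image ids.
CATEGORIES = {
    "cats": ["cat_01", "cat_02"], "cars": ["car_01", "car_02"],
    "flowers": ["flower_01", "flower_02"], "boats": ["boat_01", "boat_02"],
    "food": ["food_01", "food_02"], "dogs": ["dog_01", "dog_02"],
}
_rng = secrets.SystemRandom()

class ShieldServer:
    """Hypothetical verifier: issues single-use grids, checks the reassembled code."""

    def __init__(self, ttl_seconds=120):
        self.ttl = ttl_seconds
        self.pending = {}  # shield_id -> (expected_code, no_pass_letters, expiry)

    def issue(self, secret_cats, no_pass_cats=()):
        cats = list(CATEGORIES)
        _rng.shuffle(cats)  # tile positions differ on every challenge
        letters = _rng.sample(string.ascii_uppercase, len(cats))  # distinct per tile
        by_cat = dict(zip(cats, letters))
        # The one-time code is the letters behind the secret categories, in
        # enrolled order; every other tile carries a dummy letter.
        expected = "".join(by_cat[c] for c in secret_cats)
        no_pass = {by_cat[c] for c in no_pass_cats}
        shield_id = secrets.token_urlsafe(16)
        self.pending[shield_id] = (expected, no_pass, time.monotonic() + self.ttl)
        # The device receives only images and letters, never category names.
        tiles = [(_rng.choice(CATEGORIES[c]), by_cat[c]) for c in cats]
        return shield_id, tiles

    def verify(self, shield_id, submitted):
        entry = self.pending.pop(shield_id, None)  # pop: each shield is usable once
        if entry is None or time.monotonic() > entry[2]:
            return "rejected"  # unknown, replayed or expired shield
        expected, no_pass, _ = entry
        if no_pass & set(submitted):
            return "killswitch"  # a "no pass" image was selected
        ok = hmac.compare_digest(submitted.encode(), expected.encode())
        return "ok" if ok else "rejected"

def user_taps(tiles, cats):
    """Simulate a user tapping the tile that fits each category, in order."""
    return "".join(letter for c in cats
                   for image, letter in tiles if image in CATEGORIES[c])
```

The device never learns which tiles are real, so a party holding only the phone sees six letters with no indication of which three form the code; a replayed or expired shield ID is rejected before the code is even compared.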

    1. Intuitive and Secure, Image-Based Authentication
    2. Poor Authentication on the Web
       Website security is the most vulnerable area of IT security
         • 96% of all breached records were accessed from outside, often by using stolen login credentials or keyloggers that capture passwords
         • Passwords are poor security:
         • People have too many to remember, choose weak passwords, use the same password on multiple sites
         • Vulnerable to key loggers, brute force attacks, dictionary attacks, etc.
         • Login credentials leaked from one site are used to access other sites
         • Challenge Questions are poor security
         • Tokens, Smart Cards, Biometrics are expensive, not practical for public-facing websites
       Company Confidential Information
    3. How to Balance Security & Usability
       The need for strong security that is easy-to-use
         • Businesses sacrifice security in an effort to create a “frictionless” experience for online customers.
         • This leads to online fraud and identity theft ($221 Billion in fraud last year alone!), data breaches and other security compromises.
         • Businesses struggle to enforce strong authentication without burdening customers.
       These issues are compounding as people do more online interactions using mobile devices.
    4. Image-Based Authentication
       Confident ImageShield™
       Image-based authentication that creates a one-time password
         • The first time a user enrolls, they select a few categories to remember
         • When authentication is needed, they are presented with a grid of random images
         • They identify the images that fit their secret categories and enter the corresponding letters as their one-time password or PIN
         • The pictures, their locations and the letters are different every time – creating a unique authentication code each time.
    5. Two Factor, Mobile Authentication
       Confident Multifactor Authentication™
         • A one-time password (OTP) is encrypted within an ImageShield.
         • ImageShield is displayed on the user’s mobile device, they identify the pictures that fit their secret categories – thus reassembling the OTP
         • Reassembled OTP is submitted to be verified
         • Only if the user identified the correct images will they have the correct OTP
         • Web page proceeds automatically if authentication is correct – the entire process remains out-of-band from the web session
    6. Two Factor, Mobile Authentication
       Confident Multifactor Authentication™
         • Generates a one-time password, hidden from view
         • User applies a “shared secret” on the second factor
         • A multilayered, multifactor solution
         • Only the legitimate user is able to use the second factor
         • Secure against Zeus-in-the-mobile, SMS-forwarding and keylogging attacks
         • Secure if someone else has possession of your mobile device (loss or theft)
         • Entirely out-of-band
    7. Two-Factor Authentication
       Application on the Smartphone
         • Push technology triggers an app on the phone to display the ImageShield
         • User taps the images that fit their secret categories
         • Authentication remains entirely out-of-band
    8. Two-Factor Authentication
       Zero-Footprint Deployment
         • An SMS message is sent to the user’s phone
         • The ImageShield is opened in the mobile browser
         • The user taps the pictures that fit their secret categories
         • The authentication is confirmed. The entire process remains out-of-band.
    9. Confident KillSwitch™
         • In addition to choosing their secret categories for authentication, the user chooses one or more “No Pass” categories
         • Positively identifies hackers in the act of trying to break into an account
         • Captures behavioral biometrics, IP address, geographic information, actionable data so business can take immediate proactive measures against the attacker, lock the account, send alerts and more
         • Can alert the business to a wide-scale, brute-force attack on the business in real-time
    10. Intuitive and Secure, Image-Based Authentication
        Thank You!
        Try the Live Demos at:
        Watch Our Videos at