2. Who We Are
Image-based authentication technology for websites,
web and mobile applications, and mobile devices.
• Multifactor, image-based authentication that’s easy to use:
o One-time passwords
o Two-factor authentication
o Authentication for mobile apps, mobile websites & mobile payments
• Hundreds of websites and organizations rely on Confident Technologies:
o 10 customers in the financial services sector, including Charles Schwab
Retirement Services
• Thousands of individual consumers use our online password manager for single
sign-on and OpenID login
• 15 independent patent filings for image-based authentication, image-based
password management, use of authentication images for advertising and more
Company Confidential Information
3. The Problem with Mobile Authentication
Difficult, Not Secure, Slow
• Typing usernames & passwords is too difficult on
smartphones and tablets
• Often requires switching among multiple soft
keyboards
• 60% of smartphone owners say they wish there
were a better way to authenticate for mobile apps
• Passwords and PINs are poor security:
• Too many to remember, people choose weak ones, use the same one on
multiple accounts and applications
• Vulnerable to key loggers
4. How to Balance Security & Usability
• Businesses sacrifice security in an effort to create a “frictionless” experience
• This leads to fraud and identity theft ($221 Billion in fraud last year alone!)
• Businesses struggle to enforce strong authentication without burdening
customers.
• 84% of smartphone owners have struggled with
mobile transactions
• 43% said a negative experience would cause
them to abandon a mobile transaction
According to experts at the 2011 CTIA Wireless conference:
“Mobile Authentication Will Be More Revolutionary Than
Mobile Commerce Transactions”
5. Image-Based Authentication
Confident ImageShield™
Image-based authentication that creates a one-time password
1. The first time a user enrolls, they
select a few categories to remember
2. When authentication is needed,
they are presented with a grid of
random images
3. They identify the images that fit
their secret categories and enter the
corresponding letters as their
one-time password or PIN
The pictures, their locations and the letters are different every time
– creating a unique authentication code each time.
6. Image-Based Authentication
Confident Mobile Authentication
Image-based authentication can be used to create
one-time passwords and strong authentication for:
• Logging in to mobile apps and mobile
websites
• Approving mobile payments or
transactions
• Device lock/unlock
Easier on users
More secure (creates one-time passwords)
Faster on mobile devices than typing
passwords
7. Two Factor, Mobile Authentication
Confident Multifactor Authentication™
1. A one-time password (OTP) is encrypted
within an ImageShield.
2. ImageShield is displayed on the user’s mobile
device, they identify the pictures that fit their
secret categories – thus reassembling the OTP
3. Reassembled OTP is submitted to be verified
4. Only if the user identified the correct images
will they have the correct OTP
5. Web page proceeds automatically if
authentication is correct – the entire process
remains out-of-band from the web session
8. Two Factor, Mobile Authentication
Confident Multifactor Authentication™
Generates a one-time password, hidden from view
User applies a “shared secret” on the second factor
A multilayered, multifactor solution
Only the legitimate user is able to use the second
factor
Secure against Zeus-in-the-mobile,
SMS-forwarding and keylogging attacks
Secure if someone else has possession of your
mobile device (loss or theft)
Entirely out-of-band
9. Confident KillSwitch™
In addition to choosing their secret categories for authentication, the
user chooses one or more “No Pass” categories
Positively identifies hackers in the act
of trying to break into an account
Captures behavioral biometrics, IP
address, geographic information,
actionable data so business can take
immediate proactive measures
against the attacker, lock the account,
send alerts and more
Can alert the business to a wide-
scale, brute-force attack on the
business in real-time
10. Intuitive and Secure, Image-Based
Authentication
Thank You!
www.ConfidentTechnologies.com
Try the Live Demos at: www.ConfidentTechnologies.com/demos
Watch Our Videos at www.Youtube.com/ConfidentTech
Editor's Notes
Typing usernames and passwords on mobile devices is too cumbersome. Whether logging in to mobile apps and mobile websites, approving mobile transactions, or verifying mobile payments, it’s simply too difficult. “Strong” passwords (consisting of upper and lower case letters, numbers and symbols) are even more difficult to type because they involve switching back and forth between multiple soft keyboards on the touchscreen. Source: Mobile (In)Security Survey 2011, can be downloaded at www.confidenttechnologies.com/survey
The inconvenience and security issues of traditional authentication stunt the growth of mobile commerce, mobile payments and mobile banking. Sources: http://mashable.com/2011/01/29/identity-theft-infographic http://www.tealeaf.com/news/news-releases/2011/Ten-Million-UK-Consumers-Using-Mobile-Commerce.php http://www.mobilemarketer.com/cms/news/commerce/11217.html
Image-based authentication from Confident Technologies is both highly secure and easy to use. It creates one-time passwords or PINs each time authentication is needed, yet it is easy and intuitive to use. The pictures, their location on the display, and the alphanumeric characters overlaid on the images are different each time. In this way, it creates a unique, one-time password (OTP) every time. However, the user’s categories always remain the same. They simply look for the pictures that fit their secret categories. Each ImageShield has a unique ID and a limited life span so it can only be used once.
Confident Technologies generates a one-time authentication code (a.k.a. a one-time password), splits the code apart and assigns pieces of the code to pictures that match the user’s secret categories. “Dummy” pieces of code are randomly assigned to other random pictures. An ImageShield is displayed on the user’s smartphone or mobile device – this can be done using a web browser (zero-footprint deployment) or using an application/soft token on the smartphone. The user taps the pictures that fit their secret categories, thus reassembling the authentication code. The code assembled by the user is sent back to Confident Technologies to be verified. Only if the user identified the correct pictures in the correct order will the code be reassembled correctly and authentication confirmed. The entire process remains out-of-band from the web session.
Many common two-factor solutions send the user a one-time password or PIN as a text message. If someone else is in possession of the phone, or using SMS-forwarding technology (also known as a Zeus-in-the-mobile attack), they can easily read the text and authenticate their own fraudulent transactions. Confident Multifactor Authentication is more secure because it requires the user to apply a piece of secret knowledge on the second factor device itself. This makes it a multi-layer, multifactor solution. The user simply taps the images that fit their secret categories on the smartphone. The entire authentication process remains completely out-of-band and the one-time password or PIN is essentially “hidden in plain sight.” Even if someone else gained physical or virtual possession of your phone, they would not be able to authenticate because they would not know the correct images to identify. It can provide behavioral biometrics and other data for adaptive, risk-based authentication and decision making.
If a hacker or a bot attempts to access the account by guessing login credentials or using a brute-force attack, and selects an image that fits one of the user’s “no pass” categories, Confident KillSwitch can automatically alert the business or account owner, lock all access to the account, or present increasingly difficult ImageShield challenges while gathering important information including the IP address, geographic location and behavioral biometrics of the would-be attacker. Confident KillSwitch can positively distinguish between a legitimate user who may have mistakenly identified one wrong image and a fraudulent authentication attempt. With each additional authentication attempt, it actually makes it less likely for an attacker to be able to correctly guess the secret and more likely for the attacker to be caught.
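The challenge flow described in the notes above (code pieces on the user's category images, dummy pieces elsewhere, a single-use challenge ID with a limited life span, and "No Pass" categories) can be sketched as follows. This is an added example, not Confident Technologies' code: the class, the catalogue, the one-image-per-category grid and the ordering of OTP pieces by enrolment order are all assumptions made for illustration.

```python
import secrets
import time

# Constructed catalogue: category -> image file names (hypothetical data).
CATALOGUE = {
    "cats": ["cat1.jpg", "cat2.jpg"], "cars": ["car1.jpg", "car2.jpg"],
    "boats": ["boat1.jpg", "boat2.jpg"], "birds": ["bird1.jpg", "bird2.jpg"],
    "food": ["food1.jpg", "food2.jpg"], "flowers": ["rose1.jpg", "rose2.jpg"],
}
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"

class ImageShieldDemo:
    def __init__(self, secret_cats, no_pass_cats, ttl=60.0):
        self.secret, self.no_pass, self.ttl = secret_cats, no_pass_cats, ttl
        self.pending = {}  # challenge id -> (otp, no-pass characters, expiry)

    def new_challenge(self):
        rng = secrets.SystemRandom()
        cats = list(CATALOGUE)
        rng.shuffle(cats)                          # random grid positions
        chars = rng.sample(ALPHABET, len(cats))    # distinct character per image
        grid = [(rng.choice(CATALOGUE[c]), ch) for c, ch in zip(cats, chars)]
        by_cat = dict(zip(cats, chars))
        # Assumption: OTP pieces are ordered by the user's enrolment order.
        otp = "".join(by_cat[c] for c in self.secret)
        traps = {by_cat[c] for c in self.no_pass}
        cid = secrets.token_hex(8)
        self.pending[cid] = (otp, traps, time.monotonic() + self.ttl)
        return cid, grid        # grid does not mark which characters form the OTP

    def verify(self, cid, answer):
        entry = self.pending.pop(cid, None)        # single use, even on failure
        if entry is None:
            return "rejected"
        otp, traps, expires = entry
        if time.monotonic() > expires:
            return "expired"
        if set(answer) & traps:
            return "killswitch"                    # caller would alert or lock here
        ok = secrets.compare_digest(answer.encode(), otp.encode())
        return "ok" if ok else "rejected"

def solve(grid, categories):
    """Simulate a user tapping the image for each category, in order."""
    char_for = {cat: ch for img, ch in grid
                for cat, imgs in CATALOGUE.items() if img in imgs}
    return "".join(char_for[c] for c in categories)
```

Because `verify` removes the challenge before checking it, a replayed or repeated answer against the same challenge ID is always rejected, which is the single-use property the notes describe.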