The WiKID Strong Authentication Systems Overview


Published on

A high-level overview of the WiKID Strong Authentication System, a dual-source, software-based, two-factor authentication solution. WiKID uses public-key cryptography unlike most token systems and is therefore a secure, extensible replacement for hardware tokens.

Published in: Technology
1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

The WiKID Strong Authentication Systems Overview

  1. 1. WiKID Systems, Inc. Nick Owen [email_address] 1375 Peachtree St Suite 600 Atlanta, GA. 30309 404-962-8983
  2. 2. WiKID Authentication System <ul><li>Unique two-factor authentication system with no hardware and no reader </li></ul><ul><li>Significantly reduces authentication costs while increasing security </li></ul><ul><li>Centralized control of enterprise authentication – even across the supply chain to vendors/consultants! </li></ul><ul><li>Automated initial validation – end-user self-service – easy to implement and maintain </li></ul><ul><li>Capable of session, host and transaction authentication </li></ul>Lower cost Ease of Use Secure Extensible
  3. 3. WiKID Key Differentiators <ul><li>Powerful Network Client API extends functionality </li></ul><ul><ul><li>Set up users via trusted AD credentials </li></ul></ul><ul><ul><li>Extensible to across enterprises </li></ul></ul><ul><ul><li>Unique Service-oriented API capabilities </li></ul></ul><ul><li>Multi-platform Token client support </li></ul><ul><ul><li>Blackberry, J2ME, Mac, Linux. Windows, PocketPC </li></ul></ul><ul><ul><li>Embeddable into 3 rd party software </li></ul></ul><ul><ul><li>No client hardware required </li></ul></ul><ul><ul><li>Multi-domain capable – Secure cross-enterprise authentication </li></ul></ul>
  4. 4. WiKID Architecture
  5. 5. Public key Public Key <ul><li>User Enters 12 digit code, sends Public Key </li></ul>1. 2. WiKID server sends configuration file and its Public Key 2. 3. Simple Initial Validation of Users 3. User creates PIN 4. Server sends registration code awaits validation Completed in less than 15 seconds 4. 5. User logs in using trusted credentials User enters registration code 6. Registration code sent to server and associated with key pair exchange 5. 6. If the Registration code is received from a trusted Network Client and matches the expected value, the device is automatically validated.
  6. 6. Secret key Public Key Certificates <ul><li>User selects domain & enters PIN. </li></ul>2. WiKID server decrypts PIN with Public Key and verifies. Returns Passcode. Internet Internet 3. User enters Username and Passcode. Typical Usage 4. Application requests verification. 5. WiKID Server Verifies Code. 6. User granted access. Average connection time of 4 seconds
  7. 7. Secret key Public Key Certificates <ul><li>User selects domain & enters PIN. </li></ul>2. WiKID server decrypts PIN with Public Key and verifies. Returns Passcode. 5. User enters Username and Passcode. Mutual Authentication 6. Banking Application requests verification. 7. WiKID Server Verifies Code. 8. User granted access. Average connection time of 4 seconds 3. Token client fetches and hashes SSL cert and compares 4. OTP and validated URL presented to user. Default browser launched to site.
  8. 8. Your Enterprise Vendor Your Employees Application You control user enrollment & provisioning Vendors use WiKID SSL objects for web-enabled apps If an employee leaves, disable their account If you switch vendors, invalidate their certificate Each vendor has their own Domain and Certificate from your server No hardware to distribute to non-employees Vendors/Contractor employees Application Simple Cross Enterprise Strong Authentication
  9. 9. Network Clients <ul><li>Languages </li></ul><ul><ul><li>C# dll, Java Component, PHP, Ruby, Python </li></ul></ul><ul><li>Implementations </li></ul><ul><ul><li>Radius, LDAP, Plone, TACACS+ </li></ul></ul>
  10. 10. Benefits <ul><li>Reduces costs while increasing security </li></ul><ul><li>Security professionals work on security, not logistics </li></ul><ul><li>Simple to implement and maintain </li></ul><ul><li>Extensible platform for the future – for e-commerce, supply chain, partners, independent contractors </li></ul><ul><li>The only strong authentication system capable of handling session, host/mutual and transaction authentication in a cryptographically secure manner </li></ul>
  11. 11. Security Features <ul><li>Request-response architecture: passcodes generated only upon receipt of valid request </li></ul><ul><li>Server-side Java – inherent security features </li></ul><ul><li>Strong 1024-bit RSA equivalent asymmetric encryption of all transactions </li></ul><ul><li>Certificate chaining for server-to-server authentication </li></ul><ul><li>Server-side PIN storage; Simple user disablement </li></ul><ul><li>PIN length, time outs, PIN and passcode attempts all Admin configurable </li></ul><ul><li>Mutual Authentication for HTTPS </li></ul><ul><li>Use a separate domain for transaction signing </li></ul>
  12. 12. Administration Features <ul><li>Web-based server management </li></ul><ul><li>RADIUS, LDAP and SSL-based API via Java Bean & COM object </li></ul><ul><li>Support now for all major platforms: J2ME, Blackberry, Palm, PocketPC, PC, J2SE (for Mac and Linux)‏ </li></ul><ul><li>Replication for fault-tolerance </li></ul><ul><li>Initial validation via NT/AD credentials (scripts provided)‏ </li></ul>
  13. 13. Secret key Public Key Certificates 1. User selects reset domain & enters PIN. 2. WiKID server decrypts PIN with public key and verifies. Returns Passcode. Internet Internet 3. WiKID Server pushes passcode to PDC as new password, flags for reset. LAN Password Reset 4. User logs in with username and passcode . 5. User granted access, prompted to change password.
  14. 14. Layered Authentication User/Session Authentication Host/Mutual Authentication Transaction Authentication/Signing A Cryptographically Secure Approach Layered Authentication
  15. 15. Thanks! Nick Owen [email_address] 404-879-5227 For additional information, please contact: