Arcot WebFort and ArcotID for Strong Authentication
Current Threat: Weak username/passwords are easily stolen and/or phished, do not protect the identity of users, or verify the identity of each party involved in an online communications.
Scenario: Arcot developed the technology originally to provide an alternative to existing difficult to deploy, expensive, hardware-based PKI (public key infrastructure) solutions that were not practical for protecting confidential consumer-based internet activity like banking or eCommerce.
Technology: The technology is strong, two-factor authentication. It is 100% software, eliminating the need for hardware tokens, smart cards, or grid pads. It combines the strength of PKI with the simplicity of a password.
Tomorrow's Technology Today: Arcot WebFort is a software-only, two-factor, strong authentication solution that prevents identity fraud by protecting and verifying users’ identity. WebFort allows organizations to add strong, two-factor authentication to their consumer- or enterprise portals, without changing their users' login process. To a user, the login process looks the same as it uses his same username/password. Behind the scenes, however, the strength of PKI protects and verifies the user’s identity from identity theft and fraud. WebFort is the first consumer-friendly strong authentication product on the market; its software form-factor makes it easy to distribute and manage. It also integrates with current applications and processes, protecting existing infrastructure investments, eliminating the need for costly operational changes.
How it Works There are two components to WebFort—the WebFort authentication server, and the ArcotID.
WebFort Authentication Server - WebFort eliminates the trauma of past PKI deployments by managing the installation of all the underlying components of PKI. There are no additional elements of a PKI infrastructure to install or deploy—WebFort includes everything the organization needs. WebFort provides the lowest cost of ownership of any two-factor authentication solution on the market today by eliminating the need to purchase, distribute, and manage expensive tokens, cards and card readers.
The ArcotID is the only “Software Smart Card” on the market today. The user’s password is the first factor, “something you know” and the ArcotID is the second factor, “something you have”. The ArcotID is available as a Flash client, Java client, or installed on a user’s PC, PDA, or smart phone. The ArcotID combines the protection for digital IDs like a hardware smart card with the lower cost and simplicity of a software solution. The ArcotID features an easy-to-use and familiar username/ password user interface. It integrates quickly with existing infrastructures with support for standards such as RADIUS-based OTP, SAML, MS CSP and PKCS#11.
Unlike traditional software key containers, the ArcotID resists brute-force attacks using patented “Cryptographic Camouflage” technology to hide the private key from would-be attackers. Cryptographic Camouflage encrypts the private key based on the user’s PIN with standard encryption algorithms, but using the patented Arcot process. The effect of this process is that decryption (e.g., by a hacker trying to uncover the private key used in PKI), even using an incorrect PIN, will always produce a result that meets the specific, particular and well documented characteristics of a private key. Keys produced as result of using an invalid PIN meet all the characteristics of a valid key, so they can be functionally used to encrypt or “sign” a challenge received from the Arcot WebFort server as a part of the authentication process. The hacker will have three attempts to ‘sign’ the WebFort challenge before being locked out. The ArcotID does not store the user’s password, nor does it transmit the password over the wire.
What Makes it Better?
Technologies that are losing their edge: Several traditional strong authentication technologies, including One-time password (OTP) tokens and grid pads, are losing ground to WebFort for the following reasons:
Lower cost of ownership: It is significantly less expensive to purchase, deploy, and manage software-only solution vs. hardware tokens or grid pads. Consumer-facing organizations need to have a cost-effective method to protect the identities of hundreds of thousands or millions of users, and OTP tokens are prohibitively expensive.
Ease of use: With WebFort, there are no changes to user login experience, no new behaviors to learn, no calls to the help desk, no loss of customer trust. Other forms of strong authentication require changes to user behavior, and can incur significant operational costs related to educating users
Future business services/‘Green’ initiatives: OTP tokens and grid pads do not support future business services like digital signing of electronic documents. Adobe embedded Arcot technology into Adobe Reader and Acrobat, meaning that any organization wishing to enable digital signing of PDFs does not have to worry about distributing a client to users—the same ArcotID used for strong authentication can be used for digital signing, as well as authenticated eStatements. eStatements eliminate the cost and waste of paper statements, and enable organizations such as banks/brokerages to reduce their effect on the environment.
Prevents Man-in-the-Middle attacks, keeping remote access safe from phishers and pharmers. The ArcotID authenticates only with the domain that issued it, automatically preventing attackers from fooling users into disclosing their login credentials, something that OTP tokens and grid pads cannot prevent.
Regulatory compliance: Enables organizations to meet regulatory requirements such as FFIEC, SOX, HIPAA, SAFE and IdenTrust.
Deployment Options – Organizations have complete flexibility for how to deploy the ArcotID file. They can load it on to a PC, BlackBerry, or mobile phone, and even lock it to that device. Alternatively, they can install it on a USB flash drive for portability, or have users download it for roaming access.
Deploy PKI-strength authentication that is invisible to users - Users never have to know that they have been upgraded to PKI-strength authentication. They keep the same username and password and WebFort adds PKI invisibly.
Protects existing infrastructure investment - WebFort integrates with existing access management and other security products, eliminating the need to upgrade other parts of a network to add strong authentication.
Conclusion: Arcot’s strong authentication prevents identity fraud by protecting and verifying users’ identity anytime, anywhere. Users benefit by having the same username/password login experience, but with the addition of PKI-based strong authentication ‘behind the scenes’. Users do not have to carry around OTP tokens or grid pads, or modify their behavior in any way.
Arcot Systems Inc.
455 West Maude Avenue #210
Sunnyvale, CA 94085
Tel: +1 408 969-6100