Bypass the browser. You cannot trust it. This is the advice of a SaaS-based cloud authentication service, which claims it can make your existing login (or OpenID) process 10 times stronger and more secure using multi-factor authentication. Plus, it's fully PCI-DSS compliant.
PalmTree technologies offers a cloud authentication ‘mashup’ service called LiveEnsure which allows developers to access a remote API in real time and authenticate a user using multiple identity factors including the device, site, session (and user).
This transaction is secured outside the browser in what it calls the ‘smart channel’ using a patent-pending process called Digimetrics.
“This is a breakthrough in authentication algorithms where multiple identity factors are synthesized versus serialized to construct a unique but anonymous one-time identity signature (OTIS),” said PalmTree.
The service is built on the Java platform, and PalmTree states that:
• No private data recorded or transmitted
• Nothing shared or federated
• Nothing to remember or recognize
• Nothing to carry or download
The service API works with any server language and can be integrated into popular platforms such as Drupal, Joomla, WordPress and SharePoint, since no client-side software, cookies or tokens are needed.
They were recent finalists in the Global Security Challenge, eventually won by CloudSwitch, a company we have covered before in this blog.
We contacted Christian Hessler, CTO, for more information about this technology, which is currently being deployed by various Mobile Wallet solutions, including PayToo Mobile, which has just launched in 35k+ stores in the U.S.
He gave us some great feedback. Here is the unabridged Q & A:
Q & A with Christian Hessler, LiveEnsure CTO
From your perspective, what does CloudSwitch do better than you that allowed it to win the Global Security Challenge in 2010? They appear to be more of a cloud appliance vendor which offers bridges between on-premise data centers and publicly provisioned clouds. Are they a competitor?
No, Cloudswitch is not a competitor. It was a completely different product, in the same general category of "cloud security". They deal with virtual machines and encryption, etc.
Your site states the Digimetrics technology is patent-pending in 150 countries. When will these patents pass approximately? Any further updates on this?
Patents are always pending. We are focusing on areas where we do the most business (for cost reasons) and have some new patents being filed this year. The PCT process is long and expensive, as I am sure you know - so stay tuned.
Besides your Digimetrics technology could you explain how you have set up your Data Centers? For instance, do you run any virtualization software in-house which helps drive the SmartAgent process? Do you consume public clouds from Amazon? I am curious as to how you have set up your physical infrastructure including servers, load balancers, firewalls etc.
We are using Amazon's EC2 cloud to deploy in the US and EU at the moment. The infrastructure architecture is proprietary, but it is a fully load balanced, monitored, redundant and HA design. Our model utilizes a Google-like in-memory model for speed, performance and resilience.
Are you in any way participating in the OATH initiative? If not, why not?
Yes, we are an OATH member. We stay in frequent contact with this group to keep our products aligned with their objectives. We are also affiliated with OWASP and several other groups/initiatives, both open and vendor-based.
From what I can make out the smart channel signature is disposable and no customer data is stored on your servers once the pass or fail signal is provided. Is this correct? Do you keep zero record of the details of the transaction once the user has been authenticated (or denied)?
No, we keep a record of history by session ID, which is a reference to a particular session where a user/device/site and session were authenticated in the context of a Digimetric™ signature. Consumers (our customers) have secure access to their authentication history by session token - which THEY must associate to actual user accounts (we don't keep that data for privacy reasons). We also keep the "impulse response" of the user device in our database after each user registration (unconnected to the real user account in any way - which we don't store) so that when the real user/site/device and session come together, they can be mutually authenticated. Each member of the model (user, site, us) has 1/3 of the puzzle - which is a theoretical advancement beyond traditional 50/50 shared-secret authentication, and the basis for Digimetrics™. Only when all components are in place does authentication commence. Possessing 1/3 or 2/3 of the elements will never be enough to reproduce the whole.
When will BuyEnsure and iPadEnsure be released (your e-commerce products)? Why is it necessary to market these products separately from your core SmartChannel angle? Is this simply a clever marketing angle?
No, it's not a clever marketing angle. The iPhone and iPad versions are available now - and are the core LiveEnsure™ libraries for embedding in apps which obviously cannot dynamically "launch" active content, as you can on the desktop (i.e. Java, ActiveX, etc). All other mobile functionality is server side, as it is on the full agent. We also have J2ME (java) and native libraries for creating your own mobile agent. We are releasing Microsoft-specific agents (Windows7, Sharepoint, RD Gateway) and Android later in 2011.
You appear to have a couple of competitors in this space including One Login and Arcot. One Login for instance offers a Yubico USB key. I realize your site specifically highlights the benefits of being a true cloud solution with no possibility of stolen dongles etc., but could you highlight your stance to your closest competitors?
All of our processing is 100% bespoke and disposable, leaving nothing to reuse or predict on either side. We consider the site/app and the user as peers - i.e. they are of the same trust level for mutual authentication. This eliminates the common imbalance of too much information on the site side and too little on the user. LiveEnsure™ synthesizes multiple factors (can be more than 2, as in 2FA) into a one-time identity signature that is used to validate the authentication "context" of user, site, device and session. We also support any and all 3rd party factors (like existing tokens, passwords, keys, PINs, OTPs, etc.) in the Digimetric™ mix.
The secure communication happens "outside the browser or app" communication channel, in a separate, triangulated path called the SmartChannel™ that does not rely on the browser cookie, SSL key or socket. The channel steps outside the browser and communicates directly with the LiveEnsure™ cloud, thus avoiding trojans, men in the middle and men in the browser. This "air gapped" model allows the cloud to see things from the user's and the site's perspective, guaranteeing validity from both perspectives. In addition, unlike traditional approaches, LiveEnsure™ never sends "key-value" pairs (or questions/answers) together over the same channel, let alone the main web channel. The LiveEnsure™ agent and cloud privately and simultaneously compute the Digimetric™ signature, and the only thing that goes over the smart channel is whether these disposable (one-time) signatures match. Nothing to capture, nothing to reuse or predict.
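As an added illustration (not code from PalmTree or this post, and not the proprietary Digimetrics algorithm), the Python below models the two properties Hessler describes: a registration secret split three ways so that any subset of shares is useless, and a per-session signature that agent and cloud compute independently so only a match/no-match result crosses the channel. The XOR share scheme, HMAC-SHA256, the sample factor values and the assumption that both endpoints can assemble all three shares for a session are mine, not the page's.

```python
import hashlib
import hmac
import os

# Illustrative model only, not PalmTree's patent-pending Digimetrics: a
# registration secret is split into three XOR shares for user, site and cloud.
def split_secret(secret: bytes) -> tuple:
    """Split `secret` into three shares; any two of them reveal nothing about it."""
    s_user = os.urandom(len(secret))
    s_site = os.urandom(len(secret))
    s_cloud = bytes(a ^ b ^ c for a, b, c in zip(secret, s_user, s_site))
    return s_user, s_site, s_cloud

def combine(*shares: bytes) -> bytes:
    """XOR shares back together; all three are needed to recover the secret."""
    out = bytes(len(shares[0]))
    for share in shares:
        out = bytes(a ^ b for a, b in zip(out, share))
    return out

def signature(key: bytes, user: str, device: str, site: str, session: str) -> bytes:
    """Synthesize the factors into one HMAC; the fresh session id makes it one-time."""
    context = "|".join((user, device, site, session)).encode()
    return hmac.new(key, context, hashlib.sha256).digest()

def smart_channel_verify(agent_sig: bytes, cloud_sig: bytes) -> bool:
    """Only a match/no-match answer crosses the channel (constant-time compare)."""
    return hmac.compare_digest(agent_sig, cloud_sig)

def demo() -> dict:
    secret = os.urandom(32)  # constructed registration secret
    s_user, s_site, s_cloud = split_secret(secret)
    factors = {"user": "alice", "device": "dev-fp-0001",  # constructed sample factors
               "site": "shop.example", "session": os.urandom(8).hex()}
    # Assumption: agent and cloud each assemble all three shares for this session
    # over their own paths, then compute the signature independently.
    agent_sig = signature(combine(s_user, s_site, s_cloud), **factors)
    cloud_sig = signature(combine(s_user, s_site, s_cloud), **factors)
    # Two shares with the third guessed as zeros yield an unrelated key.
    two_share_sig = signature(combine(s_user, s_site, bytes(32)), **factors)
    # A captured signature replayed against a fresh session no longer matches.
    next_session = dict(factors, session=os.urandom(8).hex())
    replay_sig = signature(combine(s_user, s_site, s_cloud), **next_session)
    return {"full": smart_channel_verify(agent_sig, cloud_sig),
            "two_shares": smart_channel_verify(two_share_sig, cloud_sig),
            "replay": smart_channel_verify(agent_sig, replay_sig)}
```

The returned dict shows the full three-share context matching while the two-share and replayed attempts fail.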