turn that business away.
Yudkin, Confident’s chief technology officer, says the company’s new KillSwitch technology now offers a way for network managers to tell the difference between the log-in failures of an authorized user and an automated system repeatedly trying randomly generated passwords.
“With this technology, we’re trying to change the paradigm for brute force attacks,” Yudkin says.
The KillSwitch technology really just adds a new twist to the company’s core image-based verification system. When a user logs onto a secure website using Confident’s technology, he chooses a sequence of encrypted images to log on with. The images vary with each login, but the user logs in by selecting the images that fit previously selected categories. For example, using the car, airplane, fruit categories mentioned above, the user might choose a Porsche, Boeing 747, and apple for a login sequence.
With the KillSwitch feature enabled, the user is asked during the initial registration process to choose an additional couple of image categories that he will never use—for example, a flower and dog. So if a hacker or automated program chooses a dog or some other “no pass” category in a login attempt, the KillSwitch system can automatically alert the authorized user or the website’s network administrator.
It’s possible that an account user might mistakenly try one of the “no pass” images to log on, “but the likelihood of you selecting two KillSwitch images is quite low,” Yudkin says. It becomes even more obvious when “no pass” images are repeatedly selected in multiple login attempts.
The company says its technology can lock all access to the online account, or keep the would-be attacker online to collect information about his IP address, geographical location, and behavioral characteristics.
“If a company has good security, it gives them more time to respond to an attack,” Yudkin says.
Confident, however, faces a pretty stiff headwind in a crowded market for network security, according to Gene Schultz, a well-known network and computer security expert who is chief technology officer for Emagined Security, a consulting firm in San Carlos, CA.
“Despite the apparent goodness of Confident’s technology, I worry that organizations will not use it because they are (lamentably) so password-dependent,” Schultz told me by e-mail last night. “Many great authentication solutions have in the past fallen by the wayside because of widespread acceptance of and dependence on passwords. Additionally, I worry that have extra steps involving user tasks may be necessary if legitimate access is to be allowed, but illegitimate access is to be denied. Finally, I worry that if this technology were to be widely deployed, the black hat community would soon find a way to defeat it, as historically has been true.”
