The PassMark platform provides two-way authentication services specifically for login-based Web applications. It is targeted primarily at bank and/or e-commerce sites, and is billed as a mechanism to prevent phishing schemes: before providing any confidential information, the end user can verify that the site they have connected to (and that is asking them for their credentials) is the actual site and not a fake. Additionally, the platform provides hardware-based two-factor authentication so that the online site, in turn, can be assured of the identity of the user.
The PassMark authentication process works by adding a step to the standard login process employed by most Web login forms. Typically, a user is asked to supply both their login ID and their password simultaneously to the site, and authentication is processed based on both entries. With PassMark, the user first supplies only their user ID. Once the user ID is received, the site looks up the user's account and verifies that it is truly that user (or at least is potentially that user) based on stored metrics of the user's PC itself. That is, when the user initially registers with the site, the platform notes and stores unique identifying characteristics of the user's access computer, such as HTTP headers, software configurations, hardware settings, IP address, and geographic location. It can then use these metrics to pre-identify the user before allowing them to continue with the authentication process.
Once the user's machine has been recognized and verified, the platform sends the user a secret image (a small graphic that the user selected when they registered with the site) and asks the user to verify this image before supplying their password. The graphic that is displayed, as well as a custom message describing the graphic, are both selected by the user during registration, and can be changed at any time later by accessing their account (in the same manner a user might change their password from time to time). The graphic can be a custom graphic uploaded by the user or one selected from a predefined library of images provided with the product. The goal of the entire authentication process is two-way authentication: the hardware-based checks allow the user to identify themselves to the site based on more than just their ID and password, while the image check allows the user to positively identify the site, which should be the only entity that knows the user's selected secret image. In the event that the user wishes to authenticate on a PC other than the one they initially registered with, they can use alternate forms of two-factor authentication provided by the platform, including cellphone or question-and-answer challenges (again, the user selects the questions and provides answers during the registration process).
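The login sequence described above, sketched as server-side logic. This is an added example, not PassMark's code or API: every name, the fingerprint fields, the sample data, and the choice to enroll a new device after a correct challenge answer are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample data; all names below are assumptions for this sketch.
FINGERPRINT_FIELDS = ("user_agent", "accept_language", "ip", "geo")

def fingerprint(device):
    """Reduce the device metrics stored at registration to one comparable value."""
    joined = "\n".join(str(device.get(f, "")) for f in FINGERPRINT_FIELDS)
    return hashlib.sha256(joined.encode()).hexdigest()

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

HOME_PC = {"user_agent": "Mozilla/5.0 (constructed)", "accept_language": "en-US",
           "ip": "198.51.100.7", "geo": "US"}

USERS = {
    "alice": {
        "devices": {fingerprint(HOME_PC)},
        "image": "sailboat.png",
        "phrase": "Dad's old boat",
        "salt": b"constructed-salt",
        "pw_hash": hash_password("correct horse", b"constructed-salt"),
        "challenge_answer": "rex",
    }
}

def begin_login(user_id, device):
    """Step 1 (user ID only): send the secret image only to a recognized device."""
    user = USERS.get(user_id)
    if user and fingerprint(device) in user["devices"]:
        return {"step": "verify_image", "image": user["image"], "phrase": user["phrase"]}
    return {"step": "challenge"}  # unknown user or device: image is withheld

def answer_challenge(user_id, device, answer):
    """Alternate factor for an unrecognized PC; success enrolls it (assumption)."""
    user = USERS.get(user_id)
    if user is None or not hmac.compare_digest(answer.lower().encode(), user["challenge_answer"].encode()):
        return False
    user["devices"].add(fingerprint(device))
    return True

def finish_login(user_id, device, password):
    """Step 2: the password is checked only for a recognized device."""
    user = USERS.get(user_id)
    if user is None or fingerprint(device) not in user["devices"]:
        return False
    return hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
```

The ordering is the point: the image is the site's proof of identity to the user, so it is released only after the device check or the alternate challenge succeeds.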
Initially offered as a hardened, Linux-based appliance known as PassMark Vault (which is no longer offered), the PassMark platform is now offered in software form as a Java-based application, with Java APIs and SOAP/XML APIs for integration with existing sites.
The PassMark platform is available now. Pricing is on an annual subscription and is based on the number of online banking users, starting around $1 per user/year with volume discounts available.
Contact PassMark security for further information.