Scrap that vulnerable password database as CertiVox open sources “Chip” & PIN browser-based security
Multi-factor authentication based on two-factor Chip and PIN principles has reached the open source market with the release of the M-Pin Strong Authentication System from CertiVox.
The company claims this could cut the cost of cloud and mobile authentication by 93 percent, open up strong authentication to SMBs, and rid the world of usernames and passwords for good. Distributor Parallels has already signed up with CertiVox and is using the technology in its own service offerings.
Open for business
CertiVox bills M-Pin as the first open source authentication system built on elliptic curve cryptography (ECC), which at a 256-bit key size gives security comparable to a 3072-bit RSA key. The scheme is modelled on Chip and PIN at an ATM: the payment card's magnetic strip is replaced by a software token held in the browser (the "chip"), and a memorised PIN (personal identification number) is still required to complete a transaction.
The PIN and the browser token are combined on the user's own device to reconstruct a unique per-user secret, which drives the key agreement protocol that proves the user's identity to the server; neither the PIN nor the reconstructed secret leaves the device. The pitch is that service providers and developers can do away with the username/password database altogether, removing the stored-credential target of bulk "smash and grab" breaches.
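To make the token-plus-PIN idea concrete, here is a short illustration added for this article; it is not CertiVox code and it does not implement the M-Pin protocol, which runs on pairing-friendly elliptic curves. It stands in a Schnorr-style proof of knowledge over a deliberately tiny integer group, and the Authority, Server and Device classes, the sample identity and the PIN are all constructed for the example. What it shares with the description above is the shape: enrolment hands the device a secret with the PIN subtracted, login adds the PIN back on the device, and the server verifies without storing a user table or ever seeing the PIN.

```python
import hashlib
import secrets

# Toy Schnorr group, for illustration only: P = 2*Q + 1 is a safe prime and
# G = 4 generates the subgroup of prime order Q. A real deployment would use
# a 256-bit curve (or, for M-Pin itself, a pairing-friendly curve); with Q
# this small, PIN values that differ by a multiple of Q collide.
P = 1019
Q = 509
G = 4


def hash_to_scalar(*parts: bytes) -> int:
    """Hash a sequence of byte strings to a scalar in [0, Q)."""
    digest = hashlib.sha256(b"\x00".join(parts)).digest()
    return int.from_bytes(digest, "big") % Q


class Authority:
    """Issues per-identity secrets from a master secret. This 'trusted
    authority' role and its derivation rule are assumptions of the example."""

    def __init__(self, master: bytes = b""):
        self.master = master or secrets.token_bytes(32)

    def client_secret(self, identity: bytes) -> int:
        return hash_to_scalar(b"client", self.master, identity)


def split_secret(secret: int, pin: int) -> int:
    """Enrolment: the device keeps only secret - pin, never the secret itself."""
    return (secret - pin) % Q


def recombine(token: int, pin: int) -> int:
    """Login: the secret exists only while the correct PIN is re-entered."""
    return (token + pin) % Q


class Server:
    """Verifier. It stores no usernames, password hashes or tokens; it
    recomputes the user's public value from the master secret per request."""

    def __init__(self, master: bytes):
        self.master = master

    def new_challenge(self) -> int:
        # Never zero: a zero challenge would let any secret pass the check.
        return secrets.randbelow(Q - 1) + 1

    def verify(self, identity: bytes, commitment: int,
               challenge: int, response: int) -> bool:
        public = pow(G, hash_to_scalar(b"client", self.master, identity), P)
        # Schnorr check: G^response == commitment * public^challenge (mod P)
        return pow(G, response, P) == (commitment * pow(public, challenge, P)) % P


class Device:
    """Browser-side state: the identity plus the PIN-stripped token."""

    def __init__(self, identity: bytes, token: int):
        self.identity = identity
        self.token = token

    def login(self, server: Server, pin: int) -> bool:
        secret = recombine(self.token, pin)            # wrong PIN -> wrong secret
        nonce = secrets.randbelow(Q)
        commitment = pow(G, nonce, P)
        challenge = server.new_challenge()
        response = (nonce + challenge * secret) % Q    # PIN never leaves the device
        return server.verify(self.identity, commitment, challenge, response)


def enrol(authority: Authority, identity: bytes, pin: int) -> Device:
    """Provision a device with a token that is useless without the PIN."""
    return Device(identity, split_secret(authority.client_secret(identity), pin))


def demo() -> dict:
    """Constructed scenario: correct PIN, wrong PIN, and a copied token with no PIN."""
    authority = Authority()
    server = Server(authority.master)  # server shares the deployment master secret
    device = enrol(authority, b"alice@example.com", pin=1234)  # constructed user/PIN
    stolen = Device(device.identity, device.token)  # attacker copied the browser token
    return {
        "correct_pin": device.login(server, 1234),
        "wrong_pin": device.login(server, 4321),
        "stolen_token_no_pin": stolen.login(server, 0),
    }
```

Running demo() returns True for the right PIN and False both for a wrong PIN and for a copied token used without it. Two caveats a practitioner should keep in mind: a four-digit PIN is low-entropy, so whatever sits server-side must throttle and lock out repeated failures, and in this stand-in the server's master secret also yields every client secret, which is a shortcut taken here for brevity and not something to read into the article's description of M-Pin.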
The free CertiVox implementation comprises a Linux-based M-Pin Authentication Server, HTML5 web client libraries and M-Pin Relying Party Libraries for developers. Brian Spector, CEO of CertiVox, claimed this is all that's needed to integrate M-Pin with any web application, Single Sign On (SSO) or Identity Management (IdM) system in less than an hour.
“M-Pin is a game changer in the authentication industry, a true alternative to username/password authentication that scales for the web,” Spector said. “M-Pin is an open source multi-factor authentication system that can be deployed in minutes at a fraction of the cost of existing solutions while offering a degree of security greater than many existing solutions that cost an order of magnitude more.”
Developers integrate M-Pin by connecting their software to an M-Pin Server instance through the M-Pin C Client Library, which embeds the protocol in any application and allows further authentication factors, such as biometrics, to be layered on top. Because the client is browser-based, it works on any device with a web interface.
Javvad Malik, senior analyst at 451 Group, commented, “With the removal of usernames and passwords, and replacing these with an ATM machine style PIN for HTML browsers, CertiVox brings strong authentication while simplifying the user interface. With its open source M-Pin Strong Authentication Server, we are encouraged to see CertiVox placing its trust in the developer community, seeking to address a pertinent security challenge.”
“CertiVox M-Pin technology enables Parallels’ service providers to offer secure multi-factor authentication and credential protection for cloud service offerings,” said Alex Danyluk, senior director for automation marketing at Parallels. “This helps enable SMBs to have secure access to a wide variety of APS [Application Packaging Standard] enabled ISVs.”