Alternative to Passwords and PINs

SSSDR[16 SLIDES]

Contents

1. The Problem to be Addressed2. Elevator Points3. Proposed Solution: SSSDR4. SSSDR Logic & Client-Side Walk-Through5. Overview of Server-Side and Process Flow6. Business Modeling7. Online Demo of Prototype Information

(site and login info)

The Problem

• PINs are simplistic, and easy to steal (or Figure Out):• At ATM’s• Supermarket Checkouts• Susceptible to Hackers when used online• Don’t Really Validate Users, and can’t be

used for digital signatures

• Passwords are • Complicated and difficult for People to Remember• Can be viewed when typed in• Difficult to enter on virtual keyboards (e.g. smart phones)

• PINs and Passwords are not Interchangeable• Logins require adherence to complexity rules—PIN’s with only 4 numbers can’t be used

as passwords (nor should they be)• PINs can only use numbers, and are usually entered in plain view

SSSDR – Essential PointsPractical Points: Three to Eight mouse clicks or Finger

Touches, in plain view Much more difficult for diligent

observers to figure out or steal even when it’s directly observed while entered

Based on simple (small) technology: A few thousand bytes of code Can be embedded virtually anywhere

Can Replace Conventional : Computer Passwords ATM PIN’s Credit Card Authorizations Digital Signatures

No Hidden or Masked Input Simple Enough for Children to Use

Business Points Can Be Licensed as IP, or Can

be Hub in Identity Verification Company

Fairly Robust Market Base Government Applications Terminals can be easily retro-

fitted ATM’s can adopt via software updates

Can be used on any color touch screen, or on non-touch screens via keyboard input

The SSSDRThere are 3 Main components...

Component 2

The 8 Jewels:Component 1

The 4 Jewel Attributes:1. Position on the Ring (1-8)2. Color of the Jewel3. Letter (A-H)4. Icon Shape

Component 3

The Account ID.In most practices it is pre-populated and hidden, such as from:

• Credit Card Swipe• Login Account• From a Cell Phone

Walk ThroughWith Each Mouse Click, the SSSDR Assembles Each of the 8 jewels with RANDOM attributes. Each Ring, therefore, has 8 Randomly assembled jewels making each instance of the ring very unique.

For this Demo, only 4 clicks are used. The SSSDR can be set to use 2 – 8 Clicks, based on the Application and Context needs. For example, to open a document not classified on a validated previous login, perhaps only 2 or 3 clicks. For a Credit Card transaction, perhaps 6 or 8 clicks. It can be set by applications at runtime.

Initial Load,First Click

Second Click... Third Click... Fourth Click...

Where a User Fails at an attempt to validate, an extra click is added to the retry. After the second attempt at the 8-click level, the session is denied. That means that the lower the intended click-strength, the more tries a user may get (customizable); the higher the intended strength, the fewer tries.

Walk-Through, Part 2

As a User clicks (or touches, presses keypad numbers, or even speaks the jewel number), onlookers may see (or hear) which jewel was selected, but not know why it was selected (The number? The shape? The Letter? The Color?)

Since each ring is randomly assembled at each load and click, a given “Ring Face” might not be reproduced for thousands of draws.

Pass KeysUsers’ Passkeys are assigned (or chosen) as 8-click Sequences based on any attribute, plus a few that can change:

In addition to these, there are “Wild Card” Clicks.(Optional, but only one may be used in a Pass Key)

Any Random Click• Any Odd Number• Any Even Number• Day of Week Number (Sunday = 1, Saturday = 7)

Sample Pass Keys:

Pass Keys are NOT Sent Over the Net:• What gets sent is a digital snapshot of

the Ring Sequence Used, and which Jewels the User selected.

• A Digital Snapshot of the Ring Sequence Used• The Jewels the User Selected• (The Click-Length is Derived from the Ring Sequence Snapshot Sent)• The Merchant ID and Terminal ID (more about that on next slide)

This means that even if unencrypted, an interceptor or sniffer would only get the same information he would get if he simply watched the user validate.

Over time, an interceptor could derive the Pass Key, however, the use of Wild Cards and the changing of Pass Keys would make this more difficult.

The Server Role• Merchants are assigned Merchant ID’s, and each individual device used by the

Merchant is also assigned a Terminal ID, A Terminal Code, and a “Green Light” Code.

• The Validation Server, once having validated a User’s Pass Key:

Validates the Merchant ID (internally) Validates the Terminal ID (internally) Validates the Terminal Code (internally) Responds with that terminal’s unique “Green Light” code, plus a transaction number, and records the

transaction The User Can get a receipt containing the financial details, and the Merchant ID, and the Terminal ID (but not

the Terminal Code) NOTE THAT: once the “Green Light” code is received, it is up to the Merchant and his existing financial

partners and systems to process and track financial transactions.

Once the Terminal receives the “Green Light” code, it authorizes the completion of the transaction, which could be:

A Financial Transaction The Granting of Access to Information The Authorization of Features or Functionality

ATM, Credit Card, Digital Signature, Web Site, Desktop Computer, Cell Phone, Tablet, etc.

Information does not leave Server Side

Encrypted Digital Snapshot of what an onlooker would see

High-Level Flow:

Terminal

SSSDR Entry

Ring Snapshot, Jewels Clicked

USER Identity Validated Internally

Merchant & Terminal Validated

Terminal “Green Light” Code Algorithm (Specific for that terminal, at that time) determined.

“Green Light” Code

“Green Light” Code Validated

by Terminal

1

2

3Process Transaction as Currently Processed

Today

4

User Account ID Key, Merchant ID, Terminal ID

.

Examples of Merchants and Terminals• A Merchant is anyone who uses the SSSDR for Validation.

Retailo Gas Station Pump, o ATMo Registero Vending Machine

Technical Deviceso Cell Phoneo Tableto Desktop Computer

Physical Security Deviceso Secure Entry Devices, such as door locks to computer roomso Safe Combinations (in which case the server logic resides inside the safe?)

Software o System Logino Digital Signatureso Application Registration/Feature Unlocks

Websites

Safety “Panic Key”

For added physical safety, a “Panic Key” can also be issued which is the same as the Pass Key, except for the first click.

If, for example, a User is forced under physical duress to enter a Pass Key (e.g., at an ATM), he can enter the Panic Key instead.

If the Panic Key is validated, a “Green Light” code will be returned and no appearance is given of the Panic Code being used, but the authorities can be alerted based on the Merchant ID and Terminal Code. Terminal location information can be obtained from data records maintained internally by the server.

What Can Be Done With This?• Embed it on a Smart Credit Card

• Makes Stolen Cards virtually unusable on the Internet, in the Mall, at the Gas Station—even if it’s never reported stolen because every time that card is used, the User will enter in his or her SSSDR Password.

• Modify ATM’s to allow users to press buttons corresponding to jewels – Requires virtually no hardware modification. Can be used at Point of Sale devices (e.g., at the grocery store check-out device).

• Replace the Ctrl+Alt+Del Login mechanism on Computers.• Perfect for Tablet PC’s – Use the Digital Pen to Enter it• Perfect for Crowded Public Areas – Stop hiding fingers when logging in

on the airplane• Embed User Passwords into Active Directory to control logon access to

the Internal Network

• Use it to verify Identify for Digital Signatures

• Security Badges can utilize them for better access control to facilities. They can also replace combination locks on secure doors

• Add-on to any smart phone or tablet. Particularly useful for slates, since it requires no keyboard or keypad.

Through User agreements, this can be treated as a

digital signature for credit card transactions (the

“Green Light” code acts as a digital signature). This would be easier to store than digital signatures

from a sign pad.

Business Modeling - 11. License the Technology and allow others to brand it

Companies own the license to do as they please with it, end-to-end including the back-end server process, and pay royalties for use

Potential Buyers: Google Microsoft Adobe Amazon PayPal Government Credit Card / Financial

Upside: Lower Initial Investment IP-only transaction, so no infrastructure build-out Much Shorter Time-To-Market Much less Risk Exposure Could still include hardware tech for embedded chips, etc.

Downside: Lower revenue, less profit No real scale of penetration Non-tangible IP-only valuations and revenue are very

risky, difficult and costly to maintain

Business Modeling - 2

People register with the SSSDR Firm, and all logins are sent to the firm for validation

People have a unified password; one SSSDR Password (which can be changed at any time) for their work LAN’s, Credit Cards, Digital Signatures, etc..

To be effective (and thereby minimize risk exposure), Users would need to register in person, with proper ID (banks? Post Office? This could be a large infrastructure rollout)

Upside: Much larger revenue potential Very Large Penetration potential Not an IP-Only Valuation Users can benefit from:

• Holistic, single-source tracking of all authorizations across all vendors and merchants

• Only one Pass Key to remember, and changes to Pass Keys are universal and instant

Downside: Huge Upfront Investment (infrastructure, etc.) Much longer Time-to-Market Significantly higher Risk Exposure

2. Become a National Identity Verification Firm

Online Demo• A Basic online demo is available at:

http://qazz.co/

• Some notes about the demo:• Scripts must be enabled

• This just demos the basic User Experience, not the whole validation system

• There is an optional textbox to hand-enter a User Account or ID (which is not used in this demo), but normally this would be populated by the terminal:

• Credit Card Swipe

• Derived from Computer Login ID

• Cell Phone Information (if used on a cell phone)

• Etc.

• This demo defaults to 4-clicks, but you can set it from 2 - 8

• There is no Server Validation (it’s just a mock validation)

Using the Demo Prototype

Click “Show Notes” to reveal the password

Change Click Strength

Here.

An interesting Demo is to enter the pass key while others are watching, and see how long it takes them to crack just a 2-click Pass Key. Two Clicks are not terribly difficult to crack, but compare to cracking a 2-digit PIN when entered in plain view...