Sergio Demian LernerThe PassKey logins to your favourite websites using the stored passwords (that are never revealed to your browser computer, just to the website), achieving an unprecedented level of security without requiring any change in the Internet authentication infrastructure. We have prototypes already working for the major websites. See it in action:
Traditional password managers are designed to be used only on trustworthy computers. You cannot securely plug your pendrive containing your password list on a Cybercafe computer, without risking your digital identity and digitally controlled assets. Sometimes, you should assume your password has been compromised as soon as you type it on an untrusted keyboard.
The following diagram shows the inner workings of the PassKey and the login and browsing flowchart:
The Identiva PassKey is the only device that allows you to log in using any untrusted computer with high security and no risk. And also, it is compatible with any password-enabled website in the world. The innovations are protected by patents pending in US and Europe.
The proof-of-concept hardware/software platform used for testing was a wifi-enabled smart-watch running the Android operating system and adapted for being able to simultaneously run a GNU/Linux distribution. The software was implemented in Python. For the production device, we will target a single-purpose security-hardened hardware platform such as a secure micontroller, which will just require adding a display, buttons and the battery. Also the PassKey supports password backups in the cloud. The requirements for the cloud servers are simple to met since the password backup service can be implemented on all of the standard web development languages, platforms and frameworks. We plan to make all the software open source for ease of auditing.
The Identiva PassKey wireless device concept was fully implemented and tested using a smart-watch platform. Nevertheless we plan to increase its security by using a single-purpose low-cost, power-efficient computing platform, such as one based on a secure microcontroller or IoT board. The platform must have a Wi-fi and/or blue-tooth connectivity, an LCD display, a battery and a simple user interface having two confirmation buttons (see below)
The core computing operations performed by the device are storing a password database, opening secure connections to external websites (or the computer) using the SSL/TLS protocol suite, verifying authentication certificates, and sending passwords in encrypted form. Also the PassKey is able to intercept the traffic between the untrusted computer and the website and provide the authentication tokens when needed, without disclosing them. Last, the PassKey can offload downloading or uploading large files to the untrusted computer without disclosing sensitive information, to preserve the device battery life. These operations are performed by a single software component that resides in the PassKey. On the computer side, the PassKey requires a simple two-step configuration process that does not require administrative privileges and involves configuring the PassKey as an Internet proxy and installing a root certificate provided by the PassKey. An optional user-mode software component can be run on the untrusted computer to multiplex Internet streams and reduce the CPU-load of the PassKey, increasing its battery lifetime.
For secure-critical operations, such as changing a password, updating your personal data or making a bank transaction, you’ll be able to configure the PassKey to require specific confirmations. Your can use your PassKey today, because it is compatible with all your favorite websites like no other authentication system. Having a simple user interface with a single confirmation button makes the PassKey login process secure, easy and natural.
The Passkey functionality can be implemented on different kind of gadgets such as a Smart-watch, augmented-reality glasses or as a key-chain accessory running a trusted embedded platform. The last, being the most secure, is the one we will plan to develop.
Every Internet user in the world is a potential Identiva user: children, teens, adults, professionals, security personnel, and elderly: no one wants their digital persona to be hijacked and abused. The more the technology becomes Internet-enabled and pervasive, the harder the manual handing of passwords becomes.
This hack-a-day project entry is licensed under the "Just Makers License For electronic devices, version 0.9" with the additional exceptions and provisions:
1. We remove the restrictions regarding any semiconductor if it is a silicon ICs having a microprocessor.
2. This license remains valid until an updated license with higher version is published by us in the website IdentivaSecurity.com or by other valid notification means.
JUST MAKERS LICENSE For electronic devices, version 0.9
Date: 08-20-2014
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION.This license grants each “maker” a non-commercial license to make and personally use an electronic device implementing the work of authorship and invention(s) being licensed, where a “maker” is defined as a natural person that builds every of such devices by hand soldering to a PCB (etched copper substrate) all semiconductors components of the electronic device and all passive components, and where there is at least one of such components.
This license also grants to anyone (a "seller") a commercial license to distribute such components if they are not soldered.
This license allows making reproductions and derivative works of authorship such as source code, and their distribution under this same license provided that attribution of original authors is preserved, and any modification is identified, and all source code is included together with this license. This license encourages the advance of technology and benefit of makers but at the same time respects the creative efforts of all the inventors, thus if any restrictions from patent protection is applicable at any time, they apply except for sellers and makers to whom the patent right holders covenants not to enforce any such patents against them.
ALL UNDER LICENSE IS IN THE HOPE THAT IT WILL BE USEFUL, BUT WITHOUT ANY WARRANTY. IT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF ANYTHING IS WITH THE LICENSEE. SHOULD ANYTHING PROVE DEFECTIVE, THE LICENSEE ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW THE LICENSOR WILL BE LIABLE FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY THE LICENSEE OR THIRD PARTIES OR A FAILURE TO OPERATE), EVEN IF THE LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.