Wibu-Systems Blog

Is strong authentication the killer app of the future?

Posted by John Browne on Mar 19, 2012 3:12:00 PM

Banks have been protecting money for years to avoid this:

Butch and Sundance had the right idea; they just went about it wrong. You can't blow the door off a bank vault with a few sticks of dynamite anymore, but you can apparently get the money out through a less noisy approach.

These days money of course is just bits and bytes and needs to be protected like any other bits and bytes. The banks have arguably done a much better job with their vaults and armored cars protecting the tree-derived variety than they have with the digital variety, since the big heists these days come via the Internet rather than a tunnel under the street.

The vaults of the future that protect bits and bytes--whether they represent money or something else like intellectual property--will be as ubiquitous as passwords are today. The familiar user name/password combination of today is like the old-fashioned skeleton key: it creates a sense of security, but it's not very strong security. Today no one would protect anything valuable with a lock that relied on a skeleton key, and in the future strong authentication will have long-since left the user name/password combo in the dust of antiquity.

One fundamental problem with user name/password is that it represents only one-factor authentication (in this case, something you know--that is, your password). Authentication that relies on a single factor is easy to break or steal: your car and house keys represent a single-factor authentication scheme and if someone grabs your keys they can steal your stuff. And as more seniors move to Internet banking, expect phishing and fraud to get worse before it gets better.

To get strong authentication, you need at least two factors (the Holy Grail of strong security is three-factor authentication: something you know, something you have, and something you do). CodeMeter can provide very strong two-factor authentication in the case of web access to sensitive data or web applications (like banking) via our CodeMeter Identity product.

CodeMeter CmStick/C for compactTo the standard challenge response paradigm of a user name/password, CodeMeter Identity adds some crypto mojo that confirms to the server that it's actually talking to who it thinks it's talking to, not some impostor. Since there is some server-side code, it's virtually impossible to crack unless someone can get access to the server itself. And the client-side components can reside either in software like or even in a CmStick for maximum security and portability.

I really believe that we will carry these personal security devices in the not-too-distant future just like we carry around our smart phones and car keys today. The same device, of course, can not only protect the access to websites but also SaaS software and on-premise applications as well. Now if we could only get those jetpacks we were promised!

Topics: CodeMeter, Copy Protection, dongles, Uncategorized