Haventec makes the claim to be the only true password alternative on the market. Yet literally dozens of companies claim to do away with passwords. Is Haventec unique? Are these other technologies making false claims? Also in this article is brief comparisons on competing technologies such as:
- Nok Nok
- Token One
- Others as they emerge
Definition: What is a true password alternative or replacement?
For a technology to be a true password alternative or replacement it must:
- Replace and render unnecessary ANY password storage on the server side for use at any time with any customer. If the enterprise needs to continue to store passwords for any group of customer for any platform or device then the technology cannot be said to be a true replacement.
- Must be useable for every user for every service on every platform or device and with any application. If the technology will not work for every customer that uses a service then it becomes a partial solution and the storage of passwords become an inevitability and a continuing security exposure vector.
- It must NOT be dependant on the user mandatorily having access to a second device such as a mobile phone for everyday use. All too often identity vendors write off concerns about using phones as an integral part of an authentication service, however large segments of our society and worldwide users do not have mobile phones. Even the ones that do, do not necessarily have them with them all the time and frequently it is inappropriate to have an authentication application on a persons phone… for example when a business related service requires an application to be loaded but the phone being used is privately owned.
Before proceeding it should be noted that many of the following technologies are deemed as perfectly legitimate second factor partners so this analysis is designed to clarify Haventec’s clear advantage as the primary authentication technology for universal use.
The FIDO (“Fast IDentity Online") Alliance is an industry consortium launched in February 2013 to address the lack of interoperability among strong authentication devices and the problems users face creating and remembering multiple usernames and passwords.
Even though the term “getting rid of passwords" is used by many members and contributing technologies, none of the members have ever completely taken the plunge and done away with their password systems. While sectors of the industry have expanded on the use of passwords by using biometrics and or dongles, these alternative identity systems are universally used as augmentations to password systems. For example the credit card PIN system still rely’s on the user using a password to access their underlying bank account.
Nok Nok Labs develops software to enable strong authentication for consumer-facing mobile and web applications. The company has been a driving force in establishing authentication standards under the auspices of the FIDO Alliance. While some of their papers talk about non mobile phone dependant authentication, their main customer base and product specification requires the use of a smart phone application to enable authentication. This means that only a portion of the customers using the technology in any enterprise will not require or be dependant on access to their services via password use in the event they do not have a mobile phone, do not have ready access to a phone or do not want to load and application on their phone. The net result is that having Nok Nok software as a primary enterprise identity solution WILL NOT allow the removal of the server side password store.
Token One is an intriguing One Time Pad cypher system that has the advantage of allowing the user to enter a short single use code that changes every time the user logs on. It does this by co-relating a secret PIN number to a matrix of changing related Letters where the user types in the related letter and never actually types in the corresponding PIN. It's quite powerful. In fact the original patent for the technology was written by Haventec co-founder Ric Richardson. The technology has two hurdles to becoming a universal password replacement.
- The technology currently relies on the user installing and running an app on their smart phone. As explained above this is a significant limitation in becoming a universal password replacement.
- While simple for a technically savvy user, the concept is not familiar or self evident for a non technical user and will require inordinate levels of education and customer support. The company does not cite any instances of universal relacement of passwords by their system.
In the above example the PIN the user knows has a 3 in the third position, but the user types in a “C" to the web site.
Ping! while touting a password replacement positions itself as sitting over existing identity and authentication systems while offering simplified mobile authentication as a surrogate for existing logons. But note that the password field is still required in the screen below. In real use, the Ping! app is pitched as a second factor or as a non primary convenince.
Screen grab from PING! web site
If you would like to see analysis of other authentication technology or have additional information to clarify or explain the above analysis please feel free t make comments below.
Note: comments are moderated so please be considerate and professional in your opinion. Thank you.