Confident Technologies Adds New Capabilities to Its Network Security Software
Curtis Staker and Roman Yudkin have been busy in the 16 months since they officially launched Confident Technologies of Solana Beach, CA—using salvaged computer security software originally developed by Portland, OR-based Vidoop. As I explained last year, the suburban San Diego company has developed an alternative to the security protocol that requires an online user to provide a username and password to log onto an Internet account. Confident instead uses an image-based verification system, so a registered user selects an easy-to-remember combination of images, such as car, airplane, and fruit.
After raising $1.8 million last year to acquire Vidoop’s assets, CEO Staker says the company raised an additional $2 million in February to help build out the business. Last month, Confident said it was extending its “multi-factor,” image-based verification system to smartphones and other mobile devices.
Today the company is unveiling “Confident KillSwitch,” an add-on image-based authentication technology that is intended to defend user accounts and websites from automated, “brute force” log-in attempts and broadly based, denial-of-service attacks.
Confident says more than half of the major data breaches in 2010 were due to malicious hackers using brute force software (which uses a dictionary database to repeatedly try different passwords) and by exploiting easily guessable passwords, according to a 2011 Data Breach Investigations report. The company also says more than 84 percent of 150 popular websites, including Amazon, eBay, and WordPress, set no limit on the number of failed login attempts.
Confident’s CEO says the reason many companies don’t limit login attempts is that many people can’t readily remember their own user names and passwords. So they keep trying until they get it right—and the companies operating such websites are reluctant to turn that business away.
Yudkin, Confident’s chief technology officer, says the company’s new KillSwitch technology now offers a way for network managers to tell the difference between the log-in failures of an authorized user and an automated system repeatedly trying randomly generated passwords.
“With this technology, we’re trying to change the paradigm for brute force attacks,” Yudkin says.
The KillSwitch technology really just adds a new twist to the company’s core image-based verification system. When a user logs onto a secure website using Confident’s technology, he chooses a sequence of encrypted images to log on with. The images vary with each login, but the user logs in by selecting the images that fit previously selected categories. For example, using the car, airplane, fruit categories mentioned above, the user might choose a Porsche, Boeing 747, and apple for a login sequence.
With the KillSwitch feature enabled, the user is asked during the initial registration process to choose an additional couple of image categories that he will never use—for example, a flower and dog. So if a hacker or automated program chooses a dog or some other “no pass” category in a login attempt, the KillSwitch system can automatically alert the authorized user or the website’s network administrator.
It’s possible that an account user might mistakenly try one of the “no pass” images to log on, “but the likelihood of you selecting two KillSwitch images is quite low,” Yudkin says. It becomes even more obvious when “no pass” images are repeatedly selected in multiple login attempts.
The company says its technology can lock all access to the online account, or keep the would-be attacker online to collect information about his IP address, geographical location, and behavioral characteristics.
“If a company has good security, it gives them more time to respond to an attack,” Yudkin says.
Confident, however, faces a pretty stiff headwind in a crowded market for network security, according to Gene Schultz, a well-known network and computer security expert who is chief technology officer for Emagined Security, a consulting firm in San Carlos, CA.
“Despite the apparent goodness of Confident’s technology, I worry that organizations will not use it because they are (lamentably) so password-dependent,” Schultz told me by e-mail last night. “Many great authentication solutions have in the past fallen by the wayside because of widespread acceptance of and dependence on passwords. Additionally, I worry that have extra steps involving user tasks may be necessary if legitimate access is to be allowed, but illegitimate access is to be denied. Finally, I worry that if this technology were to be widely deployed, the black hat community would soon find a way to defeat it, as historically has been true.”