Introduction to AutoPassword
Dynamic Interactive Smart Authentication

Kang, BongHo
eSTORM Co., Ltd. / DualAuth LLC.
April 05, 2018
Automatically generates and enters passwords
Contents
AutoPassword™

• Introduction to eSTORM
• Static memorized password issue
• AutoPassword overview
• AutoPassword basic architecture
• AutoPassword usage and use cases
• AutoPassword disruptive features
• AutoPassword integration
• AutoPassword references and partners
• Contact

eSTORM, All rights reserved. Copyright © DualAuth, LLC. All Rights Reserved.
eSTORM Confidential

eSTORM Introduction
Helping People Do the Right http://www.estorm.co.kr

• Early Stage Business
• 19 years of company history (established in 1999)
• Focused on professional enterprise S/W development and provided SI services to firms in the finance industry.
• Provided enterprise cloud solutions to SKT, Korea Police Agency, NHIS, KB Card and many other companies.
• Developed the integrated groupware “Filing Planner”, which over 20 companies are actively using.
• Sustainable Business
• Agency for all Korean mobile operators’ (SKT, KT, and LG U+) M2M business devices and wired/wireless devices.
• Delivered solutions for M2M business and is carrying out value-added service projects based on the telco infrastructure.
• Collaborating with credit card VAN (Value Added Network) companies and ISP (Internet Secure Payment) companies.
• Innovative Business
• Since 2013, has been energetically developing the Dynamic Smart OTP solution.
• In 2014, introduced an innovative “Service Authentication” concept by implementing an end-to-end service.
• In 2014, received the Korea Internet Grand Award from the Korean government.
• In 2016, selected as a security platform service by KISA Fintech Security & Authentication Center.
• In 2016, nominated in the top 5 at the UK Fintech Innovation Award (Cyber Security/Anti-Fraud) in London.
• In 2016, selected as a presenter for Finovate NY and HK.
• In 2017, invited as a finalist for the NTT Data Innovation competition.
• In 2017, introduced as a smart and good authentication method by Gartner. (https://goo.gl/K1suYK)
• In 2017, registered as an IBM business partner and completed the integration with IBM Security Access Manager.
• In 2017, opened the US-based DualAuth LLC (a subsidiary of eSTORM) in Boston.
• In 2017, acquired FIDO technology and completed the solution integration.
• In 2018, signed an MoU with the Korean cloud service provider SmileServ to provide the AutoPassword Logon Service.
• In 2018, achieved the GS Mark from the Korean government.
• Has many collaborative partners such as OPA, SecuWiz, SCK, CanvasBio, NSHC, WatapLaps, SoftCamp, SpSoft and more.
• KT, Lush Korea, Namusoft, WiseHub, OKKY, KMUG, Shopping Agent, and NSHC are actively using the AutoPassword Service.

Issue of using static memorized password

• Vulnerable and inconvenient
• A static password system that forces users to enter their ID/password for online services makes passwords easy to steal, and it is vulnerable to phishing and pharming attacks.
• Users often tend to use similar passwords for all sites because it is hard to remember a different password for each of the various online services they use.
• Static password authentication is not only inconvenient but also highly vulnerable to cyber attacks.

[Figure: Exposed to phishing attacks; Hard to memorize passwords; Revealed to pharming attacks; Annoying to enter passwords]

AutoPassword overview

• Automatically generates and enters passwords
• AutoPassword introduces a new password concept: it automatically generates and enters a disposable password, and the user authenticates the online service by comparing the generated passwords in the mobile authenticator.
• An AutoPassword code cannot be reused even if it is stolen, because a new one is created every time by the AutoPassword (DualAuth) technology.
• Users do not have to memorize and enter passwords, and they can verify whether the online service is valid or a pharming site.
• Provides a highly secure end-to-end protection service through irreproducibility, dynamic and random generation, disposability, anti-theft, resistance to exhaustive attack, and convenience features.

[Figure: Free from password stress; Prevent Phishing; Prevent Pharming]

AutoPassword concept

• AutoPassword concept
• A service that eliminates the user’s need to memorize or type passwords by automatically creating and entering the password for the user.
• Click the video link below to understand the concept in 30 seconds; more “AutoPassword” movie clips can be found on YouTube.

• Getting AutoPassword Experience
• AutoPassword.com provides a page for trying out AutoPassword on a PC, Android phone, or iPhone.

Click to understand the concept in 30 seconds: https://youtu.be/iwFr3Hj48NY

AutoPassword basic architecture

• Mobile app and authentication server
• AutoPassword consists of an authentication server, which provides the automatic password service by connecting with the online server, and the AutoPassword mobile app (client), which verifies the service on the user’s smartphone and processes user authentication by automatically sending a user OTP upon the user’s approval.
• AutoPassword provides an API set so that an existing service server can be smoothly integrated with the AutoPassword authentication server.

[Diagram: AutoPassword™ Service]
Components: Service Terminal (Browser, Mobile App, PC App, Windows …); Existing Service Server; AutoPassword Mobile Authenticator App (iOS, Android); AutoPassword™ Authentication Server (Cloud, On-Premise)
Labels: Verifying Service; Provides Authentication Service; Accesses Authentication APIs; Communicating for Authentication (Push Server will send a notification to the mobile)

AutoPassword logon architecture

• Composed of logon, authentication and AD servers
• AutoPassword Logon provides the logon service for Windows PCs/Servers both online and offline.
• It supports Windows 7, 10 and Windows Servers, and it is composed of a Logon server, an Authentication server and a mobile authenticator.
• When AutoPassword Logon is combined with AutoPassword Enterprise, it provides the Mobile OTP feature to the user.
• It supports AD (Active Directory) authentication and automatically changes the AD password after every authentication.
• The admin can configure (1) the user logon method, (2) approval of offline PC OTP, (3) ID/password management, etc.

[Diagram: AutoPassword™ Windows Logon Service]
Components: Windows PC (7/10); Another Windows PC; AutoPassword Logon Server; Active Directory (Optional); Mobile; AutoPassword™ Authentication Server (On-Premise, Cloud)
Logon methods: 1. ID/PW; 2. Offline PC OTP; 3. AutoPassword
Labels: Authentication; Provides Authentication Service; Accesses Authentication APIs; Communicating for Authentication
** There will be a Push Server in the actual system

AutoPassword usage and use cases

How to use AutoPassword (1/3)

1. Registration and activation
• To use AutoPassword, the user navigates to the settings menu of the online service, switches on AutoPassword, and has a user verification number issued. (The verification number generation can be automatic or on-demand.)
• For a public service, AutoPassword does not gather any personal identification information of the service user except the service user ID and the user verification number. For a company's private service, it can request more personal information.
• The randomly generated user verification number can, according to the online service policy, be issued directly on the service screen or delivered through SMS (text message) or email.
• After downloading the AutoPassword mobile app, users can start using the AutoPassword service by entering the website address and verification number once for registration. (The process can be changed per service requirements.)

[Figures: Turn on using AutoPassword in Service; Registration Example on Mobile]


How to use AutoPassword (2/3)

2. Enjoying the authentication service
• Users only need to enter their ID to log in to a service such as a PC OS, web, or mobile service.
• The smartphone authenticator application generates the Service Password to get the user's approval as to whether the service is valid or compromised.
• If users try to log in to a web service from a PC, the AutoPassword authenticator receives a push message from the server.
• When users log in to a service from their mobile phone, they can approve the logon in the notification area.
• If the user approves that the service is valid, user authentication is performed automatically by the authenticator.
• After authentication completes, the mobile authenticator application closes automatically.
• The mobile authenticator application shows the authentication result in the notification area.

[Figures: Trying to connect service in PC and using mobile authenticator; Try to connect service in mobile and using mobile authenticator]

How to use AutoPassword (3/3)

3. Deactivate service
• Users can terminate the AutoPassword service at any time on the service screen. (Enterprise users should follow the company policy.)
• When the user clicks the deactivation button on the service's web user settings page, the result of the deactivation is delivered to the user’s phone.
• Users must re-register after terminating the service, for example when they change smartphones or re-install the mobile app after uninstalling it.

[Figures: Deactivation request on the service web (“Change Password | Deactivate AutoPassword”); Notification of deactivation (Service Deactivation Message: “AutoPassword has been deactivated successfully.”)]


AutoPassword use case (1/5)

• Web Site Logon
• AutoPassword is designed to provide users with secure website login.
• The user can verify whether the service is compromised or not.
• When the user approves login after validating the service, the remaining authentication process is done by the mobile authenticator application.
• AutoPassword has an SSO solution, so after login it is possible to access the services without a further login process.
• To secure the user approval process, the user can enable an additional user authentication option on the mobile, such as local fingerprint, FIDO fingerprint, or PIN.

AutoPassword use case (2/5)

• PC application login
• AutoPassword is good for enhancing the login security of PC applications.
• To log on to a PC application, the user just enters the ID in the login window and clicks logon to get the Service password.
• The Service password appears under the ID window, and at the same time the user gets a notification from the server.
• The user validates the service and, when it is valid, approves the login.
• AutoPassword can be used as single-step single-factor or single-step multi-factor authentication by turning on the fingerprint or PIN option.
• AutoPassword is also suitable for two-step multi-factor authentication, in which the user is first authenticated by the ID/password method and then the AutoPassword authentication service appears automatically.
• If there is sensitive information, the service can request AutoPassword authentication again to verify the user.

AutoPassword use case (3/5)

• Windows PC / Windows Server Logon
• AutoPassword is well integrated with the Windows OS login service.
• User authentication is done by AutoPassword, and the Windows user password itself is automatically changed by the Windows login agent program whenever a login is successful.
• The Windows login agent changes the Windows user account password to a randomly generated, high-complexity value.
• Because the Windows user password stays inside Windows, it is not exposed to others.
• The Windows login service is implemented using the Microsoft login kernel service.
• To log in to a Windows Server, an administrator or manager can use Windows Remote Desktop Connection.
• If a user wants to use a laptop outside the office, the user can log in to the OS using the AutoPassword offline PC password.
• If a user forgets to bring the mobile phone, the IT manager will temporarily change the login method to ID/Password.
• AutoPassword PC logon also provides an SSO service that covers web service login and PC application login.

AutoPassword Logon details

1. Automatically changes Windows account password
• If authentication is successful, the AutoPassword logon agent changes the Windows user account password to a randomly generated string that is known only to the AutoPassword logon agent.

2. Provides various logon methods
• AutoPassword Logon is well integrated with AutoPassword Enterprise to provide the Mobile OTP authentication service.
• Without the AutoPassword Enterprise OTP service, the user can log on with an ID/Password provided by the AutoPassword logon server.
• If the laptop is not connected to the internet or network during a business trip, the user can log in with the secure OTP service.
- First, the user needs to get approval from the IT manager for the offline login.
- The user needs to visit a web page to get the offline OTP, using a mobile phone or another PC.
• AutoPassword Logon is well integrated with Active Directory, and it is possible to use the AD authentication service.

[Figures: Login with Mobile OTP; Login with ID/PW; Offline PC Logon]


AutoPassword use case (4/5)

• Smart 2nd Step Verification
• AutoPassword is a good 2nd step verification method.
• Legacy 2nd step verification usually requires the user to type in the OTP code manually, which is inconvenient.
• When the user is authenticated by ID/Password, the AutoPassword service password appears automatically.
• Even if the user ID and password are compromised, the service is secured by AutoPassword.
• For financial transactions, AutoPassword can be used to sign the transaction, which protects it.

[Figures: 1st Step Verification by ID/PW; 2nd Step Verification by AutoPassword]

AutoPassword use case (5/5)

• Login for VPN and System Account
• AutoPassword can be easily applied to web-based SSL VPN login.
• For Linux CLI-based login, an interactive command-line AutoPassword is under development, targeting the 3rd quarter of 2018.
• If the Linux system supports RADIUS or AD, AutoPassword is applicable to it.
• AutoPassword can be applied standalone as one-step one-/two-factor authentication, and it is also applicable as a 2nd step verification method.

[Figures: System Account and VPN login; 2nd Step Verification on CLI environment]

Disruptive Features
• Explicit and concise validation of service authenticity
• Required action for user is approval of login
• Automatic user authentication
• Extendable authentication technology
• Using hi-tech security technologies

AutoPassword Disruptive Features (1/5)

1. Explicit and concise validation of service authenticity
• AutoPassword is the world's first authentication system in which the service first asks the user about its own authenticity.
• The user can concisely verify whether the service is valid simply by checking that two numbers match.
• Because users can check the service's validity, they do not need to worry about hijacking, phishing or pharming of the service.
• We named this service authenticity check the “Service Password” because the service asks the user to authenticate it.
• AutoPassword technology was introduced in a Gartner report as a “Well balanced authentication method”. (https://goo.gl/K1suYK)

[Figure: ❶ Service first asks user approval. ❷ Mobile Authenticator generates OTP by using contextual parameters. Service Authentication (Secret Key x Time x Mobile IP x Push ID x Session ID). Check the numbers are identical.]

AutoPassword Disruptive Features (2/6)

2. User just approves the request
• After entering the user ID, all the user needs to do is check the service's validity and “approve login” to the service.
• “Approving” is done simply by clicking the OK button. “Denying” is possible with the “Cancel” button.
• After the user’s approval, the user can enable additional device authentication using FIDO/Fingerprint/PIN.
• AutoPassword is a human-oriented authentication method because users decide whether to log in or not.

[Figure: User approves or cancels the login to the service; FIDO, Fingerprint, PIN]

AutoPassword Disruptive Features (3/6)

3. Automatic user authentication
• If the user approves login to the service, the smartphone authenticator application handles the remaining process automatically.
• The authenticator application generates the user OTP using the private key and the current time, and then transfers it.
• The website receives the user OTP from the mobile authenticator application and requests authentication from the authentication server.
• Once the user approves the service authenticity, all subsequent steps are processed automatically.

[Figure: Service Authentication (private key x Time x Mobile IP x Push ID x Session ID); User Authentication (Private Key x Time); Automatic User Authentication]
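
An added sketch (not eSTORM's code) of the two-number flow described in features 1 and 3: the service shows a Service Password bound to the login context, the phone recomputes it before the user approves, and a disposable user OTP then completes the login. The page lists only the inputs (secret key, time, mobile IP, push ID, session ID); HMAC-SHA256 with HOTP-style truncation, the 30-second step, and all names (`AuthServer`, `phone_approves`, `service_password`, `user_otp`) are assumptions.

```python
import hashlib
import hmac
import secrets
import struct

STEP = 30  # assumed OTP time step in seconds; the page does not state one


def _code(key: bytes, label: str, *fields: object) -> str:
    """HMAC the length-prefixed fields and truncate to 6 digits (HOTP-style)."""
    msg = label.encode()
    for f in fields:
        raw = str(f).encode()
        msg += struct.pack(">H", len(raw)) + raw  # unambiguous field framing
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    off = mac[-1] & 0x0F
    num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{num % 1_000_000:06d}"


def service_password(key, now, mobile_ip, push_id, session_id):
    """Number shown by the service and recomputed on the phone."""
    return _code(key, "service", now // STEP, mobile_ip, push_id, session_id)


def user_otp(key, now):
    """Disposable user OTP sent by the phone after the user approves."""
    return _code(key, "user", now // STEP)


class AuthServer:
    def __init__(self):
        self.keys = {}      # user id -> shared secret set at registration
        self.sessions = {}  # user id -> (session_id, mobile_ip, push_id)
        self.used = set()   # (user id, time step) pairs already accepted

    def register(self, user):
        self.keys[user] = secrets.token_bytes(32)
        return self.keys[user]

    def start_login(self, user, now, mobile_ip, push_id):
        session_id = secrets.token_hex(8)
        self.sessions[user] = (session_id, mobile_ip, push_id)
        key = self.keys[user]
        return session_id, service_password(key, now, mobile_ip, push_id, session_id)

    def verify(self, user, otp, now):
        step = now // STEP
        if user not in self.sessions or (user, step) in self.used:
            return False  # no pending login, or OTP already consumed
        ok = hmac.compare_digest(otp, user_otp(self.keys[user], now))
        if ok:
            self.used.add((user, step))
            del self.sessions[user]
        return ok


def phone_approves(key, now, mobile_ip, push_id, session_id, shown_on_page):
    """Phone recomputes the Service Password; approve only on an exact match."""
    mine = service_password(key, now, mobile_ip, push_id, session_id)
    return hmac.compare_digest(mine, shown_on_page)


def demo():
    now, ip, push = 1_522_886_400, "203.0.113.7", "push-token-1"  # constructed
    srv = AuthServer()
    key = srv.register("alice")
    sid, shown = srv.start_login("alice", now, ip, push)
    genuine = phone_approves(key, now, ip, push, sid, shown)
    # A look-alike page lacks the key, so the number it shows differs
    # (modelled here as any other 6-digit value).
    fake = f"{(int(shown) + 1) % 1_000_000:06d}"
    lookalike = phone_approves(key, now, ip, push, sid, fake)
    otp = user_otp(key, now)
    first = srv.verify("alice", otp, now)
    replay = srv.verify("alice", otp, now + 1)  # same OTP presented again
    return genuine, lookalike, first, replay
```

In this sketch the mismatch case is what lets the user cancel before any user OTP leaves the phone, and the `used` set is what makes a captured OTP worthless on replay.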

AutoPassword Disruptive Features (4/6)

4. Extendable Authentication Service
• AutoPassword provides the same user experience for various services such as Web Portal, Financial Service, Cloud Service Security, IoT ecosystem security, Windows OS login, and Linux OS login.
• AutoPassword integrates easily with services and is simply activated through a convenient registration process using the same authenticator application.
• In particular, it uses OTP, a lightweight authentication method, and provides a library for easy integration, so it can be rapidly applied to IoT devices such as CCTV.

[Figure: Cloud; Fintech; IoT; Portal; Windows]

AutoPassword Disruptive Features (5/6)

5. Applied ultra high security technologies
• AutoPassword combines a superb user experience with the integration of world top-class security technologies.
• Applied technologies: the international standard FIDO, which integrates biometric authentication and PKI technology; user mobile IP address verification technology; and NSHC mobile application shielding technology (OS hacking prevention, screen capture prevention, and mirroring prevention).
• AutoPassword has completed integration with TrustZone for enhanced H/W-based security and is cooperating with Samsung and LGE to provide FIDO service.
• Integration with IBM Security Access Manager was completed, along with registration as a technical partner of IBM.

[Figure: PKI; Biometric Authentication]

AutoPassword Disruptive Features (6/6)

6. Performance Factors
• 300 user logins completed per second
- One login means from the initial login attempt to service login success.
• 8 Core / 8GB Memory
- Shows best performance on generic servers.
• 1,000 Simultaneous Users
- The number of concurrent users for one server is 1,000; it is limited by Tomcat service concurrency.
• 100 bytes per message
- The message payload from the mobile phone to the server is about 100 bytes and requires low bandwidth.

AutoPassword Integration

• Works for integration
• The service provider needs to do the two things below:
(1) Prepare a basic Java environment for running the Java application (RelayServer).
(2) Change the login screen to display the unique AutoPassword-style logon and integrate it with the RelayServer process.

[Diagram: AutoPassword integration]
Labels: User Terminal; End User Service Connection; Customer Service Server (Customer Service, Relay Server, JDK / JRE / JVM, Host OS); Communication for Authentication (SSL/VPN); Authentication Server (Console, AutoPassword Package, Web Service, PostgreSQL, JDK / JRE / JVM, Linux (CentOS)); Authenticator (Download App from AppStore); AppStore
Notes on the diagram:
• Provides RelayServer Java Application
• Provides RelayServer Integration Guide and Sample
• To provide JDK / JRE / JVM Environment

AutoPassword References

• AutoPassword B2C reference sites
• AutoPassword is used for website logon, web applications, PC login, PC applications, VPN authentication, and IoT device authentication; the list below covers the website login cases.
• The set of websites is being extended; currently working with spla.co.kr, which provides the Microsoft SPLA service.

ShoppingAgent.com, OKKY.co.kr, KMUG.co.kr, FreeShielding.com

AutoPassword Customers and Partners

• AutoPassword B2B customers and partners
• Used for KT (Korean major mobile operator) VPN service for employees.
• Preparing an authentication service for government organizations with OPA (a government-related association).
• Integration has been done, and a product for customers is being prepared with a Korean cloud service provider.
• Integration has been done for SSL VPN 1st step verification and 2nd step verification.
• Registered as an IBM business partner, and integration with IBM Security Access Manager has been done.
https://exchange.xforce.ibmcloud.com/hub/extension/22500d4920e3f36aa9b3c67c2ecba585
• Used for login protection of an enterprise secure network file service solution and for groupware login.
• Signed an NDA to cooperate on FIDO and security business.

Contacts

• Contacts for AutoPassword
• What is DualAuth?
- DualAuth, the Human Oriented Mutual Authentication technology, is a next-generation technology that has received attention at global tech competitions in places such as Seoul, New York, London, Tokyo, and Hong Kong.
- DualAuth LLC was established by eSTORM in the U.S. in order to provide its automatic mutual authentication technology globally.

• Website: www.DualAuth.com
• Email: sales@dualauth.com
• Phone: +1-813-445-7472
• Address: 280 Worcester Rd Suite 102 Framingham, MA 01702

• Name: eSTORM Co., Ltd.
• Motto: Helping People Do the Right
• Established in: 1999
• Address: Namsung Plaza #1310, #1311 130 Digital-ro, Geumcheon-gu, Seoul 08589
• Phone: +82-2-6925-0290 (Ext. 500)
• Contact: BongHo Kang, bhkang@estorm.co.kr

Thank you
