GateKeeper, open source site opened …
A new site has been opened to support the GateKeeper development effort.
GateKeeper is an authentication bar that operates from the Firefox browser chrome area (no access to remote scripts…) and allows password authentication using the SRP algorithm. This renders password authentication insensitive to phishing or other MITM attacks.
Additionally, the GateKeeper bar collaborates with a relevant authentication portal to authenticate the website that the user is about to enter (runtime certification…).
Sites that use GateKeeper authentication are completely immune to phishing or other MITM attacks. GateKeeper can use a static password or a KerPass OATH one-time password, the latter combination providing optimal resistance against brute force, spyware and MITM.
Meet us at l’Atelier in Paris.

L’Atelier is a Paris-based technological information group, also active in the US and Asia. L’Atelier is owned by the BNP-Paribas bank, and is quite unique in its focus on mobility applications.
The KerPass presentation will take place on the 29th May 2007 at 09:00. Depending upon the participants, the presentation is most likely to be held in French. The speakers, however, are fluent in English and will be pleased to answer your questions in that language.
Participants need to register on the Atelier website by following the red arrow link.
Will NFC emerge?
Like others, we are quite interested in the possibilities opened by the near field communication interface expected to be on a fair number of European smart phones by year 2011-2012. Our interest was initially sparked by questions asking us how the KerPass mobile transaction validation solution was related to the proximity payment systems based on NFC technologies. As of today, there is no relation between those two solutions except that both deal with personal transaction validation. While in Japan and other advanced Asian countries real-world point-of-sale payment systems allow a mobile phone to be used as a contactless payment card, the rest of the world is engaged in lengthy field pilot trials of payment/ticketing systems based on much the same technologies. In what follows we briefly mention what capabilities NFC adds to the ubiquitous smartphone, and give our view that point-of-sale transaction validation may be tackled as efficiently by leveraging what mobile phones already have.
One time password (Event or Time Synchronous …)
Search queries as tracked by this blog's statistics system have shown us that quite a few people have ended up here in search of information on which of these two one-time password systems is the best, if any. We believe that, when applicable, time-synchronous one-time passwords deliver more security than event-synchronous ones. Following are some explanations on where the added value is coming from.
Ask the demo …
Up and running: a complete demo application that lets you exercise all the features of the UST token. Contact us by email [demo at kerpass.com] to install the UST mobile client on your phone.
New KerPass web site
With the new features of the KerPass UST token (ECDSA signatures and OATH passwords), our six-month-old website was at risk of growing too large. Following discussions with some knowledgeable marketing guys, our attention was also drawn to the fact that the patient reader in quest of general information was not prepared to browse the site extensively. So the rewrite is over: we came up with something shorter, moving the detailed documentation to an easy-to-maintain wiki.
Why in-browser single sign-on matters
As we frequently visit the topic of in-browser single sign-on these days, we think it worthwhile to clarify why we see value in such technology. The two main benefits that single sign-on can deliver are:
- Helping to maintain the diversity of the web ecosystem
- Making web applications easier to secure
Maintaining biodiversity in the web ecosystem:
The lack of easy registration/sign-on across the large number of applications currently maintained on the web makes the emergence of second movers difficult.
Introducing GateKeeper, an in-browser single sign-on extension
We would like to share with the community a development on which the KerPass engineers are currently working. The shot above shows the GUI part (XUL widget) of the extension, which appears in the browser when an authentication request has been received. The extension allows a relying website to require the end user to authenticate at authentication portals that the relying site trusts for this purpose. GateKeeper is the much-needed missing part for in-browser single sign-on to happen reliably on the web.
Universal security token, pictures …
Some pictures of the coming-soon mobile universal security token, together with related user stories. For our fellow mobile application developers: during development we try to test on real devices as early as possible, and we use a low-end device for this. This allows us to be more efficient in addressing real-world issues, as simulators generally do not match real device performance well.
Photographing a phone display is a pain; fortunately we found a helpful girl who knows …
First start:
InfoCard/CardSpace getting the big picture …
Recent posts on this blog suggest our interest in “open” in-browser single sign-on systems. As a result we have been briefly discussing the perceived strengths and weaknesses of Yahoo BBAuth and the emerging OpenID standards. Regarding OpenID, it has appeared to us that the enthusiasm of the community is unfortunately not backed by sufficient technology to make the system applicable in the context of the wild open Internet. The recent announcement that CardSpace and OpenID are engaging in a marriage allows Microsoft to capitalize on the buzz created by OpenID. We now see OpenID as an empty shell (a remarkable online marketing success though …); the pressing question that remains to be addressed is: what is the value of this CardSpace stuff?