The company's chief technology officer and co-founder, Kamil Kreiser, told iTWire during an interview that as far as he was aware there were no competitors which used similar technology.
"Our patented technology protects the user’s secret PIN (knowledge factor) so that the user’s PIN is never entered, transferred or stored anywhere, except in the user’s memory, making the user’s secret PIN safe from capture and compromise," he explained.
Kreiser describes himself as "a technology entrepreneur and inventor at heart with multiple exits and some failures under his belt".
"The company has been able to develop a solution that allows a user to prove they know a secret without ever revealing it (achieving a zero-knowledge password proof), without the use of an algorithm or the need to store the user’s secret PIN anywhere except in that user’s memory – this is unique and a significant advancement for security generally," he claimed.
He said the breakthrough had been recognised both through market traction (with key deployments with legal, financial and government sites) and when TokenOne became the first Australian company to be selected for a US National Cybersecurity Centre of Excellence consortium project.
Apart from his technical expertise, Kreiser has spent more than 15 years as a business consultant in the development and implementation of growth strategies for SME, corporate and international clients, including Suncorp, AWA, Flight Centre, DC Strategy, Darrell Lea, Gizmo, Xpresso Delight, Pie Face and many others. He was interviewed by email.
iTWire: Can you describe, in layman's language, the security model adopted for the TokenOne technology?
Kamil Kreiser: Cyber crime is increasing at a dramatic pace and has now significantly overtaken the illegal drug trade as a revenue generator for criminal organisations. More problematically, with a US$3 trillion global cost in 2015 and a projected US$6 trillion cost in 2021, the number of attacks is only predicted to grow.
At the core of these attacks is the theft and re-use of weak and compromised passwords. The 2017 Verizon Data Breach Investigations Report states that 81% of all data breaches are a result of theft and re-use of weak or stolen passwords.
The issue with passwords is not only that we’ve got far too many and either write them down, re-use them or just forget them. But the real problem is you have to reveal your password (by typing it into a computer or speaking over the phone) which makes the password vulnerable to theft and re-use. Sounds obvious, but no one ever thinks of it that way because there’s never been any alternative – till now.
TokenOne’s patented technology ensures you never enter, reveal or transmit your secret TokenOne PIN. And uniquely, it’s never stored anywhere either, except in your memory. This means no-one can determine your secret PIN to steal your identity and impersonate you. Not a hacker, or TokenOne or even a rogue employee of the service you’re trying to access.
This new approach to dealing with secrets, or the Knowledge Factor in authentication security (the "something you know"), not only makes the TokenOne solution extremely secure but also allows TokenOne to be implemented alongside existing and emerging technologies, like biometrics, as a way of strengthening the overall solution.
In what way is it superior to using, say an RSA token and generating an authentication code for each transaction?
RSA, as well as other authentication solutions, complement their algorithmically generated OTP with a password to ensure that the authentication is done by the registered user and not merely someone who had access to that device or algorithmically generated code.
Passwords are now recognised as the weakest link in the authentication solution chain as the password is a credential that can be compromised and re-used by a hacker. Solutions that complement their authentication mechanism with a password, therefore, have a potential inherent flaw in that authentication chain.
The ultimate goal with any knowledge factor, whether a complement to another factor or as a stand-alone solution, is to have a zero-knowledge password proof – a way for the user to prove they know their secret knowledge factor without ever revealing it. TokenOne achieves this through its patented approach and secures the knowledge factor in a way that cannot be compromised.
TokenOne is unique when compared to other authentication solutions like RSA tokens (both hardware and software versions) because:
- TokenOne is not based on an algorithm. This ensures that TokenOne is not vulnerable to someone cracking an algorithm and compromising multiple accounts and all the reliant services.
- With TokenOne, the user’s secret PIN is never revealed. TokenOne is a "Zero Knowledge Password Proof" which simply means I can prove to you that I know my TokenOne PIN, and therefore it definitely is me (a crucial difference to RSA tokens) BUT without revealing my PIN to you so you can’t steal and re-use it to impersonate me to commit fraud and identity theft.
Scalable deployments are often dependent on users being able to self-create their PIN and manage their account on an ongoing basis. While many clients choose to manage the process of deployment, TokenOne also allows full self-management of the account by the user following rules of identity verification and provisioning set by the organisation.
How do organisations like banks or finance companies react when you approach them (assuming you have) about taking up the TokenOne technology?
Escalating incidences of mass data breaches, and media coverage of them, are driving increasing legal obligations on organisations to protect private and confidential user data (employees and customers). As a result, the appreciation for the need for strong authentication, rather than just weak passwords, is increasing correspondingly.
Organisations that understand the principles which underpin TokenOne’s approach to protecting the "something you know" or "Knowledge Factor" in authentication security are excited about the possibility of deploying a solution that (a) keeps the bad guys (hackers) out and (b) ensures authorised users can be held legally and provably accountable for what they do and what they access where confidential, private or sensitive information is concerned.
Does having a smartphone app as an intermediary not add one more step in the process which can be exploited? Especially since you cater to Android and Windows as well?
TokenOne is based on tried and tested "One-Time Pad" principles from the Cold War and before. One-Time Pad is the only universally accepted form of uncrackable encryption used by spies and the intelligence community for decades for highly secure covert communications. At its core, what we have done is to take One-Time Pad principles and apply them to user authentication (proving you are you) rather than secure messaging.
The one-time pad, which used to be a code book, is now the TokenOne app on a smartphone. However, the user’s secret PIN is not stored on that phone (or in the TokenOne server) so an attack on the user’s TokenOne app won’t reveal the user’s PIN to the hacker.
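The answer above rests on the one-time pad's perfect secrecy: a captured pad ciphertext is consistent with every possible plaintext, so it reveals nothing about the secret. The following added example (not TokenOne's code, and not a description of its patented mechanism; the PIN, pad and helper names are constructed for illustration) shows that property on a PIN-sized message, and the one caveat a practitioner checks for: reusing a pad cancels the pad out and leaks the XOR of the two secrets.

```python
import secrets


def otp_xor(data: bytes, key: bytes) -> bytes:
    """XOR a message with an equal-length key; encryption and decryption are the same operation."""
    if len(key) != len(data):
        raise ValueError("a one-time pad key must be exactly as long as the message")
    return bytes(d ^ k for d, k in zip(data, key))


def consistent_key(ciphertext: bytes, candidate_plaintext: bytes) -> bytes:
    """Return the pad under which `ciphertext` decrypts to `candidate_plaintext`.

    One always exists for any same-length candidate, so an eavesdropper holding
    the ciphertext cannot rule out any PIN: this is the perfect-secrecy argument.
    """
    return otp_xor(ciphertext, candidate_plaintext)


def pad_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """What an eavesdropper learns when the same pad protects two messages.

    c1 XOR c2 == (p1 XOR pad) XOR (p2 XOR pad) == p1 XOR p2: the pad cancels,
    which is why "one-time" is the load-bearing word in "one-time pad".
    """
    return otp_xor(c1, c2)


def demo() -> bool:
    # Constructed sample: a four-digit PIN protected once under a fresh random pad.
    pin = b"4821"
    pad = secrets.token_bytes(len(pin))
    ct = otp_xor(pin, pad)
    if otp_xor(ct, pad) != pin:
        return False
    # Every other four-digit PIN is equally consistent with the captured ciphertext.
    for other in (b"0000", b"9999", b"1234"):
        if otp_xor(ct, consistent_key(ct, other)) != other:
            return False
    # Reusing the pad for a second PIN leaks pin XOR other_pin, independent of the pad.
    ct2 = otp_xor(b"1234", pad)
    return pad_reuse_leak(ct, ct2) == otp_xor(pin, b"1234")


if __name__ == "__main__":
    print("perfect secrecy holds, pad reuse leaks:", demo())
```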
You have mentioned three factors on your website to explain the tech: the knowledge factor, the possession factor and the inherence factor. Can you elaborate on these three?
In authentication security there are three categories or "factors" of authentication that can be used to prove you are you in various scenarios such as logging in to a secure website, transacting, confirming identity over the phone or accessing an ATM or physical space (e.g. an office or secure space):
- Something you have (the possession factor) – possession of a physical device like a smartphone or hardware token (e.g. RSA Tokens);
- Something you are (the inherence factor) – a biometric such as fingerprint, face or voice; and
- Something you know (the knowledge factor) – prior to TokenOne this was weak and insecure passwords that don’t change from one authentication challenge to the next so that, if compromised, can be re-used.
TokenOne’s focus is to revolutionise the Knowledge Factor to enable the user to prove knowledge of their secret PIN (knowledge factor) without ever having to reveal it.
Importantly, "two-factor authentication" or "three-factor authentication" requires a combination of these factors (e.g. a biometric and knowledge of a PIN), never two or three of the same factor (e.g. not two physical devices or three biometrics).
As a result, TokenOne actually complements biometrics and hardware devices, rather than competing with them in some way, to provide very high security solutions as required by our clients.
Are there other companies that have similar technology and compete in your space?
Not as far as we are aware. TokenOne’s patented technology is unique in the way it protects the user’s secret PIN (knowledge factor) so that the user’s PIN is never entered, transferred or stored anywhere, except in the user’s memory, making the user’s secret PIN safe from capture and compromise.
Under what circumstances could your authentication system be broken by an attacker?
Organisations around the world spend vast amounts of money on firewalls, VPNs, data encryption and intrusion prevention technologies. However, if the wrong person (a hacker) can pretend to be the right person (the authorised user) they can circumvent all the data protection systems and simply walk in the front door. This is why TokenOne is such a profoundly important technology.
Similarly, if vulnerabilities exist in the data protection systems, the strongest forms of authentication security like TokenOne won’t be able to prevent hackers accessing that data if they can find a side door to circumvent the need to authenticate themselves.
Why is your company still so low-key? Is it that you are not big-noters or are you waiting to see how things go before making a little more noise about what you have to sell?
Rather than focusing on promotion of the TokenOne brand, we enable our partners, such as software vendors and managed service providers, to white-label our technology and go to market with their own branded products.
How did you come to be selected by the US National Cybersecurity Centre of Excellence to be part of a consortium to tackle ID theft and fraud?
In September 2016 our chief executive, Phil Cuff, was invited to present at a high-level cyber-security event at Pentagon City just outside Washington DC. The audience included senior US military and intelligence community personnel as well as cyber security professors and experts from around the world. Cuff was asked to present “A One-Time Pad for the Digital Age” and why TokenOne is in the national interest of the United States and other countries.
As a result of this presentation we were then invited to present to the team from NIST (National Institute of Standards and Technology) at the US National Cybersecurity Centre of Excellence in Rockville, Maryland.
Any moves to market your technology in China or India?
TokenOne believes there is a universal benefit for both companies and users everywhere to protect their accounts in a way that cannot be compromised. The market for the TokenOne solution is therefore global.
Currently, TokenOne’s core market is Australia with expansion into the US and Europe starting in 2018. However, we have filed patent applications in multiple countries and regions including China, South Korea, Japan, Brazil and Mexico, as well as Europe and the US.
Absolute security is said to be impossible. What is your watchword as far as security goes?
Security is only as strong as the weakest link. We’re very keen to ensure our partners and clients look at the whole picture of cyber security and cyber risk to ensure our authentication security technology cannot be circumvented.
Most importantly, we need to make sure that the approach to the knowledge factor evolves away from credentials that cannot be stolen, compromised or re-used by hackers.