Arcot Systems Inc says it has developed a way of providing authentication for internet applications using a smart-card-style security technique that requires none of the investment in smart card hardware. A single software token or sign-on mechanism enables users to activate a collection of online accounts, each of which in itself may require a different password, PIN or other PKI Public Key Infrastructure certificate. Instead of using strong encryption to hide the password, the company’s ArcotCard software uses a camouflaging mechanism which generates a slew of bogus passwords in addition to the real one. The password which gives a user entry to applications is effectively hidden in stream of nonsense.
Like bank ATM smart cards which reject a card after three failed attempts at providing a PIN number, so Arcot’s server software can recognize fake passwords and deny access to applications. The software makes it difficult for anyone who tries and break security systems using computers to guess millions of passwords.
ArcotCard is a client applet the company will give away which also allows mobile users to access applications from any browser on the network. WebFort is server-based software that Arcot will sell for securing internet applications using ArcotCard. The 18- month-old Palo Alto, California-based company says it can work alongside existing PKI authentication systems such as Verisign or Entrust. It deploys certification management but goes one better than conventional PKI offerings which either require smart card hardware – which few PCs have – or default to conventional software containers or browsers at the front-end. These are susceptible, Arcot says, to the brute force approach of trying millions of passwords.
WebFort costs from $15,000 on NT, Solaris and HP-UX. Tibco Software is going to use Arcot to secure its publish-and- subscribe software used mainly by financial services companies. Arcot will focus on online business-to-business commerce, financial services and healthcare industries. It sees its chief competition coming from Security Dynamics.
