
Friday, 07/20/2018 4:15:03 PM


Post# of 249339
How Web Authentication May Change the Future of Passwords

Shouldn't Web Authentication or similar products have the premier TPM management company (Wave) and its product ESC/ETS used to help manage the TPM?

https://www.programmableweb.com/news/how-web-authentication-may-change-future-passwords/how-to/2018/07/19

Using WebAuthn, or Web Authentication, clients can be verified with their phones, hardware keys, or trusted devices. In his article, Nick Steele explains the new standards in web authentication, followed by registration and authentication where you’ll find PIN and biometrics access methods, then he comments on how web browsers use a credential manager API.

Web Authentication

Trusted platform module devices that secure hardware through crypto keys and mobile phones are two of the many ways to authenticate via the web. Users can be authorized by fingerprints with biometric verification, although additional bio methods exist like retina and iris patterns, hand geometry, earlobe geometry, voice waves, and DNA. When a customer is accessed via web, passwords no longer will be necessary.






Registration

When a user registers, the created credential confirms to the web app owner that access is granted. This method replaces ordinary U2F cases, in which one security key instantly validates user presence. U2F is used by Facebook, Gmail, Dropbox, Salesforce.com, and GitHub. Think about the times when you’ve confirmed identity to Gmail by entering a number they send you via text message on your phone.

The author clarifies registration with an example: A user visits the website cat-facts.com from a laptop, registering for an account. By pressing the registration button, a prompt on their phone says “Register with cat-facts.com.” When they accept the request, the user could use a PIN or a biometric action (like a fingerprint) that will be linked to the created account. This action will display a confirmation: “Registration complete!” This user is now registered and the system has recorded the authorization gesture for future access.

The same image the author shares makes me think of my phone when I download an app from the App Store.

Authentication

The credential created by the user is a keypair, a public key associated with a private key. The device the user is trying to authenticate will send verification data to prove user identity. When the user confirms presence, the data will be returned signed by the credential private key, authenticating the user to the device.

To demonstrate WebAuthn, let’s imagine a user registered a second account at the site example.com and the person is browsing on a phone. As the user types the address example.com, the option to log in is chosen and two accounts will be displayed. The user will select the account and then be prompted to enter a PIN or a biometric authentication linked to the account.

Credential manager API and… the end of passwords?

WebAuthn aims to provide unique biometric multi-factor authentication, like a fingerprint from a smartphone, voice, or retina. Eye verification would be from a short range distance, although an iris scanner that captures an eye from 40 feet away has already been developed by the Carnegie Mellon University College of Engineering. The idea is to authenticate with particular traits to increase security and replace passwords.

WebAuthn currently only supports two-factor authentication that in most cases includes username and password in addition to authentication via smartphone. If a biometric verification is not accessible, entering a PIN can work because still, it will be browser-protected by Google, Microsoft, and Firefox. Verification stored by browsers could be handled by a Credential Manager API that Google uses in Chrome. As W3 defines, the API enables a website to request a user’s credentials from a user agent, helping the user agent correctly store user credentials for future use.

The end of passwords is not near yet. The author predicts Firefox and Google could release the WebAuthn API within the next months.

He has developed a web app in Go hosted on GitHub to demonstrate how WebAuthn registration and authentication work. You can try out the code via webauthn.io, a Firefox Night Build.

https://www.wavesys.com/products/embassy-security-center

This puts the endpoint in endpoint security

A key piece of the Wave alternative, Wave’s EMBASSY® Security Center is what lets you manage all the functions of your Trusted Platform Modules (TPMs) and self-encrypting drives (SEDs)—hardware security features already embedded in most business-class PCs and tablets. When installed on each of your desktops, laptops, tablets, and so on, this feature-rich software carries out the commands you issue remotely with our EMBASSY server products.

Key Features:



Easy security compliance
• When your endpoints are secure and reporting is in place, you’ve got compliance covered

Data protection
• Configure your VPN so that only authorized machines can access it from the outside
• Multi-factor authentication options include any combination of individual passwords, a master password, biometrics, smart cards, or a TPM PKI certificate
• Easy backup and recovery of TPM keys in case of malfunction of the TPM, motherboard, or hard drive
• Enables hardware-based pre-boot authentication to the encrypted hard drive (if equipped)

Simplicity
• Central management of security policies at the machine and user levels via our EMBASSY Remote Administration Server
• Deploy TPMs from multiple manufacturers using a single management system
• Deploy SEDs in minutes that integrate seamlessly with single sign-on (SSO) to Windows and Windows password synchronization

No compromises
• More security without more passwords to remember
• Your devices will perform just the same—our software makes them safer, not slower

Windows 8 Compatibility

• Compatible with Windows 8.1, 8, 7 and Vista operating systems – manage mixed environments from one console


• ESC supports Windows 8 Pro & Enterprise tablets so the same tools can secure all your enterprise endpoints


Application development
• Accelerate your application development, determine compatibility of your application and the TPM by using Wave’s Cryptographic Service Provider or Key Storage Provider, both included with the Embassy Security Center
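
The authentication step summarized in the article text above (a credential keypair, with the site's verification data returned signed by the private key), shown as an added Go example that is not part of the post, the article, or Nick Steele's demo app. It is a simplified model: real WebAuthn signs authenticator data plus a hash of the client data, and the `clientData` struct, the function names and the look-alike origin are constructed for illustration.

```go
package main
import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// clientData is a simplified stand-in for WebAuthn's clientDataJSON.
type clientData struct {
	Challenge []byte
	Origin    string
}

// sign plays the authenticator: after the user's PIN or biometric gesture it
// signs the challenge and the origin it saw (errors ignored for brevity).
func sign(priv *ecdsa.PrivateKey, challenge []byte, origin string) ([]byte, []byte) {
	cd, _ := json.Marshal(clientData{challenge, origin})
	h := sha256.Sum256(cd)
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, h[:])
	return cd, sig
}

// verify plays the site: the response must echo the challenge it issued,
// name its own origin, and carry a valid signature under the stored public key.
func verify(pub *ecdsa.PublicKey, issued []byte, origin string, cd, sig []byte) bool {
	var got clientData
	if json.Unmarshal(cd, &got) != nil || !bytes.Equal(got.Challenge, issued) || got.Origin != origin {
		return false
	}
	h := sha256.Sum256(cd)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

func demo() (ok, replay, wrongOrigin bool) {
	const site = "https://example.com"
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // registration: site keeps only priv.PublicKey
	c1, c2 := make([]byte, 32), make([]byte, 32)
	rand.Read(c1)
	rand.Read(c2)
	cd, sig := sign(priv, c1, site)
	ok = verify(&priv.PublicKey, c1, site, cd, sig)
	replay = verify(&priv.PublicKey, c2, site, cd, sig)   // old response against a fresh challenge
	cd2, sig2 := sign(priv, c2, "https://lookalike.test") // constructed look-alike origin
	wrongOrigin = verify(&priv.PublicKey, c2, site, cd2, sig2)
	return
}
func main() { fmt.Println(demo()) }
```

Only the first check passes: a captured response fails against a fresh challenge, and a signature produced for another origin fails at the real site, which is what a reusable password cannot offer.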