
WTG New Technology Corp / Passfaces Corp

About the Companies

The Companies

WTG New Technology Corporation (NewTech) is a technology transfer company specializing in the Washington DC market. Passfaces Corporation is a security technology company, featuring Passfaces, a bi-directional, two-factor, cognometric authentication system based on a patented technology that leverages people's innate ability to recognize faces.

The Mission

To provide the online world with a secure, usable and affordable strong authentication solution and a practical alternative to tokens and biometrics.

More About Passfaces

Passfaces: Strong / Two Factor Authentication and Phishing Protection

- Used primarily in Banking and Healthcare
- Also used – without problem – for 8 years by a major branch of the US Government
- Core technology is cognometrics, the human brain’s innate ability to recognize familiar faces
- Patents granted world-wide
- Deployed without hitch to users at a major credit union in 2008
- Selected by major healthcare provider with users in 2009
- Customers include:
  - Royal Credit Union
  - CU Service Provider

Why Strong Authentication?

Strong authentication is an essential enabler for the provision of online services. It is needed for:

- Transaction & Data Protection, e.g. online banking, Personal Health Records
- Compliance, e.g. FFIEC, HIPAA
- User Reassurance / Trust: insecure users won’t use online services

And because passwords:

- can be guessed or “cracked”
- are written down
- and people use the same one everywhere
- users forget them (and call the help desk)
- and, most critically today, they can be phished!

“Passwords are the weakest of weakest links” – Bill Gates

Why Passfaces?

Passfaces provides strong authentication – and phishing protection – without pain!

Easy to deploy
- Leverages existing password infrastructure
- No user hardware or software – works in browser
- No new servers or databases

Easy for users
- No device to lose or forget
- No personal questions/answers to remember
- Machine & location independent – i.e. fully portable
- Built-in anti-phishing does not require user attention

Easy for administrators
- [Almost] no resets
- Actually liked by users

Easy on budgets
- Less than one tenth the cost of tokens
- Save on purchase, implementation and support

Passfaces is Different

Passfaces is a graphical authentication system

- Graphics and images are among the simplest and most effective means to communicate and interact with people
- But, like a password, you still need to recall a graphic or image

Faces are Different

- The brain uses a dedicated, intuitive process to “learn” and remember faces
- The brain recognizes, not recalls, faces
- Face recognition is a universal skill – independent of age, language or education

Source: Face Recognition: A Literature Survey. National Institute of Standards and Technology

Passfaces Strong Authentication

- Passfaces provide a simple, but powerful, means of overcoming the vulnerabilities of passwords
- Passfaces are used with a password to provide two factor or strong authentication
- For two-factor authentication, users are typically assigned 3 secret passfaces in addition to their password

[Screenshot: “Here are your Passfaces”]

Passfaces Strong Authentication

- To log on, users pick out one of their Passfaces from a challenge grid of 9 faces
- Each challenge grid contains 1 Passface and 8 decoy faces
- The process is repeated for each of the users’ Passfaces

[Screenshot: “Click On Your Passface”]

A Credit Union Demonstration

For your convenience, we would like to show you a brief demonstration of a credit union's use of Passfaces for their online members

Strong Authentication Requirements

1. Security – better than passwords alone
2. Usability – no complex pass codes or procedures
3. Non-Intrusive – users are averse to change and reluctant to do more
4. Visibility – users want to see that companies are increasing security
5. Mobility – users log on using different PCs in different locations
6. Consistency – of user experience
7. Reliability – no false rejection, no system errors, no user errors
8. Bidirectional – verify the User to the Site AND the Site to the User
9. Flexibility – for varying risk levels and customer choice
10. Easy Integration – with current systems and procedures
11. Low Cost – Procurement, deployment and ongoing maintenance

Source: Gartner Inc.

Usability is key – especially for consumers. If they can’t or won’t use the security system, then it won’t work!

What Are the Alternatives?

- Biometrics
- Smart Cards
- Tokens
- Crypto Cookie
- Code Cards
- Keypad Scrambler

Strong Authentication Alternatives

[Comparison chart: Passfaces, Virtual Keypad, Biometrics, Risk Analysis, Code Cards, Crypto Cookies, Smart Cards, Tokens and Personal Pictures, each rated Good / OK / Bad on Security, Bidirectional, Intrusiveness, Visibility, Usability, Mobility, Management, Integration, Rollout and Cost]

Passfaces is unique in meeting all the requirements for strong authentication

Passfaces For NFCU

Integrates Passfaces with any Internet platform

Includes:
- Server-side code
- Passfaces Web Clients
- Administration Console
- Reference Implementations
- Detailed integration information
- Passfaces Image Library

Existing Web Application Integrated with Passfaces Web Access

[Architecture diagram. Components shown: End User Client (JavaScript, ActiveX, or Java; no software or installation required); Web Server; Application Server (Windows, Java, or SDK); Existing User Database (ODBC or LDAP connector or JDBC/JNDI interface); Face Library; Passfaces Admin]

Passfaces Web Access: Separate Passfaces Server

[Architecture diagram. Components shown: Web Users; Passfaces Web Client (JavaScript, ActiveX or Java; no installation); Internet; Web Server/Outlook Web Access; Existing Application Server; Passfaces Server (Windows IIS or Java); SSL; SQL Database or LDAP Directory Server; AD or SQL Database or LDAP Directory Server; Administrator; Passfaces Admin Console]

Passfaces Web Access – Architecture for SSL VPN Connectivity

[Architecture diagram. Components shown: Web Users; Passfaces Web Client; SSL; DMZ; Passfaces Server (Windows IIS or Java); SSL/VPN; Login information and control; Corporate Network; Corporate Resources; Passfaces Admin Console; AD or SQL Database or LDAP Directory Server]

Passfaces Web Access – Architecture for Citrix Connectivity

[Architecture diagram. Components shown: Web Users; Passfaces Web Client; SSL; DMZ; Passfaces Server (Windows IIS or Java); Citrix Server; Login information and control; Corporate Network; Corporate Resources; Passfaces Admin Console; AD or SQL Database or LDAP Directory Server]

Everything Needed to Add Passfaces

- Administration Console
  - Web Based (Java application servers)
  - Windows (Microsoft IIS)
- Server-side code
  - Java class package
  - Java servlet (HTTP interface)
  - ISAPI extension DLL for Microsoft IIS
- Passfaces Web Clients
  - JavaScript / Java applet / ActiveX
- Reference Implementations
  - Sample JSP/ASP/HTML pages
- Detailed integration information
- Passfaces Image Library
  - Standard or Custom

Customizable User Interface

- Add Your Logo
- Change Background Colors

Integrated, Editable User Help Manual

Built In Help

- Link to Passfaces Help
- Modify Files to Create a Custom Help Manual
- Add Your Logo
- Easily edited HTML lets you add sections specific to your Web Access procedures

[Screenshot of a sample help page, “Thornberry Authentication”:]

User Authentication

Thornberry is adding Passfaces, an enhanced logon procedure, to our online services. The new process places an additional security lock to existing Online IDs and passwords. We are taking this step to provide the best protection possible for your online account information.

Users are required to enable Passfaces over the next thirty days. You will be prompted to enable Passfaces each time you login. We recommend you enhance your login security as soon as possible. The process takes from 3 to 5 minutes. We also recommend you View the Demo before starting the process.

NIST Acknowledgment of Passfaces?

From NIST 800.63 Appendix A2 page 61:

A.2 Other Types of Passwords

Some password systems require a user to memorize a number of images, such as faces. Users are then typically presented with successive fields of several images (typically 9 at a time), each of which contains one of the memorized images. Each selection represents approximately 3.17 bits of entropy. If such a system used five rounds of memorized images, then the entropy of system would be approximately 16 bits. Since this is randomly selected password the guessing entropy and min-entropy are both the same value.

It is possible to combine randomly chosen and user chosen elements into a single composite password. For example a user might be given a short randomly selected value to ensure min-entropy to use in combination with a user chosen password string. The random component might be images or a character string.
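
The arithmetic in the NIST passage, applied to the 3-Passface, 9-face-grid scheme the slides describe, as an added example (not Passfaces code): it computes the entropy per round and the blind-guess success rate under a lockout threshold, the check a deployer would run when sizing that threshold. The function names, face identifiers and the assumption that attempts are independent are hypothetical.

```python
import math
import secrets

GRID_SIZE = 9  # faces per challenge grid: 1 Passface + 8 decoys (from the slides)

def entropy_bits(rounds, grid_size=GRID_SIZE):
    """Entropy of `rounds` independent, randomly assigned selections."""
    return rounds * math.log2(grid_size)

def guess_success_probability(rounds, attempts, grid_size=GRID_SIZE):
    """Chance that blind clicking passes every round within `attempts` logins.

    Assumes the server reveals nothing until the last round and reshuffles
    grid positions each time, so attempts are independent.
    """
    p_single = (1 / grid_size) ** rounds
    return 1 - (1 - p_single) ** attempts

def max_attempts_for_risk(rounds, risk, grid_size=GRID_SIZE):
    """Largest lockout threshold that keeps blind-guess success <= risk."""
    p_single = (1 / grid_size) ** rounds
    return math.floor(math.log(1 - risk) / math.log(1 - p_single))

def build_challenge(passface, decoy_pool, grid_size=GRID_SIZE):
    """Build one grid: the user's face plus decoys, shuffled with a CSPRNG."""
    rng = secrets.SystemRandom()
    grid = rng.sample(decoy_pool, grid_size - 1) + [passface]
    rng.shuffle(grid)
    return grid

def verify_login(passfaces, clicks):
    """Check every round, but answer only pass/fail for the whole login."""
    if len(clicks) != len(passfaces):
        return False
    # Evaluate all rounds before deciding, so a failure does not reveal
    # which round was wrong. Face IDs are constructed ASCII strings.
    results = [secrets.compare_digest(p, c) for p, c in zip(passfaces, clicks)]
    return all(results)

if __name__ == "__main__":
    for rounds in (3, 5):  # 3 = typical assignment in the slides, 5 = NIST example
        print(f"{rounds} rounds: {entropy_bits(rounds):.2f} bits, "
              f"3-strike guess risk {guess_success_probability(rounds, 3):.6f}, "
              f"max attempts for 1% risk {max_attempts_for_risk(rounds, 0.01)}")
```

With three rounds the Passfaces step alone contributes under 10 bits, so the lockout threshold, not the grid, bounds online guessing.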

Customer Testimonials

“Passfaces is one of those products that just works… We installed it 7 years ago and have never had a problem with it… I see all these complicated new authentication systems being introduced by the banks and wonder why they don’t just use Passfaces.” CISO, US Government.

“We selected Passfaces as it not only raises the bar in terms of security, but it is both easy to use and to implement.” David Vandeven, President/CEO Midwest Independent Bank.

"ParadigmHealth was an early innovator of website security and authentication. Security and data privacy remain our focus, but now with Passfaces we are also highlighting the importance of increasing ease of use. Passfaces fully addresses the authentication requirements for the large-scale deployment of Personal Health Records." Tom Hagan, ParadigmHealth CIO.

“Thank you again for your support, your product is already making my life a lot easier and you can quote me on that if you like…” Paul Osnes, CIO Easter Seals of Southern California.

“Passfaces was so unique and we felt our client base would find it very much ‘cutting edge’. We wanted something exciting; something different that had security second to none. It excited our folks internally and I knew it would excite our client base as well.” Tom Leib, Product Manager RC Olmstead.

“Buckeye State Credit Union understands its members concerns for secure online banking. We feel that our member’s financial information is worth the best and most secure layer of authentication we could find. That is why we chose Passfaces. This is much more secure than asking questions like your mother’s maiden name or your favorite pet’s name, or choosing a static picture like a watermelon or a beach scene as your login sign.… Our initial rollout was far more successful than I had ever imagined. My staff and I were prepared and we set realistic expectations that were exceeded. Sometimes the right choice is hard to make but today I am confident that our member’s information is secure because of Passfaces.” Charles Stanfield, Information Systems Director, Buckeye State Credit Union.
