NetAuthority Develops Dynamic Key Security Client for Accessing Web Apps

 
 
By Robert J. Mullins  |  Posted 2012-05-22
 
 
 

Device security startup NetAuthority emerged from stealth mode on May 22 with a beta product it says protects access to Websites, Web-based applications and software as a service apps with a layer of security that basic username and password technology doesn't provide.

The NetAuthority security application installs a lightweight software client on each registered device, such as an employee's desktop, laptop, smartphone or tablet computer. The client generates a dynamic device key that is authenticated by the NetAuthority Device Authentication Service to grant access to authorized users. All this happens while users enter their usernames and passwords on the target Website, and the authentication is done without any extra steps required of the user.

The authentication process adds security without adversely affecting the user experience, said Chris Brennan, founder and CEO of NetAuthority, which was organized in September 2011. The authentication client can protect Website customers when they access their bank accounts and it can secure various sales applications that access customer relationship management information or the increasing array of software as a service (SaaS) offerings.

There are security systems that deliver multifactor authentication through the use of external tokens or digital certificates, but they can be complex, expensive and require extra steps on the part of the user that can diminish their experience, Brennan said.

"In financial services, a bad user experience leads to a lack of customer loyalty and increased customer churn," he said.  "They're not going to use a technology that introduces frustration to their users."

Another major advantage of the technology is that the end-user device is registered with NetAuthority and tied to a specific user. That prevents a cyber-criminal from accessing someone else's checking account by stealing the account holder's username and password. If they're not logging in from the registered device, the criminal can't get in.

When a user is at the log-in screen of a particular Website or Web app, the application on the device executes a function call to NetAuthority, which confirms the device is registered and sends a small encrypted file back to the device to generate the key and provide access, Talbot Harty, vice president of product management and development for NetAuthority, explained.

The exchange between NetAuthority and the device is encrypted so that it can't be picked off in the air by a cyber-criminal launching a so-called man-in-the-middle attack, Harty said. Also, a new authentication key is created each time someone logs in, so even if the key is stolen, it won't be of any use to the thief later on.

"[Because] it generates a unique dynamic device key for each session, it's not static like a digital certificate or a cookie that can get ripped off or cloned," he said.

Concern about Web security is growing as network and data breaches continue to spread, and as consumers and workers increasingly depend on Web access from mobile devices. Cyber-criminals are also constantly finding new ways to steal passwords, user identities, credit card numbers and other valuable information.

NetAuthority cited a study conducted by the Ponemon Institute for antivirus software vendor Symantec that said that the average cost of a security breach by a company was $7.2 million in 2010.

Rocket Fuel