| Product
/ Technology
What is TiPSM?
TiP (Theft of Identity Protector) is a highly transparent
multi-factor web authentication product. TiP is typically
deployed where high-value web-based assets are protected
by username and password authentication, as it provides
a non-intrusive means of increasing security with minimal
impact on user convenience.
Why is TiP better
than physical biometrics?
The key advantages of TiP over physical biometrics is
severalfold. First, TiP is highly transparent. In most
situations the end user is not even aware of TiP’s
existence, versus having to carry a piece of hardware
around with them when they wish to authenticate. Injecting
TiP’s high security comes at little or no burden
to the user. Second, TiP is difficult to compromise.
Whereas PKI keys, smart cards and tokens can be stolen
along with their passwords and biometric access can
be compromised under duress, behavioral authentication
patterns and profiling are much more difficult to steal.
These are things even the protected customer does not
really know.
What are the main
benefits of your technology over other approaches?
The key drivers of our technology are:
- Transparency – Significant additional
security (fraud reduction, privacy
protection) with minimal impact to end-user
- Cost/Performance – Greatly increased
security for small impact on
convenience and deployability.
- Practicality – Other “strong
authentication” methods are simply not
practical for web-based resources which have a very
large customer base.
Hardware-based solutions such as tokens and smartcards
are expensive,
difficult to manage, and inconvenient to the typical
web user.
How does your product
work with existing Single Sign-on (SSO) solutions?
TiP is not a SSO solution in itself, but rather compliments
SSO solutions perfectly. The advent of SSO solutions
heightens the need for tighter security, because a single
gatekeeper is controlling the “keys to the kingdom”.
TiP interfaces with existing SSO solutions in the same
way it integrates with existing proprietary and individual
authentication resources--it simply sits between the
successful authentication event and the resource provided
access to, if successful.
What platforms does
TiP support?
TIP currently supports the following operating environments:
Operating Systems: Solaris 8, Windows 2000
Servlet Container: Apache Tomcat
Database: Oracle 8.x, mySQL
How do companies
integrate your product into their existing authentication
architecture?
TiP exists behind your existing authentication mechanism,
whether you are using a proprietary mechanism or a leading
Single Sign-On solution. TiP plugs into your existing
architecture with a straightforward API.
What is the basic
architecture of your product?
A TiP agent runs on your web servers. The agent communicates
with the TiP server, which resides behind your corporate
firewall alongside your existing authentication solution.
Incoming HTTP requests are passed along to the TiP engine
which calculates a confidence index (probability that
the user is authentic) and takes action accordingly.
If the user’s confidence score is too low, TiP
will provide for prompting the end user with a challenge
question.
What kind of user
load/throughput can TiP support?
TiP will perform commensurate with existing enterprise-class
single signon solutions, serving hundreds of authentications
per second. Specific performance numbers coming out
of our labs are 200+ authentications per second with
400 concurrent users on the following low-end hardware
profile:
- Intel x86 process running 600 MHz
- 512MB RAM
- Database (Oracle) on second
intel machine: AMD Athlon 1.4Ghz, 1GB RAM
We are currently testing the scaling
factor by running similar tests on different sized hardware
and fully expect it to scale smoothly to achieve superior
results on enterprise class hardaware. A typical enterprise
deployment might look something like this (will obviously
vary depending on usage profile and need):
- 2-4 CPU (~400Mhz) Sun SPARC Server
running Solaris 8
- 1-2GB RAM
- Dedicated Oracle Database running
on a separate similar machine.
Therefore incremental latency added to
existing authentication solution should be absolutely
minimal.
How do we accurately
profile users authenticating from AOL servers?
Although we don't know the precise geo-location information
from such users, we can resolve their location to the
country-level. Regardless, IP geographic location is
but one of many factors in determining the arrived-at
confidence index generated by TiP.
We are developing other creative solutions
such as placing a special TiP cookie on the user's machine
to add an additional point of validation in such cases.
The cookie is by no means beyond compromise (it could
be stolen), but, as with other factors, it would add
significant 'points' to the overall probability
that the TiP authentication assessment is 'correct'.
Corporate
Why did NetGeo change
its name to Verifia?
The change from NetGeo to Verifia reflects the company's
new focus on Internet security products, particularly
the areas of login authentication and online identity
verification. Verfia's new Theft of Identity Protector
(TiP) solution is a powerful application that provides
online fraud detection well beyond the capabilities
of our previous InfoScope product.
Other
What about InfoScope?
Verifia will continue to support InfoScope in accordance
with our customers' business needs and our contractual
agreements. Verifia values its InfoScope customers and
will continue to provide them with value-added solutions
for their business intelligence needs. In fact, Verifia
has incorporated the InfoScope technology into its new
TiP solution and the company believes that the new product
is even more relevant to an organization's Internet
operations.
|
