How Tyfone’s solution secures IDs and transactions

We had the opportunity to connect with Tyfone executives, which allowed us to learn more about their company and the technology they are implementing globally.

Who is Tyfone?

Tyfone, Inc. is a secure ID and transaction company focused on providing the most complete solution to rapidly growing cyber threats, especially a mobile environment that depends on the cloud. The new threats predominantly stem from criminals compromising people’s credentials used to gain access to enterprise networks from remotely located desktops, laptops, tablets, and especially mobile phones.  Tyfone’s solution is geared to enable secure ID and transactions for any industry vertical including government, health care, critical infrastructure, as well as banking and payments.  Founded in 2004, Tyfone is headquartered in Portland, Oregon with research and development and business development offices in India and Taiwan.

How is Tyfone funded / who are its investors?

Tyfone is privately funded with investors that are both individuals and institutional in nature, including Ojas Venture Partners, HDFC Holdings, Polaris Software Labs and In-Q-Tel (IQT).

Who are Tyfone’s customers?

Tyfone’s international roster of customers represents financial institutions and governmental departments.  In the U.S., Tyfone counts 2 of the top 10 member-owned financial institutions, Security Service Federal Credit Union and Star One Credit Union, among its bank and credit union customers.  Tyfone recently signed a strategic agreement with In-Q-Tel (IQT) to bring Tyfone’s mobile security solutions to address the needs of the U.S. Intelligence Community.  Tyfone also has a customer in Abu Dhabi and significant working relationships with entities around the globe, including in India, Indonesia, Spain and China.

What is the Tyfone CSC solution?

The Connected Smart Card (CSC) is Tyfone’s security solution, enabling identity storage and management locally on end-user devices for the most secure access to any server and to data stored centrally in the cloud.  Such a “local ID with central data” segregation is becoming increasingly critical as it is very common for users to access email, bank accounts, ecommerce portals, health records and other important digital information stored in cyber space using only a user-generated password to gain access.  More and more these digital assets are stored centrally in the cloud, but so too are all the passwords that control access to these assets, making valuable data more attractive to hackers.  Passwords are also stored in the cloud because, when a user requests access with a password, the server has to hold a representation of that password in order to answer Yes/No to the access request. Typically, when this request-response “one-sided” verification is used, the sessions require the verification of the server but not of the end user.  The increasing power and lower cost of computing creates a paradigm that is increasingly vulnerable to cybercrime, a situation that is rapidly getting worse (see the related Moore’s Law for Hacking graph below).

[Figure: Moore’s Law for Hacking graph]

According to Wired Magazine, in just the last 18 months, 280 million passwords have been compromised, and Deloitte predicts 90 percent of all user-generated passwords are vulnerable this year.

Tyfone’s CSC solution (http://youtu.be/fkdZmKitSIA) mitigates existing cyber security vulnerabilities through a unique combination of hardware products, software solutions and hosted services that enable financial, government, healthcare and other enterprises to ensure that passwords, biometrics, credit cards and other user IDs, as well as the access to sensitive server-based information, are never compromised.  Moreover, the rapidly growing threat aided by “Moore’s Law for Hacking” – the ever increasing power and cheaper hardware enabled by Moore’s Law that criminals can use for hacking – requires a solution in the form of hardware based ID and transaction security.  Interrelated, the National Institute of Standards and Technology (NIST), a federal technology agency under the Department of Commerce recently issued draft standards 800-164 calling for hardware based solutions for mobile devices.

At its core, Tyfone’s CSC technology enables “two-sided” certificate verification, where not only the server being accessed is verified, but also verifies the identity of the person seeking access.   CSC creates an impenetrable safe to locally store IDs inside hardware that protects the use of passwords, credit card numbers, biometrics and other access credentials, thereby creating the best possible defense against cyber criminals and hackers.

Tyfone’s CSC solution puts this safe – actually called a secure element – onto the ubiquitously used smart card, so people can conveniently and securely carry all their digital IDs, while leaving access to information and data centrally stored in the cloud.  Because smart cards are used in everything from mobile phones to credit cards to identity cards, the proliferation of this security solution will not require fundamental changes in technology or user behavior.  Tyfone has also put this CSC technology on a microSD card and wearable form factors, such as a key chain and wristband, to bring even greater convenience, and extend its use across a wider number of devices (see the related illustration below).

[Figure: illustration of CSC form factors]

How does Moore’s Law apply to security and why should we all be concerned?

Moore’s Law speaks to the rapid growth and reduced cost of computing power.  When applied to “one-sided” security methods requiring the storage of user identities in the cloud, the ability for cyber criminals to hack and compromise access credentials will outpace the practical ability for user passwords to grow in size and complexity for those methods to be used.  The cyber world is near or already at the “point of no return” where storing any access credentials in the cloud is safe.

I want to make sure I understand “Moore’s Law for Hacking.”  Why should my readers care?  

As mentioned, Moore’s Law speaks to the rapid growth and reduced cost of computing power.  When applied to the request-response security paradigm requiring the storage of user IDs (Passwords or OTPs) in the cloud, the ability for cyber criminals to hack and compromise access credentials will outpace the practical ability for user passwords to grow in size and complexity for those methods to be used.  This is what Tyfone refers to with “Moore’s Law for Hacking.”  Reiterating, the cyber world is near or already at the “point of no return” where storing any access credentials in the cloud is safe.

How does Tyfone’s CSC solution change everything?

The inherent flaw in password (both static password and dynamic one-time password) authentication systems that today use a “one-sided” verification methodology is that when the user submits his or her password, the centralized server has to instantly decide whether or not the user should gain access to the system.  For this “request-response” feature to work, the centralized service must store, in bulk, information about ALL its users’ passwords.  This need makes central password storage an increasingly lucrative target that has become ever easier and cheaper to compromise by unauthorized users.

The only way to eliminate this vulnerability is to prevent access based solely on the validation of centrally stored passwords by migrating from a “request-response” to a “request-challenge-response” paradigm.  In this paradigm, no end-user “secrets” are stored on the enterprise server; rather, they stay with the user inside the secure element in the smart card. Tyfone’s CSC solution enables this paradigm by supporting storage of digital certificates in secure hardware, thereby enabling “two-sided” certificate validation.


Tyfone’s CSC solution operates much like the traditional plastic smart card systems already in widespread use, but has a much smaller footprint and has the unique ability to operate with any mobile device, tablet or PC.  By leveraging the use of smart card chip standards, Tyfone’s CSC hardware works with all existing software, smart card applets, password schemes and digital certificates, making it the first truly interoperable framework that can secure all devices a user may have, their identities and their transactions, and that controls access to ID information through a unique combination of distributed and local (on device) storage.  This unprecedented approach allows for seamless integration with organizations’ existing smart card-driven security solutions, maximizing investments already made in security infrastructure.  Tyfone’s CSC solution ensures that employees, consumers and other end-users can securely access authorized servers for their email, pay online and even enter buildings without any of the vulnerabilities that come with today’s centralized storing of passwords or biometric IDs.


Why is request-challenge-response better than request-response?

Unlike the request-response security paradigm, where all of our secrets are stored in the cloud, in the request-challenge-response paradigm the secret for remote access stays with the user. Each user carries his or her own secret, and there is no longer a central location available for bulk hacking. This secret is called a digital certificate; it includes a public key known to everyone and a private key that is stored securely in physical hardware and never disclosed. The public key is used to lock information which only the corresponding private key can unlock. This certificate mechanism, which the enterprise server already uses to identify itself, is now extended to the user, so that the user and the server can trust each other without the involvement of any third party. This method is already used in plastic smart cards in various industries – CAC/PIV in government, PKCS for enterprises, NSS in browsers (e.g., Firefox) and EMV in payments.

What is a better alternative to One Time Passwords (OTP) or Passwords?

Instead of request-response-based OTPs or passwords, a better alternative is to use user-side digital certificates that enable request-challenge-response. By using client-side digital certificates in conjunction with the already available server-side digital certificates, a “two-sided” trust can be enabled; this will not only prevent bulk loss of IDs, it also enables a solution that is independent of third-party compromises, since the private keys are never disclosed to anyone, including the issuer.

Are passwords becoming null and void?

Passwords, as we know them today and as they are used to gain access to servers in the cloud, are dead.  This is due to passwords in today’s world being stored in the cloud right along with the server and its data that are being accessed.  Passwords (or biometrics) may still play a minor role in the “new world” of verification and access, but ONLY when they are stored locally in hardware with the user and ONLY to unlock a device, app or CSC, and not to verify with a cloud-based server.

What happens if my secure ID is removed from the device?

The same actions would be taken by a user as if the CSC were lost, stolen or damaged.  If the CSC is removed from the device, a thief would still need a PIN, password or biometric to “unlock” access to the CSC.  CSC’s use of smart card chip technology prevents unauthorized “unlocking,” especially through brute-force guessing, as smart card chip technology is designed to permanently inactivate itself after a predetermined number of unauthorized attempts.

What happens if the mobile device with the “Secure ID” is damaged, such as the device is dropped and the screen shatters, it gets wet and so on?

One of the benefits of CSC is that if the hardware is lost, stolen or damaged, the user will quickly realize the problem, unlike passwords in the cloud that may be stolen WITHOUT the knowledge of the user.  When such an event occurs, just like a lost plastic credit card today, a user can take action to deactivate and obtain a replacement.

Does carrying around all of your passwords/account/unique identifiers on your own device increase your vulnerability in any way?

No. Carrying your identities locally is orders of magnitude safer than today’s situation, where your identities are stored in centralized databases in the cloud with multiple providers, accessible to remote cyber criminals, and where you may NEVER know your ID has been compromised!

Why is secure ID important? / What makes secure ID more important today than it was before?

Cyber security is a critical and growing concern for government and businesses as access to sensitive information and financial transactions are increasingly done via mobile devices and websites, which utilize password protection.  Think of this dilemma as the Moore’s Law of Hacking: as the power of computing increases and cost decreases, passwords must grow in length and complexity to stay ahead of the cyber criminals’ quickly improving capabilities.  Just in the last 18 months, we have crossed the point of no return where these realities should make the use of passwords and “one-sided” verification methods obsolete.  Of particular concern is the security of these passwords, increasingly stored in the cloud, making centralized ID databases tempting and vulnerable targets for hackers. Storing IDs in a software database on the phone can’t solve this problem, as the server still needs to store the same information for “one-sided” verification.

In addition, some solutions attempt to store IDs locally on the device, but in unsecured memory.  Think of it this way: storing software-based IDs in the cloud is like storing your car keys with a parking lot attendant who is subject to the theft of many drivers’ keys at once, and storing software-based IDs on an electronic device is like hiding your keys under the doormat, an obvious location for many burglars.  In all, software-only security is too weak to mitigate hacking and the hijacking of digital identities.  It is only through the implementation of software with hardware-based solutions, such as Tyfone’s CSC, that the most critical threat models are sufficiently addressed.

Aren’t there many secure ID solutions out there?  Why is the CSC solution better?

Until Tyfone’s CSC, there were no solutions in the mobile space that incorporated both software and hardware to enable “two-sided” verification.  Remember the Moore’s Law of Hacking: any ID solution that incorporates only “one-sided” verification will be continuously running to stay ahead of the advancing computational power employed by cyber criminals.  The use of smart card technology, as in Tyfone’s CSC hardware security framework, allows for a non-proprietary solution while leveraging the billions of dollars already invested in plastic smart card-based solutions that are deployed worldwide today.  “One-sided” verification in today’s world for remote access into servers is a security risk that is recognized in ALL industries.  At present, entities have industry groups that tend to attempt to address the SAME issues on an industry-specific basis.  Users that interact with multiple industries should not be faced with multiple methods for secure access.  Tyfone’s CSC solution and framework will be a foundational technology, like Wi-Fi or Bluetooth, enabling similar security and authentication methods and processes across ALL industries and ALL devices (e.g., smart phones, tablets and PCs) that are increasingly adopted and utilized in everyday lives, and not bound by the control of device manufacturers, OS providers or mobile network operators.

Technically, how does CSC work?

Tyfone’s incorporation of globally recognized smart card chip technology solves the inherent risks of current “one-sided” password (or software token) verification that uses “request-response” methods that necessitate storing user IDs centrally (the server may be validated, but the user is not).  In today’s environment, central storage of IDs creates massive repositories for cyber criminals to target.  Tyfone’s CSC enables full “two-sided” verification, or “request-challenge-response,” which results in both end-points, server and user, being validated without storing the user ID centrally.  It is only through the addition of a “challenge” that the party at each end-point can verify the other party.  This “two-sided” verification also enables the creation of a unique encrypted connection that is not subject to the security interdependencies of multiple entities in the cloud, such as mobile network operators, transport entities, domain name registrants or third-party certificate authorities.  Tyfone’s CSC solutions bring local storage of IDs to users, with the highest methods of security, in a manner that is convenient for users.  While the methods deployed are complex, their use is simple.

A common misconception is that biometrics (fingerprint or iris scan) will “solve” the ID dilemma.  In their simplest form, without a “challenge” security method, a biometric is only a substitute for a “password” that a user does not have to remember; it retains only “one-sided” verification and may necessitate centralized storage of those highly individualized, sensitive and unchangeable IDs in the cloud.  Just imagine what would happen if your fingerprints or iris scans were stolen by hackers.
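The request-challenge-response flow described in this answer and under “Why is request-challenge-response better than request-response?”, together with the PIN lockout described under “What happens if my secure ID is removed from the device?”, as an added example in Go that is not Tyfone’s code: the server stores only each user’s public key plus a fresh random challenge, the private key lives in a simulated secure element that signs only after a local PIN check, and the element wipes its key after repeated wrong PINs. Ed25519 keys, the 32-byte nonce and the three-attempt limit are assumptions chosen for the example, not details from the page.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

// Simulated secure element: the private key and PIN hash live here and never leave it.
// The three-attempt limit is an assumption for this example, not a figure from the page.
type secureElement struct {
	priv      ed25519.PrivateKey
	pinHash   [32]byte
	triesLeft int
}

func newSecureElement(pin string) (*secureElement, ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // only the public half ever leaves the element
	return &secureElement{priv: priv, pinHash: sha256.Sum256([]byte(pin)), triesLeft: 3}, pub
}

// sign answers a challenge after checking the PIN locally; a wrong PIN burns one attempt.
func (se *secureElement) sign(pin string, challenge []byte) ([]byte, error) {
	h := sha256.Sum256([]byte(pin))
	if se.triesLeft > 0 && subtle.ConstantTimeCompare(h[:], se.pinHash[:]) == 1 {
		se.triesLeft = 3 // a correct PIN resets the retry counter
		return ed25519.Sign(se.priv, challenge), nil
	}
	if se.triesLeft > 0 {
		se.triesLeft--
	}
	if se.triesLeft == 0 { // last miss: zeroise the key so brute-forcing the PIN gains nothing
		for i := range se.priv { se.priv[i] = 0 }
		return nil, errors.New("secure element permanently inactivated")
	}
	return nil, errors.New("wrong PIN")
}

// certServer holds only public keys and one outstanding single-use challenge per user,
// so a dump of it gives an attacker nothing to guess against offline.
type certServer struct {
	pubs    map[string]ed25519.PublicKey
	pending map[string][]byte
}
func newCertServer() *certServer {
	return &certServer{pubs: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}
func (s *certServer) enroll(user string, pub ed25519.PublicKey) { s.pubs[user] = pub }

// challenge answers the access request with a fresh random nonce the user must sign.
func (s *certServer) challenge(user string) []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil { panic(err) }
	s.pending[user] = nonce
	return nonce
}

// verify checks the response against the outstanding nonce, then consumes it (no replay).
func (s *certServer) verify(user string, sig []byte) bool {
	nonce, ok := s.pending[user]
	pub, known := s.pubs[user]
	delete(s.pending, user)
	return ok && known && ed25519.Verify(pub, nonce, sig)
}
```

A dump of `certServer` yields only public keys and stale nonces, which is the contrast with the password-hash table a request-response server must keep.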

CSC sounds similar to how the new iPhone 5S uses fingerprints.  How is it different/better?

Instead of passwords, biometric markers like fingerprints are promoted as a solution.  While biometrics may eliminate the need to remember passwords, their use creates a host of new privacy issues.  Storing biometrics risks that fingerprints or other unchangeable biometrics such as iris scans, or their digital representations, will be misappropriated for improper purposes.  Given the limited biometrics a person has, it is not practical to use different fingerprint sets, as an example, for different services.  Should one centrally stored service become compromised, your fingerprint cannot be used anywhere else.  Unlike a digital certificate, a biometric cannot be changed, so biometrics cannot be an exclusive solution to the remote authentication problem.

Tyfone’s CSC does not introduce privacy issues and can be easily changed if lost. Tyfone CSC also allows local validation for gaining access to remote assets. The iPhone 5S fingerprint reader is simply a stronger version of the previously used 4 digit PIN.

Who needs Tyfone’s CSC solution?

Ultimately, all users (both enterprise and consumer) of devices that are either mobile and/or connect to the cloud, or who must communicate securely for physical world transactions, will require the hardware-based security that Tyfone’s Connected Smart Card enables.  It is expected that adoption of these solutions will commence at the governmental level, moving next to enterprise and access to critical infrastructure (SCADA, supervisory control and data acquisition) before eventually becoming available to consumers for securing a wide range of services, from online interactions to contactless payments.  Overall, Tyfone’s Connected Smart Card-based security framework will be necessary for all issuers and users of digital identities and independently secured connections to address emerging issues around cybercrime, privacy and financial transactions.

How will the people who need it get the CSC solution? / Who will buy the CSC solution?

Initially, ID Issuers, such as government and corporations, will acquire the “Connected Smart Card” technology for issuance to their ID community.  As deployment scales and as costs are driven lower, the cost for consumers to adopt will be immaterial in relationship to their other technology purchases.

Is cybercrime really the only “security” related issue consumers are concerned about as their transactions become increasingly digital and mobile?

While CSC mitigates “cyber-crime,” the issues are not just about “crime” in the legal sense, but the broader enforcement of “authorized access” only by “authorized users,” whereby access policies can be enforced, such as between two employees within the same organization. Apart from securing online cyber transactions, CSC also helps protect offline transactions at places like the point of sale and infrastructure access readers.

Can I use CSC with my existing smartphone, tablet or PC?  How?

Due to the multitude of form factors produced and envisioned by Tyfone for CSC, users will have access to CSC through a selection of form factors that can be inserted into devices, such as a microSD card, USB plug or iPhone plug, or external devices that communicate with devices via NFC or Bluetooth, such as a key fob, wristband or other wearable form factors.

What companies / entities are currently customers of the CSC solution?

Tyfone’s CSC solution is currently in pilot deployments with strategic customers, with general deployments to begin in the fourth quarter of 2013 and first quarter of 2014.  Organizations interested in becoming leaders in the evolution of CSC by joining pilots or integrating Tyfone’s CSC solution with their own security products can contact Tyfone by email.

How much will the CSC solution cost?

There will be different licensing agreements and cost models for enterprises and consumers.  More information will follow on pricing with general availability, however, Tyfone believes life cycle pricing will ultimately be less than existing plastic smart card systems in use with non-mobile systems today.


Original author: admin