For some organizations, password security is enough, despite the well-known deficiencies in using passwords. Other companies, however, are bound by corporate or regulatory requirements to employ security standards such as PCI DSS that require the more secure two-factor authentication method. Nick Owen, co-founder of WiKID Systems, says two-factor authentication has historically been too expensive and too much of a hassle. “We’ve set out to change that with WiKID,” he says.
WiKID Strong Authentication System comprises both a secure server and a client application. The company’s web site describes how it works:
“A user selects the WiKID domain they wish to use on their token client. The user is prompted for the PIN for that domain. It is encrypted with the WiKID Server’s public key – assuring that only that server can decrypt it with its private key – and sent to the WiKID server. If the server can decrypt the PIN and it is correct and the account is active, it generates the one-time passcode (OTP) and encrypts it with the client’s public key. The user then enters their username and the OTP into whatever service they are using, a VPN, web site, etc., which forwards it to the WiKID Server for validation using Radius, TACACS+, LDAP or through our wAuth API for custom applications.”
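The flow quoted above, sketched as an added example in Node.js; it is not WiKID's code or wire format. The names `DemoServer`, `register` and `clientGetOtp`, the sample user and PIN, the use of RSA-OAEP, the 6-digit code and the rule that any validation attempt consumes the pending OTP are all assumptions of this sketch.

```javascript
const crypto = require('crypto');

// Assumptions of this sketch: RSA-OAEP (Node's default padding), 6-digit codes.
const newKeys = () => crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const same = (a, b) => a.length === b.length && crypto.timingSafeEqual(a, b);

class DemoServer {
  constructor() {
    this.keys = newKeys();
    this.accounts = new Map(); // username -> { pin, clientPub, active }
    this.pending = new Map();  // username -> OTP issued but not yet used
  }
  // Hypothetical enrolment step: the server learns the token's public key.
  register(user, pin, clientPub) { this.accounts.set(user, { pin, clientPub, active: true }); }
  // Decrypt the PIN with the server's private key; only for a correct PIN on an
  // active account issue an OTP, encrypted to that client's public key.
  requestOtp(user, encPin) {
    const acct = this.accounts.get(user);
    if (!acct || !acct.active) return null;
    let pin;
    try { pin = crypto.privateDecrypt(this.keys.privateKey, encPin); }
    catch { return null; } // ciphertext was not produced for this server's key
    if (!same(pin, Buffer.from(acct.pin))) return null;
    const otp = crypto.randomInt(0, 1000000).toString().padStart(6, '0');
    this.pending.set(user, otp);
    return crypto.publicEncrypt(acct.clientPub, Buffer.from(otp));
  }
  // The VPN or web site forwards username + OTP here; any attempt consumes the OTP.
  validate(user, otp) {
    const issued = this.pending.get(user);
    this.pending.delete(user);
    return issued !== undefined && same(Buffer.from(String(otp)), Buffer.from(issued));
  }
}

// Token client: encrypt the PIN to the server, decrypt the OTP that comes back.
function clientGetOtp(server, user, pin, clientKeys) {
  const encPin = crypto.publicEncrypt(server.keys.publicKey, Buffer.from(pin));
  const encOtp = server.requestOtp(user, encPin);
  return encOtp ? crypto.privateDecrypt(clientKeys.privateKey, encOtp).toString() : null;
}

// Constructed demo run: first use of the OTP passes, a replay fails.
const demoServer = new DemoServer(), demoToken = newKeys();
demoServer.register('alice', '4821', demoToken.publicKey);
const demoOtp = clientGetOtp(demoServer, 'alice', '4821', demoToken);
console.log(demoServer.validate('alice', demoOtp), demoServer.validate('alice', demoOtp)); // true false
```

Because each side only holds the other's public key, no secret shared between token and server is stored on either end, which is the property the article contrasts with shared-secret tokens.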
WiKID comes in both an open source Community and a commercial Enterprise version. “We have two versions primarily because we use some third-party software that we cannot release as open source,” Owen says. “We do have a home user license for people who want to use the Enterprise version at home.”
Both versions differ from token-based two-factor authentication systems in that they use public key encryption and not shared secrets. Public key encryption, Owen says, allows more functionality, such as multiple servers per token and multiple tokens per user.
Owen says most of WiKID is written in Java to take advantage of that language’s cross-platform capability. “We use SVN and Hudson for our build system. Our primary Linux platform is Red Hat-based, but we intend to have our future releases be more independent.”
Most of the work on WiKID is done in-house, though Owen recognizes the benefits of community contributions. “We’ve struggled with this. We have tried to recruit programmers, specifically to develop plugins for open source applications, like a WiKID plugin for Joomla (we do have a nascent one for Plone). But as a security project, we need to keep a close eye on the code, so that has made it difficult.”
Right now Owen says the company is focusing on a 4.x release, “which will be a pretty big rewrite. It will give us more platform independence, some architecture changes, and a big UI rewrite. We will continue to tweak and update the 3.x versions.”
And what about that company name? Are potential users ever confused that the software might have something to do with wikis? “Ha, yes,” Owen says. “But once they get to our site, they get confused and try elsewhere :).”