The Smart Techie was renamed Siliconindia India Edition starting Feb 2012 to continue the nearly two decade track record of excellence of our US edition.

April - 2007 - issue > Cover Story

Smart without the Card

Harish Revanna
Saturday, March 31, 2007
In today’s fast-paced, time-crunched world, people everywhere have come to accept online shopping, banking, and communication as part of their daily lives. Convenience is king – today’s consumers access accounts, pay bills, download e-statements and transfer cash online from the comfort of their homes. This growing trend has caused a parallel trend in online fraud. Rarely a day goes by without identity theft appearing in the news! What is surprising is that most people are still using weak authentication methods, in the form of a username and password, to gain access to their accounts and conduct their online transactions. With the increase in phishing email and spyware designed by hackers to capture user passwords, online providers have had to step up and provide stronger forms of authentication to assure that the legitimate account holder is the only person gaining access to his/her account. The problem: How on earth do these financial institutions provide identity assurance for millions of customers while continuing to provide a simple and convenient user experience?

Lending voice to this concern, 14 months ago the FFIEC (a bank regulatory agency) issued a report, “Authentication in an Internet Banking Environment,” mandating that banks adopt multi-factor authentication measures to secure online access to account information and transaction functionality. Although the agency didn’t spell out the exact method of implementation, it was understood that some form of authentication beyond username and password had to be implemented by the end of 2006. Other US government agencies such as the SEC are also considering similar regulations.

With all that has happened over the past year, multi-factor authentication is becoming the industry “best practice”. A slew of companies are already providing strong authentication methods in hardware through one-time-password (OTP) tokens (the user must carry a hardware token that generates a random number as a second password needed to log in), biometric solutions and smart cards. However, 9-year-old, Sunnyvale-based Arcot Systems has been challenging all these hardware-based online authentication technologies with its one-of-a-kind software-based PKI authentication system. By providing PKI-based strong authentication completely in software, Arcot gives banks and their customers the best of both worlds: identity assurance that is convenient and cost-effective. Arcot created a “software smart card” called the ArcotID that provides strong authentication and can also be used in other applications such as eStatement delivery and digital signing of electronic documents. “The beauty of the ArcotID is that it is ‘Smart without the Card’. It can be used in place of a smart card and is a single solution that fits many requirements,” says Ram Varadarajan, President and CEO.

In a nutshell, Arcot has a software version of the smart card/OTP token that is not tangible in nature. Instead, its software smart card is stored on your computer in the form of a small file. “In lieu of the smart card that goes into a card reader or an OTP token that generates new passwords, we have created an encrypted file that is stored on your PC desktop,” says Varadarajan.

Varadarajan is not bragging; Arcot’s new software smart card has the potential to change the world. But you might ask, how can a ‘file’ be secure? True, when genius programmers can decode any gnarly program in the world, this ‘file’ might sound no different by name. But what is in a name? Arcot has protected this file with its patented technology, cryptographic camouflage, shielding it from the bravest of the brave programmers. And it is on this patented technology that the company was founded in 1997. “The Arcot technology is patented and proven,” says R. ‘Doc’ Vaidhyanathan, Vice President, Product Management. “More significantly, alternate solutions alone are not sustainable for the future needs of the enterprise.” He then lists three key reasons to support his claim.

First, tokens are really expensive to produce and distribute on a large scale to millions of customers. Second, the human tendency to lose things applies to such tokens too, so their feasibility takes a hit given the number of customers that banks and merchants like eBay have. Third is simply the number of tokens an individual would have to carry, given that he/she works for a company, has three bank accounts and buys and sells on a few online merchant portals. By using an ArcotID, however, none of the three disadvantages applies: it is cost-effective, hard to lose and easy to carry on a single USB memory stick no matter how many “files” one has. Most importantly, Arcot has been in this business for so long that it understands what it means to get the performance and response time down to under a second while managing millions of users with the same strength, functionality and usage as a smart card.
