Arcot Systems Inc. has an answer for people who advocate smart cards but bemoan the lack of a card-reading infrastructure: Go cardless.
The Palo Alto, Calif., company, in business since September 1997, officially launched its first product, WebFort, in late May. Arcot claims it is safer than available user-authentication alternatives and gets around the hassle of trying to distribute smart cards with digital certificates in their chip memories.
Arcot has come up with a technique described as camouflaging, said to make it impossible for system intruders to spoof valid user credentials.
President and chief executive officer B.N. "Nat" Kausik said the camouflage conceals within a collection of spurious digital credentials one valid certificate that only an authorized person would be able to locate.
"An intruder who tries to get it will set off an alarm," Mr. Kausik said in an interview.
WebFort goes against a couple of grains in the data security industry. Public key infrastructure, or PKI, systems are getting much attention as corporations move business activities onto the Internet, but Arcot contends current authentication software is too open to compromise.
Smart cards, a convenient hardware alternative for storing encryption keys, are widely viewed as raising the security bar, but Arcot does not see that happening too soon.
Arcot proposes a "software solution," and it is critical of those of other vendors.
Cybersafe Corp. of Issaquah, Wash., has one of them, the Virtual Smart Card. It contends that the product allows for economical and easy introduction of smart-card-like hardware assurances and a migration path to physical cards as the infrastructure gets deployed. Software tokens are also supported by such hardware security vendors as Activcard of Fremont, Calif. (see above on this page), Cryptocard of Toronto, and Spyrus of Santa Clara, Calif.
Arcot dismisses most of these as "vulnerable to attack" by hackers with fast computers that can crack password and personal-identification-number combinations.
Cryptocard software tokens generate one-time passwords with each user logon. The company offers a range of product options because "authentication in the age of the Internet must accommodate a wide array of environments, user needs, and security concerns," vice president Stephen D. Seal said last month when Cryptocard began shipping the Java-certified ST-1 software token.
"We have a unique technology for providing the security of hardware solutions in software," said Steven Levine, Arcot's vice president of marketing. He said the upshot of certificate-issuing complications and the lack of chip readers on personal computers and other devices has been "a bottleneck to strong authentication on smart cards. We believe we open it up."
Privately held Arcot, which has venture capital backing and some pending patents, has won accolades from luminaries in the information security field.
It has a board of advisers that includes Taher Elgamal of Kroll-O'Gara Co. and formerly Netscape Communications Corp., Bruce Schneier, president of Counterpane Systems and author of "Applied Cryptography," and Scott Loftesness, the former Visa and First Data Corp. executive who heads Digicash Inc.
Stanford University Professor Emeritus Martin Hellman, co-inventor of public key cryptography and another Arcot adviser, said the company has "a really different and very clever approach to protecting digital certificate credentials. Instead of building a high wall to keep intruders out, Arcot sets camouflaged traps to snare those trying to break in."
Included in Arcot's WebFort press release was a testimonial from Stratton Sclavos, president and CEO of Verisign Inc., pointing out that Arcot products are complementary with his and presumably others' digital certificate offerings.
Arcot's first announced customer was St. Joseph's Hospital in Marshfield, Wis. It is using WebFort for secure access by doctors to patient information via an extranet. WebFort was combined with a data base system from IDX Systems Corp., whose product manager, Bill Clark, said WebFort delivered on the elusive promise of "strong authentication that is easy to use."
Mr. Kausik said the health care market should be a big one for user authentication, because government regulations for on-line record access call for a certification system that is more secure than basic personal identification numbers.
Arcot's first major inroad into financial services is through Tibco Software, a Reuters Group company, which said it will use Arcot in its enterprise application integration system.
It is "first-rate security at considerable cost savings over hardware- based authentication," said Tom Jasek, Tibco's senior vice president of business development.
Mr. Kausik said more financial and payment industry customers are in the pipeline.
He said his business plan acknowledges that there could eventually be "tokens that work." WebFort is "a solution for now, but it can go on any hardware medium, chip card, or even a magnetic stripe card."
He suggested that too much of a focus on smart cards and their infrastructure deficiencies diverts attention from what is possible with software. "People looking to smart cards for delivering a broad range of financial services on the Internet may want to look at (WebFort) as a cheaper alternative that is available today," Mr. Kausik said.