PassWindow is a new authentication system that claims “unsurpassed security”. Such claims are made frequently but are rarely substantiated in hindsight, so we found the temptation to investigate too great to resist.
PassWindow is potentially an effective and user-friendly component of a two-factor authentication system, since the human brain is already well trained for the task: we look at numbers all the time, and we are practised at picking numbers out of visual noise. PassWindow is not an “electronic black box” that gives users a false sense of security; it uses no electronic components at all, so it is electrically isolated from the computing or communication device. PassWindow defends particularly well against the kinds of threat that typically defeat traditional authentication regimes. It is conceptually simple, yet because its secret key patterns are impractical to describe verbally it offers some protection against social engineering attacks, and that same simplicity makes it somewhat harder to persuade an end-user that the authentication system has malfunctioned.
We are somewhat suspicious of the device's overall security benefits in the modern threat environment: it applies the principle of a one-time pad, but the secret pattern is used many times. The secret authentication patterns are static, low-resolution, high-contrast, flat 2D graphics in a highly restricted configuration; they carry very little information, and they must be exposed to view during the authentication process. PassWindow's website emphasises that over-the-shoulder attacks are partially neutralised by parallax effects. However, the system remains vulnerable to photographic surveillance, since an image of the secret authentication pattern alone is sufficient to attack it. For this reason social engineering attacks may still succeed if end-users need only be persuaded to send a photocopy or scan of their PassWindow card to an attacker, and a PassWindow-based system might be compromised on a large scale if even an unsophisticated attacker can infiltrate the key distribution process for static-pattern key cards. PassWindow attempts to frustrate photographic attack by tinting the secret pattern or making it partially reflective; this is unlikely to help much, since a high-resolution camera may still capture the low-resolution secret pattern when it is silhouetted against a suitable back-light such as the sky or a light patch on the user's computer screen. Near the bottom of the third page of their website, PassWindow's developers admit:
“However, a user is always vulnerable to physical attack or surreptitious video surveillance…”
Eventually, suppliers of PassWindow key cards and printing equipment may provide ways of mitigating photographic threats, for example inks that can only be read from certain directions, codes that can only be read under a light polarisation present in the challenge or through polarised eyewear worn by the end-user, or encapsulation of the key inside a telescopic eyepiece. It is unlikely that photographic threats will ever be completely defeated without compromising the simplicity of the system by integrating it with electronics and an LCD screen (which would still retain PassWindow's fundamental strengths against the simplest social engineering attacks), since a single successful exfiltration of a static secret key opens a substantial window of opportunity to an attacker. These limitations are not necessarily unique to PassWindow; they may be fundamental to any technology that shares its intrinsic simplicity, since any two-way authentication technology must communicate with the end-user's senses of vision, hearing and so on.
During each authentication operation, PassWindow makes sparse use of the key and challenge information: it obfuscates the secret key by interleaving the real challenge with random position- and sequence-based noise, and by randomly selecting which parts of the key must be communicated. This strategy extends the life of a PassWindow key well beyond the expected life of a one-time pad. Credible statistics quoted by PassWindow's developers, and corroborated by at least one source in the broader security community, indicate that a PassWindow key can perform between 20 and more than 10,000 one-way authentications (or a smaller number of mutual authentications) before being retired and replaced by the PassWindow server, which continually monitors the possibility of a statistical attack on each individual key it has issued. The size, sparseness and strength of each key and challenge may be configured by the system's operators, and challenge strength may be varied dynamically even for a fixed key size; however, there is an inevitable compromise between challenge/key strength and user-friendliness (the insult rate). PassWindow's developers are researching upgrades that may enhance the statistical strength of PassWindow in the future without seriously compromising its ergonomics.
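As an added illustration of the key-retirement trade-off described above (our own simplified model, not PassWindow's algorithm or code): a key is treated as N abstract segments, each challenge uses k of them, and the server retires the key once a worst-case observer who recorded every session could have seen a chosen fraction of it. The class and function names, the segment model and the retirement fraction are all assumptions, not PassWindow parameters.

```python
import math
import random

class KeyExposureMonitor:
    """Hypothetical server-side exposure accounting for one static key.

    The key is modelled as N indexed segments and each authentication uses a
    random subset. Assuming a worst-case observer who records every session,
    the union of used segments bounds what could have been learned, so the key
    is retired once that union reaches a configured fraction of the key.
    """

    def __init__(self, key_segments, retire_fraction):
        if not 0 < retire_fraction < 1:
            raise ValueError("retire_fraction must lie strictly between 0 and 1")
        self.retire_at = math.ceil(retire_fraction * key_segments)
        self.revealed = set()
        self.uses = 0

    def record_challenge(self, used_segments):
        """Record one authentication; return True once the key must be retired."""
        self.revealed.update(used_segments)
        self.uses += 1
        return len(self.revealed) >= self.retire_at

def expected_lifetime(key_segments, per_challenge, retire_fraction):
    """Closed-form estimate: a segment stays unrevealed through one challenge
    with probability 1 - k/N, so after n challenges the expected unrevealed
    share is (1 - k/N)**n; solve for the n where the revealed share hits the budget."""
    if not 0 < per_challenge < key_segments or not 0 < retire_fraction < 1:
        raise ValueError("need 0 < per_challenge < key_segments, 0 < retire_fraction < 1")
    survive = 1 - per_challenge / key_segments
    return math.ceil(math.log(1 - retire_fraction) / math.log(survive))

def simulate_lifetime(key_segments, per_challenge, retire_fraction, seed=1):
    """Monte-Carlo count of authentications until the monitor retires the key."""
    rng = random.Random(seed)
    monitor = KeyExposureMonitor(key_segments, retire_fraction)
    while True:
        used = rng.sample(range(key_segments), per_challenge)
        if monitor.record_challenge(used):
            return monitor.uses

if __name__ == "__main__":
    # Constructed configurations: same exposure budget, different key size and sparseness.
    for n_seg, k in [(120, 12), (120, 4), (400, 12)]:
        print(f"N={n_seg}, k={k}: expected ~{expected_lifetime(n_seg, k, 0.9)} uses, simulated {simulate_lifetime(n_seg, k, 0.9)} uses")
```

Fewer segments per challenge or a larger key stretches the budget over more authentications, which is the usability-versus-strength compromise the operators must configure.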
Conclusions: practical advice for security engineers
This simple device offers a useful mechanism for authenticating high-value transactions or users' attempts to log in to a high-value system. PassWindow should always be used in conjunction with other authentication mechanisms in a two-factor or three-factor configuration, where it can provide complementary strengths to your existing security regime. If you choose PassWindow as a component of your security regime, specify a configuration strong enough for your application, its threat environment and its attack economics. Consider the likely frequency, economy and practicality of key replacement, and weigh the comparative costs and benefits in terms of the convenience of the authentication process and any additional training and incentives needed to persuade your end-users to protect their keys. PassWindow's training requirements are relatively simple, as its only security rule is to avoid visual surveillance. Usability testing by learning-disabled people has yielded encouraging results, and the system has been successfully deployed in regions with high rates of illiteracy.
Be cautious about using static-pattern PassWindow keys in public or potentially compromised spaces, where hostile visual surveillance may erode the advantages of PassWindow. To ensure that PassWindow improves on the existing security regime, avoid using it on a computer with an attached camera, which could make it easier for a remote attacker to exfiltrate a useful image of the end-user's secret pattern. Many laptops now ship with webcams built into the chassis that cannot be electrically disconnected, and such cameras might be switched on covertly by a remote “man-in-the-middle” attacker; end-users must therefore be taught how to physically disconnect or temporarily disable such cameras (e.g. by covering the lens with a post-it note when not in use).
For those wishing to deploy PassWindow, there are currently two main options:
- $7.00–$9.00 USD per user per year: sign up for the ShieldPass service for rapid integration with your existing website.
- Negotiable price per user per year: install PassWindow's server software, which gives you the option of managing key distribution yourself.
With thanks to Matthew Walker and his team at PassWindow, who consulted with us on the technical aspects of their system. We plan to purchase ShieldPass service soon.
We learned about PassWindow from a comment on the “krebsonsecurity” blog.
We anticipate that readers will suggest that, in common with other authentication codes, PassWindow response codes may be sent over a channel separate from the challenge and from the other authentication responses. We warn that emerging threats may enable locally targeted, simultaneous interception of multiple communication channels; PassWindow would resist such multiple-channel man-in-the-middle network attacks.
Interestingly, one of the most promising reported real-world applications of PassWindow is also one of the most low-tech. Microloans in third-world countries may be administered with PassWindow-authenticated repayment ledgers. The system is entirely paper-based, requiring only a small number of centralised computers that can run on electricity supplies available only for limited periods at particular times. This is perhaps a natural application for the simplest form of PassWindow authentication.
To strengthen PassWindow for use in an extremely high-value system, one might encapsulate a variable PassWindow key, displayed on a transparent LCD screen, inside a telescopic eyepiece activated by a combination of iris recognition and a PIN pad, with the biometric data and the memorised code modulated into the secret key code. Using PassWindow in this way would require “something you have”, “something you are” and “something you know”. Such a system, if implemented well, might be extremely expensive (the idea is possibly in the realm of science fiction). Can anyone think of a more economical and more effective authentication system?