
eKaay - Security

Claim. The security claim of eKaay is that PC malware can no longer capture the password. This goal is met for the simple reason that there is no longer any password being typed in.

Discussion. On the other hand, smartphone thieves and smartphone trojans appear as new attack vectors; see below.

Qualification. Nevertheless, these two dangers have to be put into perspective: a smartphone user who keeps apps and browser sites open on the smartphone is already exposed to smartphone thieves and smartphone trojans anyway.

Criterion. This gives the following criterion for whether eKaay is secure enough for a portal: if, after one successful password login on the smartphone, the portal leaves an open app or open browser page for the user on his smartphone, then eKaay is secure enough. Otherwise eKaay is not secure enough, and the portal should consider eKaay PIN.

Detailed Comparison

In the following, the password method and the eKaay method are compared with respect to the possible attacks. The columns to the right additionally show the evaluation of the eKaay light, eKaay PIN and eKaay NFC methods. Each attack below is followed by one colour rating (red, yellow or green) per method.

eKaay more secure than password (columns: Password Method | eKaay Key Method | eKaay light Method | eKaay PIN Method | eKaay NFC Method)

Identity theft by PC trojans. eKaay was designed to prevent trojans on the browser PC from capturing the password as the user enters it. eKaay prevents this identity theft because no fixed password is involved in the login procedure.

Rating: Password: red | eKaay Key: green | eKaay light: green | eKaay PIN: green | eKaay NFC: green

Identity theft by ''Shoulder Surfing''. eKaay prevents identity theft by humans or cameras watching the password being entered.

Rating: Password: red | eKaay Key: green | eKaay light: yellow | eKaay PIN: yellow | eKaay NFC: green

Identity theft by ''Network Sniffing''. eKaay prevents identity theft by malware eavesdropping on the Internet. This is usually already prevented by using https sessions for password authentication.

Rating: Password: yellow | eKaay Key: green | eKaay light: green | eKaay PIN: green | eKaay NFC: green

Identity theft by ''Dictionary Attack''. eKaay prevents identity theft via the automated trial of many different passwords.

Rating: Password: red | eKaay Key: green | eKaay light: yellow | eKaay PIN: green | eKaay NFC: green

Identity theft by ''Social Engineering''. The password method allows various frauds in which the user tells the fraudster the password. This is not possible with eKaay because the secret key cannot be communicated: it is never shown to the user.

Rating: Password: red | eKaay Key: green | eKaay light: yellow | eKaay PIN: green | eKaay NFC: green

Server data leak. With eKaay, the user passwords stored on the portal server can be made secure against data leaks caused by intruders or by disloyal or careless employees. This sounds surprising but works as follows. A user who has activated eKaay should choose a long and difficult password, say a 15-letter random password. This is no burden for the user because with eKaay he no longer needs to memorize or type the password. Recovering such a password from its hash is then infeasible for the data thief. Moreover, the eKaay key stored on the server is of no use to the thief either, because it is only the public key (the private key is stored on the smartphone).

Rating: Password: red | eKaay Key: green | eKaay light: yellow | eKaay PIN: green | eKaay NFC: green

eKaay less secure than password (columns: Password Method | eKaay Key Method | eKaay light Method | eKaay PIN Method | eKaay NFC Method)

Identity theft by smartphone theft. Anyone stealing a smartphone containing the eKaay app can log into the activated accounts. This danger is lessened by the smartphone PIN, which is usually requested after some minutes of inactivity. The eKaay app PIN gives similar protection. Moreover, the smartphone theft danger has to be put into perspective: eKaay is only recommended for portals for which the user would not protect a smartphone app or a smartphone browser login with a password (if he would protect it, the eKaay PIN method is recommended). For such portals, a smartphone thief would be able to enter the account anyway, even without eKaay.

Rating: Password: green | eKaay Key: yellow | eKaay light: yellow | eKaay PIN: yellow | eKaay NFC: green

Identity theft by smartphone trojans. The private eKaay key for the portal is stored on the smartphone, which means it may be stolen by a smartphone trojan. This is not prevented by the technique that encrypts the private keys, because the encryption/decryption key is stored in the app's program code and could possibly be reverse-engineered by the trojan. Nevertheless, the keys are fairly safe because other apps are not able to read the data of the eKaay app.

Rating: Password: green | eKaay Key: yellow | eKaay light: yellow | eKaay PIN: yellow | eKaay NFC: green

Identity theft by attacking cloud back-ups of the eKaay app. Probably soon, ''cloud'' back-ups of apps will be possible for iPhones and Android smartphones. In that case the back-up of the eKaay app is a potential target of intruders hacking the cloud computer.

Rating: Password: green | eKaay Key: yellow | eKaay light: green | eKaay PIN: yellow | eKaay NFC: green

Attacks on both eKaay and password (columns: Password Method | eKaay Key Method | eKaay light Method | eKaay PIN Method | eKaay NFC Method)

Session theft by PC trojans. During an eKaay login the browser receives a one-time, short-term password. This can be stolen by a trojan on the PC and abused for a login by the trojan (or its master). This means that eKaay prevents identity theft by trojans, but not session theft by trojans.

Rating: Password: red | eKaay Key: red | eKaay light: red | eKaay PIN: red | eKaay NFC: red

Session watching by PC trojans. During a login session, every piece of information the portal server sends to the browser and everything the user enters can be watched by a PC trojan. There is no way to prevent this with a method like password or eKaay.

Rating: Password: red | eKaay Key: red | eKaay light: red | eKaay PIN: red | eKaay NFC: red

Spoofing server. A deceptive server A could make its URL and webpage look like a well-known webpage B. A could pick up a 2D code from B and show it on its own login page. If a user of B is for some reason directed to A, he may try to log into server B via eKaay. The deceptive server A could then steal the session the moment it opens on the screen. This attack is not relevant because the deceptive server could just as well steal the user's username/password via the same fake login page; that way it would obtain not only a session but the user's identity for server B.

Rating: Password: red | eKaay Key: yellow | eKaay light: red | eKaay PIN: yellow | eKaay NFC: yellow

Bait Server. A deceptive server A could try to attract many users (''Free lottery - 1000 Euro'') and convince them to log into its portal regularly. Once in a while the server picks up an eKaay 2D code from some other portal B and shows this 2D code on its login page. A user of the deceptive server who scans the 2D code may also have an account at portal B. This way, the deceptive server may steal this user's session at portal B. This attack is a real danger. Nevertheless, it can be avoided with techniques like ''Ask before Login'' (already implemented) and ''what-you-see-is-where-you-log-in'' (future). A similar bait-server attack, which builds on the fact that many users choose the same username/password combination at different servers, is possible for the password method, and it is much more dangerous because that way the deceptive server steals not only a session but the whole identity.

Rating: Password: yellow | eKaay Key: yellow | eKaay light: yellow | eKaay PIN: yellow | eKaay NFC: yellow
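The one-time, short-term login code from the session-theft paragraph and the ''Ask before Login'' check from the bait-server paragraph, as an added Go model written for this page (not eKaay's own SDK or app code). The challenge layout, the 30-second lifetime, the use of Ed25519 and the way the app compares the code's issuer with the portal the user says they are on are all assumptions; the page gives no wire format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"time"
)

// Challenge is the content of a portal's 2D login code (layout assumed; the page
// gives no wire format). Nonce is the one-time secret, Portal names the issuer.
type Challenge struct {
	Portal, Nonce string
	Expires       time.Time
}
func (c Challenge) bytes() []byte {
	return []byte(c.Portal + "|" + c.Nonce + "|" + c.Expires.UTC().Format(time.RFC3339))
}
// Portal keeps only public keys, so a server data leak yields nothing to log in with.
type Portal struct {
	Name    string
	PubKeys map[string]ed25519.PublicKey
	Pending map[string]Challenge // issued but not yet consumed, keyed by nonce
}
func (p *Portal) Issue() Challenge {
	var b [16]byte
	rand.Read(b[:]) // crypto/rand never returns an error on supported platforms
	c := Challenge{p.Name, hex.EncodeToString(b[:]), time.Now().Add(30 * time.Second)}
	p.Pending[c.Nonce] = c
	return c
}

// Verify accepts a challenge once only, before it expires, with a valid signature.
func (p *Portal) Verify(user string, c Challenge, sig []byte) bool {
	stored, ok := p.Pending[c.Nonce]
	delete(p.Pending, c.Nonce) // consumed on first sight: a replayed login finds nothing
	pub, known := p.PubKeys[user]
	return ok && known && string(stored.bytes()) == string(c.bytes()) &&
		time.Now().Before(c.Expires) && ed25519.Verify(pub, c.bytes(), sig)
}
// Phone models the app; the private key never leaves it.
type Phone struct{ Priv ed25519.PrivateKey }
// Sign models "Ask before Login": a code whose issuer is not the portal the user
// says they are looking at is refused, which is exactly a relayed bait-server code.
func (ph Phone) Sign(c Challenge, userSeesPortal string) ([]byte, bool) {
	if c.Portal != userSeesPortal {
		return nil, false
	}
	return ed25519.Sign(ph.Priv, c.bytes()), true
}
```

Enrolment is modelled by placing the phone's public key in the portal's PubKeys map; a stolen copy of that map gives an attacker nothing to sign with.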

DoS Attack. eKaay offers no protection against Denial-of-Service attacks.

Rating: Password: red | eKaay Key: red | eKaay light: red | eKaay PIN: red | eKaay NFC: red

Certification. There is no certification of eKaay yet.

Software Backdoor check. Programmers of the eKaay software could have built backdoors into it. The SDK is open source and not too large, so the customer can check it for backdoors. The mobile software, i.e. the apps, is not open source; customers have to trust that it is backdoor-free. We confirm that no backdoors are built into the server software or into the apps, and in particular that no usage log files are sent.
