PassWindow is a technique for producing one-time passwords and facilitating transaction verification that is used as an online second-factor authentication method.
The system works by encoding digits into a segment matrix similar to the seven-segment matrices used in digital displays. The matrix is then divided into two component patterns that reveal the whole when superimposed.
Half of the pattern is printed on a transparent region of a plastic card, while the other is displayed on an electronic screen such as a computer monitor. These are referred to as the key pattern and challenge pattern, respectively.
Each key pattern is unique, and the challenge pattern can only be decoded by its corresponding printed key.
By varying the challenge pattern displayed on the screen, a series of digits can be communicated to the card holder without being visually revealed on the screen.
PassWindow is typically implemented such that an animated, perpetually looping sequence of challenge patterns is displayed, each encoding a single digit placed in a random location within the matrix.
A valid solution to this challenge then consists of a specified number of consecutively appearing digits.
By printing a PassWindow key pattern on a piece of transparent media, such as a transparent section of a plastic card, a standard plastic ID-1 card can serve as a physical token (something you have) in a two-factor authentication system.
Using the PassWindow system, a challenge pattern containing a string of digits and/or letters can be generated for a specific key pattern by an authentication server with knowledge of the shared secret (the user's key pattern).
The user decodes the sequence of digits from the pattern using their PassWindow key and sends this as a response to the server's challenge. The correct response confirms that the client has physical access to the token.
These digits are then used as a one-time password.
Mutual authentication or two-way authentication (sometimes written as 2WAY authentication) refers to two parties authenticating each other suitably. In technology terms, it refers to a client or user authenticating themselves to a server and that server authenticating itself to the user in such a way that both parties are assured of the others' identity. When describing online authentication processes, mutual authentication is often referred to as website-to-user authentication, or site-to-user authentication.
In the simplest case, the client verifies the server from which they are receiving their challenge by confirming that the solution is intelligible when they superimpose their key over the challenge. An unintelligible or corrupted challenge alerts the user that they may not be connected to the server they intend.
In addition, a known string of digits may be encoded into the challenge at the time of generation to provide additional server-to-client authentication to prevent the replay of stored challenges. Known as a verification code, examples include destination account numbers or transaction totals when used to secure online monetary transactions. This use is often referred to as transaction verification and forms the primary basis for PassWindow's exceptional resilience to Man-in-the-middle (MITM) and Man-in-the-browser (MITB) attacks.
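The challenge/response mechanism described above, and the verification-code use just mentioned, as an added worked model that is not PassWindow's own code: the key and challenge are sets of (cell, segment) pairs over a row of seven-segment cells, and the overlay is modelled as a set union. The cell count, the sample key and the noise rule are assumptions made for the example.

```python
import random

# Assumed simplified model (not the vendor's implementation): a row of CELLS
# seven-segment cells; key and challenge are sets of (cell, segment) pairs.
SEGMENTS = "abcdefg"
DIGITS = {"0": "abcdef", "1": "bc", "2": "abdeg", "3": "abcdg", "4": "bcfg",
          "5": "acdfg", "6": "acdefg", "7": "abc", "8": "abcdefg", "9": "abcdfg"}
SEG_TO_DIGIT = {frozenset(v): d for d, v in DIGITS.items()}
CELLS = 6
# Constructed sample key; a real card's key is random and secret.
SAMPLE_KEY = frozenset({(0, "b"), (1, "c"), (2, "a"), (2, "f"), (3, "e"),
                        (3, "g"), (4, "d"), (5, "a"), (5, "b")})

def cell_segments(pattern, cell):
    return frozenset(s for c, s in pattern if c == cell)

def make_challenge(key, digit, rng=random.SystemRandom()):
    """Server: choose a cell where the key's segments are a proper subset of the
    digit, light only the missing segments there, and fill the other cells with
    noise that forms no digit either alone or once the key is overlaid."""
    target = frozenset(DIGITS[digit])
    usable = [c for c in range(CELLS) if cell_segments(key, c) < target]
    if not usable:
        raise ValueError(f"key has no cell that can complete digit {digit}")
    cell = rng.choice(usable)
    challenge = {(cell, s) for s in target - cell_segments(key, cell)}
    for c in range(CELLS):
        if c == cell:
            continue
        while True:
            noise = frozenset(rng.sample(SEGMENTS, rng.randint(1, 4)))
            if noise not in SEG_TO_DIGIT and (noise | cell_segments(key, c)) not in SEG_TO_DIGIT:
                break
        challenge |= {(c, s) for s in noise}
    return frozenset(challenge)

def decode(key, challenge):
    """User: overlay key on challenge (set union) and read the single cell that
    forms a digit; None means the challenge is unintelligible with this key."""
    seen = [SEG_TO_DIGIT[cell_segments(key, c) | cell_segments(challenge, c)]
            for c in range(CELLS)
            if (cell_segments(key, c) | cell_segments(challenge, c)) in SEG_TO_DIGIT]
    return seen[0] if len(seen) == 1 else None

def encode_code(key, code, rng=random.SystemRandom()):
    """One frame per character of a verification code (e.g. account digits)."""
    return [make_challenge(key, d, rng) for d in code]

def decode_code(key, frames):
    return "".join(decode(key, f) or "?" for f in frames)
```

Decoding a challenge without the key (an eavesdropper's view of the screen) never yields the encoded digit, and a blank or corrupted challenge decodes to None, which is the "unintelligible challenge" signal the text describes.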
Matt Walker, an Australian, invented the original PassWindow concept after many years researching various online two-factor authentication systems. The high cost of many electronic token systems, as well as their inability to protect against an ever-increasing array of complex attacks, forced Matthew to completely rethink the way modern authentication is conducted.
During the intervening period, while the security world looked for ever more complex and high-tech solutions, which were apparently increasingly vulnerable to ever more complex and high-tech attacks, Matthew decided to take the opposite approach and look for an authentication solution with pure simplicity at its core.
In the process, he discovered an entirely new secure method in online security.[1]