Today we announced a new pricing program for home users: pay what you want. This variable payment plan for home users is based on the recent bands that have tested this system (Radiohead and NIN). But the trigger was also the free for home use offer for SSL-Explorer>. I have, of course, seen a lot of free for home use enterprise software and we may yet go there. But I also believe that this should be an interesting experiment.

My feeling is that the market for Enterprise-class two-factor authentication for the home is pretty small. Remember that the only current difference between the open source Community version and the Enterprise is the wireless token clients for J2ME, Blackberry and SmartPhone/Windows Mobile and support for radius. Yet, I still think this is worth the effort (which is pretty minimal :).

• Anyone that wants two-factor authentication for their home is a super-geek and is proablaby an influencer of such decisions at work.
• Anyone who is such a geek appreciates price discrimination as a strategy.
• Anyone who chooses the Enterprise version for home use must really appreciate the differences between the Community and Enterprise version and is therefore getting value.
• Supporting such uber-users should be fairly easy - and it should make our support systems all the better.

The base price is $10/year. To pay more, please just add more $10 items to the cart. Payment is via Google.

I don't have a prediction for sales. I have extremely low-expecations on volume, but higher expectations on affect.

And no, this isn't an April Fool's joke :). For that you can go here.

One can hope: An eternal optimist asks Enterprise Vendors to pave the way for two-factor authentication.

Gotta love open source. To paraphrase, if the project you are looking for doesn't exist, just wait (or start it yourself). I've been wanting to do a proof-of-concept on adding two-factor authentication to Google Apps for you Domain for a long time. And while we will probably put this functionality into the WiKID server down the road, I wanted something right now :).

Today, we released a WiKID plugin for the GHeimdall (silent G) project. GHeimdall is a TurboGears project for Google Apps SSO service that allows you to use your own authentication service to log into Google Apps for your Domain. There are sample plugins that made it quite easy to create a WiKID plugin using our Python code.

Applications in the cloud like Google's Apps face serious security threats from keystroke loggers and potential Man-in-the-middle attacks. While these threats won't stop most personal users, it can be an issue for corporate users or people that care about security. Eventually, the threats might seriously impede market growth. One friend of mine had his Yahoo mail credentials stolen. He had no option but to get a new account (this time on GMail) and he lost all this emails and contact information as it was his only account and he used it for business. What did the attackers gain? A valid account from which they could send spam. And they probably sent spam to all his contacts.

You can upgrade your Google Apps account to the Premier Edition for 30 days. You can also download and test the WiKID two-factor authentication server for 30 days or use the open source community edition.

The WiKID-GHeimdall plugin is pretty basic and it works, but should be considered "experimental". There is a how-to in the package. Thanks to Takashi Matsuo for his help and for developing GHeimdall.

We realized that our current two-factor software token requires Java 1.6, which is not yet available on OS X. I've added links on the token download page to the last token client which supports Java 1.5 in a plain jar and as an installer jar. Apologies to any Mac users that had trouble with the token.

For some reason, I really enjoyed this impromptu review of image-based "multi-factor authentication". These image-based site authentication tools are sadly mislabeled as two-factor authentication, which is a personal cocktail party tragedy for me:

Party go-er: You do what? What is two-factor authentication?

Me: Well, you use it all the time at the ATM where you need both possession of the card and knowledge of the PIN to get your cash. Ours is like that, only you need possession of the secret key in our software and knowledge of the PIN to get a one-time passcode that you then use to get access to a corporate VPN or a website.

Party Go-er: Oh, my bank is using two-factor authentication. The second factor is a picture of a cat they have to show me.

Me:Yeahhh, that's not really two-factor. They are trying to prevent a man-in-the-middle attack by trying to identify the site to you in way that is simple. Unfortunately, there is still nothing that prevents and man-in-the-middle from replaying that picture to you because there is no cryptograpy involved. We have a process that combines one-time passcodes and a cryptographically secure mutual https authentication mechanism to prevent network-based man-in-the-middle attacks...

Pary Goner Oh, are they bringing our more pigs-in-a-blanket. I have to get more of those...

It has been brought to our attention by the team at ush.it that the sample.php page in our PHP Network Client has code that could have been exploited via an XSS attack. The sample page is not part of the network client itself, it is just provided as an example of how to add two-factor authentication to PHP applications.

We've touched base with the Enterprise users that we know have used WiKID in their PHP applications. So far, no one has used that code. Rather, they have taken their existing authentication pages and added the WiKID code to bring two-factor authentication into the mix.

More information on the code in question can be found here

Updated: Corrected link.

We are having a first ever "corporate" "retreat" at a secret undisclosed location this week (4/14-4/18), so responses may be somewhat slower than you've come to expect. We apologize for any inconvenience.

One of our customers is attempting to go 100% open source, which factored heavily in their choice of WiKID for two-factor authentication. They liked our "appliance in an ISO" model, but were not so fond of our use of Java :)