Reducing Fraud from Shared Passwords

Passwords and cookies are widely used to control access to web-based, pay-for-service businesses. Whether the customer is paying $10,000 to subscribe to high-value research or downloading music at $9.99 a month, the subscriber receives a password or cookie that indicates that the subscriber has paid for the service.

Unfortunately, passwords are easily shared: one individual pays for the service and shares the password with his friends or co-workers. In this manner, many people can use the service even though only one paid for it. This represents a significant loss of revenue for the service provider. Sharing passwords is most prevalent in low-value consumer services, yet the largest loss of revenue is in the high-value research services (consultancies, professional services, and research companies).

Cookies are somewhat more difficult to share. However, there are widely available tools for examining cookies, exporting them, and importing them on other machines. Cookies, too, can therefore be shared, enabling shared pay-for-service accounts.
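With a password or cookie as the only credential, the provider can detect sharing only from behavioural signals after the fact. The following Python script is an added example, not code from the original page or from the WSA: it runs one such heuristic over constructed access-log lines, flagging any account used from more than a set number of distinct client IPs inside a time window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (hypothetical subscribers and documentation IPs):
# timestamp, subscriber id, client IP.  One line per authenticated request.
SAMPLE_LOG = """\
2024-05-01T09:00:12Z alice 203.0.113.10
2024-05-01T09:03:40Z alice 198.51.100.7
2024-05-01T09:05:02Z alice 192.0.2.55
2024-05-01T09:07:19Z alice 203.0.113.10
2024-05-01T09:10:00Z bob 203.0.113.22
2024-05-01T11:30:00Z bob 198.51.100.9
"""


def parse_log(text):
    """Parse log lines into (timestamp, user, ip) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip))
    return events


def find_shared_accounts(events, window=timedelta(minutes=30), max_clients=2):
    """Return {user: set_of_ips} for every account seen from more than
    max_clients distinct IPs within any sliding window of the given length.
    A single subscriber moving between home and office stays under the
    threshold; several people using one password at once do not."""
    by_user = defaultdict(list)
    for ts, user, ip in events:
        by_user[user].append((ts, ip))

    flagged = {}
    for user, hits in by_user.items():
        hits.sort()  # chronological order so each window starts at one hit
        for i, (start, _) in enumerate(hits):
            ips = {ip for ts, ip in hits[i:] if ts - start <= window}
            if len(ips) > max_clients:
                flagged[user] = ips
                break  # one qualifying window is enough to flag the account
    return flagged


if __name__ == "__main__":
    for user, ips in find_shared_accounts(parse_log(SAMPLE_LOG)).items():
        print(f"possible shared account: {user} from {sorted(ips)}")
```

In the sample, alice is flagged (three IPs within five minutes) while bob is not (two IPs, two and a half hours apart); the window and threshold are tuning knobs, not fixed rules.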

The WSA does not use passwords or cookies to authenticate subscribers. Rather, the WSA identifies a subscriber through the subscriber's digital certificate. A certificate is usually stored with the browser on the computer's hard drive. In general, certificates can be exported from one computer and imported to another, but doing so is not for the faint of heart. Certificates created by the WSA, however, are installed on the computer in such a manner that copying them is practically impossible.

Therefore, using a WSA to generate the certificates and authenticate subscribers of a pay-for-service makes it virtually impossible to share accounts. In order to share an account, the users must physically share the computer.

