Q: What do I need to access a web page protected by BrowserKey?
A: The free BrowserKey Client
installed and running,
a Java-enabled Web browser (such as Microsoft Internet Explorer or Netscape
Navigator) and a valid BrowserKey password (provided by the owners of the web page(s) protected by BrowserKey) are the minimum
items required to access any BrowserKey
protected web page.
Q: Why is BrowserKey good for me as a web surfer?
A: Some web-sites that are intended to be
highly secure, such as
online banking interfaces, require only a username and password to gain
access. If your username and password are compromised (hacked, sniffed,
stolen, guessed, etc.), your account can be compromised as well. Sites protected by BrowserKey assure that only you can access
your online resources, and only from the computers you specify.
Depending on how the developer of the BrowserKey
protected web page(s) setup their BrowserKey protected web page(s), you may
never need to enter a username and password again to access certain BrowserKey
protected pages. You save time and can say "goodbye" to
remembering complicated username and passwords when connecting to web pages
protected by BrowserKey and not username/password user authentication.*
*Some pages protected by BrowserKey still require
username/password log-in depending on the developer's implementation of
Q: Is the BrowserKey Client Application really free?
A: Yes, the BrowserKey Client
Application is absolutely free.
Q: Is installation of the BrowserKey Client Application
A: No, you are provided with a simple
setup package that does all of the work for you in a manner you may be familiar
with if you install other software packages on your computer.
Q: Is connecting to a BrowserKey protected web page complicated?
A: Far from it. BrowserKey allows
you to connect to web pages the same way you are used to, using your favorite
Java-enabled web browser such as Microsoft Internet Explorer, or Netscape
Navigator. Depending on how the owner of the BrowserKey protected web
page(s) setup their authentication, you may never need to enter a username and
password again to access certain BrowserKey protected pages!
Q: Will connecting to a BrowserKey protected web page take
longer than connecting to a regular web page?
A: Downloading a BrowserKey protected web
page is no different than downloading a regular web page, the content is
identical (the same download size).
Q: Will the BrowserKey Client Application slow my
A: The BrowserKey Client Application
has a very small memory footprint. You should not notice any difference in
your computers operational speed after installation of the BrowserKey Client
Q: What are the minimum requirements to run the BrowserKey Client Application
and to connect to a web site protected by BrowserKey?
A: The BrowserKey Client Application
is designed to operate in a 32-bit windows environment (such as Windows 95,
Windows 98, Windows NT, Windows 2000, Windows XP, or the MAC OS running a
product such as Virtual PC
for Mac running Windows) on a computer with at least 5 MB of free disk
space, at least 16 MB of memory, a monitor, and a keyboard (a mouse helps, but
is not required). If you are connecting to an Internet web site, an
Internet connection is required. If you are connecting to an Intranet web
site, an Intranet connection is required.
To connect to a web site protected by BrowserKey you
will need to use a Java-capable web browser such as Microsoft Internet Explorer,
or Netscape Navigator.
Don't worry, most PCs already meet the above
Q: Does the BrowserKey Client Application contain any
third-party add-on applications (spy ware, etc.) to facilitate you giving it
away for free?
A: Absolutely not, the BrowserKey Client
Application setup package includes only the files required to get the BrowserKey Client
Application up and running on your computer quickly and easily.
Q: Does the BrowserKey Client Application send any of
my personal information or information about my computer over the network,
Internet, Intranet, etc?
A: The BrowserKey Client
Application does not send out any personal information, it does not even
send your BrowserKey password(s). An ID is calculated by the BrowserKey Client Application
when you connect to a BrowserKey authentication web page. If you
successfully authenticate, this ID is transmitted to the web server along with a
web server application session variable that is also transmitted by your web
browser (this information is usually sent by the BrowserKey Client
Application only once during a browsing session, depending on the web page
developer's implementation of BrowserKey). Said ID may be on record with
the web site owner, allowing the web site owner/developer to determine who is
connecting to a web page at any given time.
Q: How does BrowserKey protect my site?
A: BrowserKey protects a website by enforcing that only specific client machines (a personal computer for instance) can connect to a
BrowserKey Protected Resource. The website developer/owner controls which client machines are allowed to connect by issuing a
BrowserKey Password for only those client machines that are licensed to connect to your
BrowserKey Protected Resource(s). The BrowserKey Password is client machine
and BrowserKey Lock specific. End-users attempting to use a BrowserKey Password on a client machine
other than the client machine for which the BrowserKey Password was
intended will find that the BrowserKey Password will not be accepted. The end-user will not be able to access the
BrowserKey Protected Resource from the unauthorized client machine without
first requesting a BrowserKey Password from the website developer/owner.
In theory, your end-users possessing only a single user license to your BrowserKey Protected Resource
will only be issued one BrowserKey Password by you. Therefore, they will not have the ability to connect from more than one client
machine unless they purchase another license to your BrowserKey Protected Resource
from you. Our customers typically find that they begin selling more licenses to existing customers
after they implement the BrowserKey system.
Q: Does BrowserKey use cumbersome/expensive hardware dongles,
real-time key generation hardware, or biometrics?
A: No. BrowserKey is completely
software-based making it much easier to implement and maintain than other
Q: Is BrowserKey just user authentication technology?
A: No, BrowserKey is much more advanced
and by itself does not
make any attempt to recognize individual users. BrowserKey authenticates based on the
connecting client machine (such as a personal computer). Because a user
is usually initiating the authentication of a client machine, it is easy to
think of this process as user authentication, but it is not.
Q: What if want to use user authentication to protect my
page(s) in addition to
A: User authentication technology (such
as username/password authentication technology) can be used along with and in
addition to BrowserKey, should the developer choose to do so. Many
developers choose to so this, but it is certainly not required. BrowserKey provides strong authentication without the need to manage a
database of usernames and passwords, one of the many advantages BrowserKey has
over most user authentication systems.
Q: What is a BrowserKey Client Key?
A: A BrowserKey Client Key is a
temporary unique identifying "key" that is automatically created and stored in the
BrowserKey Client Key Storage Application after an end-user initiates
a successful client machine log-in into a BrowserKey Protected Resource
(simply via connecting to a BrowserKey Protected Resource via a
Java-enabled PC-based web browser) . If the same user successfully logs into the same BrowserKey
Protected Resource from two discreet browser sessions* or two client machines (two personal computers for
instance), two BrowserKey Client Keys are created, one for each
session or client. A BrowserKey Client Key expires sixty (60) minutes after
it is created.
*different than two browser windows sharing the same web server environment
session variables, where the second window is usually spawned via
additional browser windows utilizing the same user session as the original
Q: What is a BrowserKey Protected Resource?
A: A BrowserKey Protected Resource is defined as
any one of the following depending on your implementation of BrowserKey: 1) all website's hosted on a single
web server commonly protected with the same BrowserKey Lock; 2) a web
site protected with the same BrowserKey Lock; 3) a group of web pages
protected with the same BrowserKey Lock; or, 4) a single web page
protected with a BrowserKey Lock.
Q: What is a BrowserKey Lock?
A: One BrowserKey Lock (in the
form of a dynamic link library (DLL) file) is provided at no additional charge
to the BrowserKey Customer with each licensed copy of BrowserKey
purchased. This file is provided for ultimate automatic transfer to the
BrowserKey end-user's client machine (a personal computer for instance).
Q: What is the BrowserKey Client Key Storage Application?
A: A program that when installed on the
web server computer, stores temporary unique BrowserKey Client Keys,
and responds to queries from the BrowserKey Active-X DLL.
Q: What is the BrowserKey Active-X DLL?
A: A file, in the form of an Active-X dynamic link library (Active-X DLL), that
is leveraged to create an object within an authenticating web page (setup by
the developer (free samples are available)) which serves as a communication
conduit between the BrowserKey Client Key Storage Application and the
developer's script / BrowserKey Protected Resource.
Q: Is there a backup facility in the BrowserKey Client Key Storage Application
to cover data loss?
A: BrowserKey in itself does not rely on permanently storing any client machine data on the server-end, so there is no BrowserKey related data to
Q: If I choose to purchase a BrowserKey license for X maximum concurrent
service users does it mean each user can log on X times or
does it mean that only X people can log on at any one time? In other
words, what do you mean by "maximum number of concurrent service
A: The maximum number of concurrent
service users is
calculated as the maximum number of simultaneous BrowserKey Client Keys that are
allowed to exist in the BrowserKey Client Key Storage Application
at any given time. Only
one BrowserKey Client Key is required per authenticated client per BrowserKey
Protected Resource, provided one does not wish to authenticate a
client more than
once during a client session, which one normally would not have reason to
do. If X BrowserKey Client Keys exist in the BrowserKey
Client Key Storage Application when client number X+1 attempts to
authenticate, the BrowserKey system will not authenticate client number X+1,
even if it is a valid client. A BrowserKey Client Key expires sixty
(60) minutes after it is created, so client number X+1 must wait until the
oldest Client Key expires before it can successfully authenticate.
Because client X+1 can authenticate after the oldest BrowserKey Client Key expires,
it is possible to have more than X clients using a BrowserKey Protected Resource,
however we recommend that you do not put your users in a position where they
need to wait for other client's BrowserKey Client Keys to expire,
otherwise they may become impatient. We recommend giving yourself plenty
of breathing room by purchasing a license that will cover the demands set by
your users during the periods of your highest traffic.
Q: Your licensing states that BrowserKey Client Keys
expire after sixty (60) minutes, is this after sixty (60) minutes of
inactivity, or is the client/user forced out after 60 minutes?
A: Neither. A
BrowserKey Client Key expires sixty (60) minutes after
it is created, regardless of the client/user's
activities and are independent of session timeouts created in the web
server environment. Most developers choose to authenticate using BrowserKey
only once per session -- at the beginning of the session. If the client
passes BrowserKey authentication, the developer can set a session variable
within the web server environment to track the status of the client as
authenticated. Session timeout settings in the web server environment can
then be adjusted to control the length of time the client's status is allowed to
continue as authenticated during periods of inactivity. If upon checking
said session variable (usually the first step performed before rendering any
secure page) it is found that the client does not have authenticated status
(the default state), the developer will usually redirect the client browser to an access
denied page or a (re-)authentication page.
Keep in mind that BrowserKey is
as flexible as the developer's imagination, and that this example only
represents one of the infinite number of BrowserKey configuration possibilities.
Q: If I start by purchasing a license for X maximum concurrent
service users can I increase the number of maximum concurrent service
A: Yes. Upgrading is as simple
as shutting down the BrowserKey Client Key Storage Application service on the
web server, manually starting the BrowserKey Client Key Storage
selecting the "License Management" button, entering an
updated password provided in response to an upgrade purchase, and
restarting the BrowserKey Client Key Storage Application service.
Q: What platform do the server-side components of BrowserKey
A: Currently the server-side BrowserKey
components are designed to operate on 32-bit windows installations running web
servers capable of tracking session variables and capable of interfacing with
Active-X objects via server-side script (such as Microsoft Internet
Information Server 4.0 and later). We have future plans to develop
server-side BrowserKey components supporting Linux as well.
Q: Is setup of the end-user client machine(s) complicated?
A: No. Steps to setup the client machine are as simple as the following: 1) install the
BrowserKey Client Application on the client machine; 2) visit the BrowserKey Protected Resource authentication page with a Java-capable web browser using the client machine (the BrowserKey Lock DLL for this
BrowserKey Protected Resource is then automatically downloaded to the client machine); 3) opt to trust (or optionally permanently trust) the
automatically downloaded digitally signed BrowserKey Java Applet; 4) request a
BrowserKey Password (usually by clicking on the password request button on the
BrowserKey Lock form that pops-up on the client machine); 5) generate/issue the
BrowserKey Password for the client machine; 6) re-visit the BrowserKey authentication page with a Java-capable web browser on the client machine and enter the issued
BrowserKey Password into the BrowserKey Lock form that again pops-up.
Client machine authentications subsequent to valid BrowserKey Password entry in step 6 do not require any user interaction whatsoever (provided the end-user opted to permanently trust the digitally signed
BrowserKey Java Applet in step 3).
If the client machine already has the BrowserKey Client Application installed, only steps 2-6 are required to setup access to other
BrowserKey Protected Resource(s).
Note that the only step that requires website owner/developer interaction is step 5, and even that can be automated by the website developer if so elected. In other words, administration/setup of client machine accounts takes very little time and effort by the website owner developer.
If the calculated client machine ID of a client machine changes for any reason (this usually only occurs when major hardware changes are made to the client machine) steps 4-6 must be re-completed.
Q: What does an end-user requesting a BrowserKey Password
A: BrowserKey Password issuance
begins with the end-user of a client machine requesting a password via a button on the client-side
BrowserKey Lock registration form, or via facsimile (fax), phone, etc. To simplify and automate the fulfillment of
BrowserKey Password requests, we recommend end-users utilize the button on the client-side
BrowserKey Lock registration form.
If the end-user requests a password via the button on the client-side BrowserKey Lock registration form, the client machine's web browser is redirected to a URL pre-specified and created/maintained by the website owner/developer. Three parameters are appended to this URL by the BrowserKey system on the client-side: the calculated client machine ID (which generally does not change over time unless major hardware changes are made to the client machine), name (entered by end-user), and email address (entered by end-user).
The web page can then do whatever the developer sets it up to do, using the parameter value data passed in the URL. For example, one or more of the following can be done automatically via server-side web scripting: 1) email the
BrowserKey Password request to the website owner/developer for manual BrowserKey Password generation; and/or, 2) add the
BrowserKey Password request information to a database table (created and maintained by the website owner/developer); and/or, 3) automatically generate/email a
BrowserKey Password to the website owner/developer and/or end-user.
In the case where the information (client machine ID, name, email address) is written to a database table, it is easy to track any additional information such as the date/time the
BrowserKey Password was requested, web server environment session variables (such as username if you are also using username/password authentication and are tracking the username as a session variable), end-user
BrowserKey Protected Resource license expiration dates (some web site owners/developers use this database table to further control access by referring to this table after BrowserKey authenticates),
BrowserKey Passwords, etc. If applicable, backup of this type of data is of course encouraged, but this optionally tracked data is completely independent and nonessential to BrowserKey's core functionality (client machine authentication).
Q: What does generating/issuing a BrowserKey Password
Generation/emailing of the BrowserKey Password to the owner/developer and/or end-user is conducted either manually by the web site owner or automatically (via server-side URL redirection web scripting setup by the website developer) through a secure online interface at the BrowserKey website.
NOTE: We do not recommend the automatic generation/emailing of BrowserKey Passwords unless you have sufficient systems in place to determine that
BrowserKey Password requests are coming from valid licensed end-users of your
BrowserKey Protected Resource(s). This can be achieved by automatically issuing
BrowserKey Passwords only to authorized end-users who have been pre-entered into a server-side database table
and not allowing more than one request by this end-user by toggling a boolean field in said table after the initial request is
made (using the name and email address passed in the URL (during the
end-user's BrowserKey Password request step) as key fields in a SQL
WHERE clause (remember that the client machine ID is in theory un known prior to
the end-user requesting a BrowserKey Password, so this can't be used
as a key field at this time)). Many BrowserKey administrators/customers choose to manually generate/issue
BrowserKey Passwords for a more "hands-on feel" of things.
Q: End-users are forever changing machines or using Internet cafes,
libraries, etc to connect to the Internet. How does BrowserKey handle
A: Because BrowserKey is based on client
machine authentication, it is intended for use on client machines owned/administered by the end-user on which they can install software. We recommend creating an intentional "backdoor" to your site that
only relies on traditional web-based username and password "user authentication" (bypassing the BrowserKey system),
and that you supply information relative to this "backdoor" only to
end-users who require the ability to connect from random client machines that they do not own/administer.
You may wish to require that your customers/end-users purchase a special
(probably more expensive) license for the right to access this
Q: Do firewalls present a problem for BrowserKey?
A: No. BrowserKey requires that inbound TCP traffic be allowed on port 11,000 on the server running the
BrowserKey Client Key Storage Application. Usually client-end firewall adjustments are not required, however if the
client is behind a firewall that blocks outbound TCP traffic on port 11,000 this will need to be changed by the
client-end firewall administrator. Future free upgrades to the
BrowserKey system may include the ability to run the BrowserKey Client Key Storage
Application on a port number selected by the website developer/owner (in
theory future versions may be run on port 80 if so elected, eliminating
client-end outbound firewall issues as port 80 is typically open for outbound
TCP traffic (HTTP protocol traffic)).