I recall reading where guys are using FMP for flashing PCM, with FMP apparently handling security challenge / response to get authority to flash the PCM.
I am interested to know how both the following products handle security authorisation for flashing?

1. HPTuners with their VCM suite
2. SCT X2/ X3 X4

Do they:

a. connect via the internet to Ford to get authorisation, e.g connecting to FMP back end?
b. somehow bypass the authorisation altogether?
c. have the licensed the security algorithm from ford and included in their own code so that no external (outside the tool) interaction is required for authorisation?
d. They have figured out how the algorithm works and implemented their own version in their software / firmware?

Has anyone used either of these two products who can shed some light on how they think these products are handling the security authorisation, also whether you need to be connected to the internet at any stage to reflash?

They have almost certainly reverse engineered the seed key algorithm and implemented it themselves. On their forums you can see discussions back in 2003 of how they reverse engineered the GM seed key algorithm (very simple).

Neither package requires internet connectivity to flash.

I don't believe it is possible to license it from ford as that would stop people buying IDS.