The Future Of Web Authentication

Published: 22/11/2024   Category: security

After years of relying on passwords, technology vendors -- and enterprises -- are ready for new methods of proving user identity.

From Dark Reading's May 2013 Supplemental issue
It may have been drawn two decades ago, but the old New Yorker cartoon still rings true: "On the Internet, nobody knows you're a dog."
"It's really easy to be whoever you want to be on the Internet," says Paul Simmonds, a board member of the Jericho Forum, a group of security thought leaders dedicated to advancing secure business in open network architectures. "We've known about it as an industry for 20 years. We've done almost nothing about it. So shame on us."
The process of authenticating users online -- that is, verifying that you are who you say you are -- has remained largely unchanged for years. When Internet users register to get access to a website, they provide an online service, called a relying party, with personal information to prove their identity. They create user names and passwords, and forever after use that combo to prove their identity to the relying party when logging in. It's simple, it's intuitive -- and it's highly insecure.
"The user name-password approach is the lowest common denominator for authenticating," says Clain Anderson, director of software at Lenovo. "It's like using sticks and rocks versus a rocket launcher," he says.
In the near term, vendors and researchers are supplanting or augmenting passwords with easier and cheaper authentication factors, such as fingerprints, mobile phone tokens and digital certificates based on asymmetric cryptography. Along the way, a number of industry coalitions are working on replacing passwords altogether.
The Password Problem
Shared secrets like passwords have been around for thousands of years. In computing, pioneers at MIT set up a password system in the 1960s to help meter users' time on the school's time-share computer system. Even then people gamed the system. The story goes that one of the scientists got hold of a master password from the password repository and handed it around to his friends so they could get more than the four hours per week allotted.
That early hack highlights the inherent problem with passwords: To remain effective, they have to remain secret. And to break the system, a hacker need only get into the main password repository.
"It's a brittle system," says Phil Dunkelberger, CEO of authentication vendor Nok Nok Labs, one that "can't adequately protect today's scale of users and nodes connected through cloud- and grid-based computing."
Passwords are particularly problematic for Internet security, as frequent hacks and breaches show. Just last month, a breach at LivingSocial, an online coupon company, exposed 50 million user passwords. Such break-ins give hackers the power to masquerade as any number of Internet users online. And when they aren't stealing credentials, cyber thieves use password guessing and cracking tools to compromise authentication systems.
Users themselves frequently assist the thieves, falling for phishing scams and reusing passwords across different sites. "Breaking into the system and stealing the passwords isn't even the biggest problem," says John Bradley, senior technical architect for authentication vendor Ping Identity and an evangelist for open identity standards like OAuth and OpenID. "The biggest problem is that people give them away all the time."
Security leaders for years have said that passwords must be abolished, but the alternatives have fallen flat because they're built on flawed assumptions, Jericho Forum's Simmonds says. For example, challenge-and-response systems assume that attackers can't find the answers to users' established questions. And hardware token systems assume that attackers couldn't steal the tokens or the algorithmic information that powers them.
So far, no one has found an intuitive, affordable way for users to sign in to accounts with the same kind of uniform acceptance as passwords. Even passwords aren't necessarily that easy to use. According to a Ponemon Institute survey sponsored by Nok Nok Labs, 69% of 754 U.S. respondents say they've forgotten a too-long or too-complex Internet password, and 67% have been locked out of a site because of password problems.
"Since Web authentication isn't secure or easy," says Emilio Martinez, CEO of Agnitio, a voice-recognition biometrics firm, "we have the worst of both worlds."
The Limits Of Multifactor Authentication
The security industry has developed a number of workable, if imperfect, supplemental authentication factors to tack onto the user name-password schema.
The most basic is a challenge question system that requires users to answer questions that strangers wouldn't likely know, such as "What is your mother's maiden name?" and "What street did you grow up on?" While this approach raises the barrier to entry into a site or a system, the answers can be stolen or found with Internet searches.
More secure are biometric readers that tie fingerprints, retinal images or voice prints to a user's identity. There also are hardware-based one-time-password tokens, such as those RSA sells. A user gets a key-chain-sized hardware fob that generates a multi-digit PIN from an algorithm that combines some variable, like the time of day, with an additional value stored on the device called the seed. That seed is tied to the user's identity on the back-end system that controls access to whatever software or online site needs protecting. Each time the user logs in, he presses a button on the fob to get a PIN that's created on the spot from the algorithm, the variable and the seed value. The person then enters a user name, password and PIN into the system, which recomputes the PIN from its own copy of that user's seed and the same variable, and accepts the login only if the two PINs match.
Hardware tokens and biometrics have worked reasonably well in business environments that require people to sign on to an internal network, hardware device or software system. However, they haven't translated well online, because the cost of providing tens of thousands of people with the hardware is prohibitive. Two-factor systems based on tokens are difficult to use, since people must have the PIN-generating device any time they log on. For online authentication to be widely used, people would have to carry numerous fobs to authenticate to multiple websites. It's an unwieldy process and still based on shared secrets -- though admittedly more complicated ones.
Crooks can't steal the shared secret directly, but they can steal a person's hardware token and log on as that user. In 2011, thieves attacked RSA and gained access to the token seed data for many customers in one fell swoop, forcing the company to reissue tokens with new shared secrets.
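The fob mechanism described above, and the reason a stolen seed store matters, as an added example that is not part of the original article: the open RFC 6238 time-based one-time-password construction (HMAC-SHA1, 30-second steps, 6 digits) stands in for the fob's algorithm, which the article does not specify, and the relying party's verification side is included. The seed is the RFC's published test seed, not a real one.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

const (
	stepSeconds = 30 // the "variable": time of day quantised into 30-second steps
	digits      = 6  // length of the displayed PIN
)

// totpCode derives a one-time PIN from the shared seed and a time-step counter
// using the RFC 6238 construction: HMAC-SHA1 over the counter, dynamic truncation.
func totpCode(seed []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, seed)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := int(sum[len(sum)-1] & 0x0f) // low nibble of the last byte picks the offset
	bin := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, bin%mod)
}

// stepCounter maps a Unix timestamp to the time-step counter both sides compute.
func stepCounter(unix int64) uint64 { return uint64(unix / stepSeconds) }

// verifyTOTP is the relying party's side: it recomputes the PIN from its own copy of
// the seed and tolerates one step of clock skew either way. The server must hold the
// same seed as the fob, which is why a breach of the seed store exposes every token.
func verifyTOTP(seed []byte, code string, unix int64) bool {
	c := stepCounter(unix)
	candidates := []uint64{c, c + 1}
	if c > 0 {
		candidates = append(candidates, c-1)
	}
	for _, cand := range candidates {
		// constant-time comparison so timing does not leak the expected PIN
		if hmac.Equal([]byte(totpCode(seed, cand)), []byte(code)) {
			return true
		}
	}
	return false
}

func main() {
	seed := []byte("12345678901234567890") // constructed seed (RFC 6238 test vector)
	now := time.Now().Unix()
	code := totpCode(seed, stepCounter(now))
	fmt.Println("current PIN:", code, "accepted:", verifyTOTP(seed, code, now))
}
```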
Multifactor Authentication Within Reach
The financial industry has been a proving ground for two-factor authentication. That push came from the Federal Financial Institutions Examination Council, a government auditing body that works on behalf of several financial regulatory agencies, including the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corp., the Office of the Comptroller of the Currency and the Office of Thrift Supervision. The FFIEC released its "Authentication In An Electronic Banking Environment" guidance in 2005, requiring banks to augment passwords with additional risk-mitigation mechanisms. The group started auditing banks for compliance at the end of 2006.
The mandate spurred banks to experiment with various forms of second-factor authentication. Many banks instituted question-and-response systems. They also set up fraud-prevention systems that trigger an additional form of authentication if a high-risk event occurs, such as someone logging in from an unfamiliar computer. That form could be asking a person to enter a code sent via email, text or phone call to an address or number the bank has on file. For high-net-worth customers, some banks invested in hardware tokens. The FFIEC guidance pumped money into development of new forms of authentication, as vendors chased the financial industry's burgeoning compliance market.
But other industries haven't faced these sorts of regulatory requirements, and the costs and inconvenience, along with complacency, have kept them from embracing multifactor authentication. It doesn't make business sense for companies to buy expensive authentication if the accounts they're protecting aren't worth as much as the protections themselves.
Larger online companies, like Google, Twitter and PayPal, see risks to their brands if people get hacked. So all three Internet giants are working on two-factor authenticators. They've each hired authentication experts and are sharing their research on bolstering Web authentication techniques.
Advancements in mobile technology are helping drive multifactor authentication. Putting software tokens on mobile phones could eliminate the need for people to carry around many hardware-based token devices. But this approach continues to use shared secrets -- algorithmic code shared between the user's phone and the relying party's server. Plus, people often use smartphones to access a website, so they're receiving their tokens on the same devices they're using to log in -- referred to as in-band authentication. The in-band approach is only secure as long as the device itself isn't compromised.
An alternative to shared-secret approaches to authentication is to use mobile devices and asymmetric cryptography. This approach relies on digital signatures produced with cryptographic keys that are held on a person's devices. The user's identity information is encrypted and stored on her computer using public key cryptography. The keys to unlock that system sit in the computer browser, on the mobile device and on the identity service provider's cloud server. When the user signs in to a site enabled with the identity provider's software, she must use digital signatures from at least two of these keys to log in. "From the user's point of view, it's simple -- done with a click," says Steve Kirsch, founder and CTO of OneID, an identity provider. Another positive is that the relying parties aren't maintaining central repositories for the bad guys to steal from, Kirsch says.
This system doesn't pose an in-band problem because it uses encryption and because not all of the key information is located on the same device that the user is using to log in. And if attackers were to steal the key information held in the server-side repository, they wouldn't be able to commit a mass breach, because they wouldn't have the key information that each individual user holds. "This model doesn't stop a motivated attacker from potentially breaking it on a case-by-case basis, but it's the difference between retail hacking and wholesale hacking," says Jon Callas, co-founder of encrypted mobile communications vendor Silent Circle.
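The asymmetric alternative described in the two paragraphs above, as an added illustration that is not OneID's code: registration, challenge and signed response with Ed25519, where the relying party stores only public keys and a breach of its table yields nothing that can be replayed. It shows a single device key rather than OneID's two-of-three arrangement; the relying-party name "shop.example" and the user "alice" are constructed, and binding the signature to the site name is a design choice added here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// RelyingParty holds only public keys plus one outstanding nonce per user. Stealing
// this table gives an attacker nothing to sign with or replay: retail, not wholesale.
type RelyingParty struct {
	Name       string
	users      map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewRelyingParty(name string) *RelyingParty {
	return &RelyingParty{name, map[string]ed25519.PublicKey{}, map[string][]byte{}}
}

// Register stores the user's public key; the private key never leaves the device.
func (rp *RelyingParty) Register(user string, pub ed25519.PublicKey) { rp.users[user] = pub }

// Challenge issues a fresh random nonce for one login attempt (nil if user unknown).
func (rp *RelyingParty) Challenge(user string) []byte {
	nonce := make([]byte, 32)
	_, known := rp.users[user]
	if _, err := rand.Read(nonce); err != nil || !known {
		return nil
	}
	rp.challenges[user] = nonce
	return nonce
}

// signedMessage binds the nonce to the site name so a signature for one site fails at another.
func signedMessage(rpName string, nonce []byte) []byte {
	return append([]byte(rpName+"|"), nonce...)
}

// DeviceSign is the user's side: only the signature travels to the server.
func DeviceSign(priv ed25519.PrivateKey, rpName string, nonce []byte) []byte {
	return ed25519.Sign(priv, signedMessage(rpName, nonce))
}

// Verify checks the signature with the stored public key, then consumes the nonce (no replay).
func (rp *RelyingParty) Verify(user string, sig []byte) bool {
	nonce, ok := rp.challenges[user]
	if !ok {
		return false
	}
	delete(rp.challenges, user)
	return ed25519.Verify(rp.users[user], signedMessage(rp.Name, nonce), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // key pair generated on the device
	rp := NewRelyingParty("shop.example")             // constructed relying-party name
	rp.Register("alice", pub)
	fmt.Println("login ok:", rp.Verify("alice", DeviceSign(priv, rp.Name, rp.Challenge("alice"))))
}
```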
Biometric applications incorporated into mobile devices also have potential as authentication mechanisms of the future. Online companies could find ways to use smartphones equipped with cameras, microphones and even built-in fingerprint readers to authenticate accounts. "It will depend on how well these methods are deployed within a wider authentication framework, because consumer device providers will have to enable federated authentication protocols," says Darren Platt, CTO of cloud identity provider Symplified. Done right, this would let carriers provide authentication to third-party apps and services, including e-commerce websites and financial services providers, he says.
Federation To Solve Inconvenience Issues
Federation protocols and other single sign-on back-end standards could provide a missing piece to the authentication puzzle. These standards offer the technical framework to let people use a single set of credentials to log in to numerous sites without sharing their login credentials with all those sites.
Leading the way on this front is OAuth, the open standard that powers Facebook's third-party single sign-on service, which lets a user log in to a huge number of consumer Internet sites using a Facebook login. It's also the protocol behind similar efforts at Twitter and Yahoo.
"The reason we created OAuth was so that you don't give your user name and password to a third party," says Bradley of Ping. If you're logging in by giving an application access to your Twitter account through OAuth, the third-party site gets a token for accessing that user's authenticated identity but never actually gets your user name and password.
So while it doesn't solve the problem of strong authentication at the relying party that provides the initial authentication, it does allow for a much simpler user experience and shields the user's identity. People deal with fewer passwords and are less likely to reuse them. "And it also gives you an HTML plane where you could insert a federated identity that depends on a stronger authentication factor," Bradley says.
Bradley is seeing a movement among the large providers he works with via the OpenID Foundation to start accepting each other's federated logins to reduce the amount of fraud. Federated credentials let people choose strong credentials through a federated identity provider. This approach could sidestep the concerns of users who want strong authentication and the convenience of a single sign-on process without having to trust a social media provider such as Facebook with even more details about their lives.
Tie It All Together With A Long Leash
The approaches vying to replace user names and passwords aren't mutually exclusive. With some integration work, multiple forms of authentication, such as mobile biometrics and a federated identity, could be tied in with a framework like OAuth to make it easy for people to sign on to all their online accounts.
But there are so many pieces to Web authentication that some sort of pattern is needed to keep things from snarling. It will be tough to do, but a number of coalitions and nonprofit brain trusts are working on it.
Jericho Forum's Simmonds and a consortium of U.K. security colleagues are trying to create technology that's similar to OneID through a nonprofit called the Global Identity Foundation.
This group maintains that there's no good way for people to assert their identities online. It supports building a stronger identity foundation by identifying and enrolling a user's core identity in a system on his computer, and then breaking up user attributes into contained personas. So, for example, one persona might be related to a person's login information for a social media site, and it would contain only attribute information around the user's online handle and email address. The same person's citizen persona would handle login information for government sites and might have attributes such as Social Security number and voter registration information. A retail persona may have attributes such as credit card information.
The idea is that core identity information is encrypted on the user's system, and something like biometrics must be used to unlock the appropriate encrypted information. When a person wants to make a transaction, that system would connect with the online server and offer only information within the personas that are relevant to that online system -- so an online purchase may be able to pull from the citizen and retail personas, but posting on a social site could pull only from the less-risky social persona.
"The bad guys can't spoof it," Simmonds says of this type of distributed system. "So even if they take the identity, they can't assert it, because they don't have the crypto components that go with it, because you hold those yourself."
On another front, a newly formed group called the Fast IDentity Online, or FIDO, Alliance is trying to tackle Web authentication by creating a comprehensive open architecture specification designed to act as the glue between technology built into devices, strong-authentication devices and software, and the relying parties' server infrastructure. This group wants to create a platform for FIDO-enabled devices to provide interoperability between all the products that make up the authentication ecosystem.
"It's standard plumbing," says Dunkelberger of Nok Nok, a founding member of FIDO. The alliance hopes to standardize the way relying parties enroll users and their devices, and provide a standard way to inventory devices to find out what FIDO-enabled authentication elements -- such as software tokens, fingerprint readers, cameras and microphones -- they contain.
Such a spec tells the back-end system, "Here's all of the elements you can use to establish a multifactor connection to this person and device," Dunkelberger says. "Then it enrolls the user and provisions the encryption keys on both sides for the challenge-response. And it does it in a standard way, regardless of authentication, regardless of single sign-on, regardless of any of those things," he says. "Everybody wins because we're not out there goring anybody's ox. We don't pick winners on any of those things in the stack."
"FIDO solves the problem of relying parties being unable to trust users' endpoint devices because they don't really know whether there's malware on them or other issues," says Anderson of Lenovo, which is also a founding member of the group. The open architecture provides a trusted authentication method that can work with assurance on any device, so fingerprint readers, for instance, can be tied in "to verify that the right person is accessing the right machine and the right process," he says.
Most important, the open architecture can be adopted across the industry and not just by those with deep pockets, says Michael Barrett, CISO of PayPal, who's also FIDO's president.
PayPal can manage quite well using advanced risk-based authentication systems, Barrett says, but most companies aren't able to develop highly sophisticated options. "The clear mandate for the FIDO Alliance is to make the Internet a safer place for everyone by enabling the development of an ecosystem," he says, "which fosters authentication that's simultaneously easier to use than user IDs and passwords and stronger for relying parties."
Whether it's FIDO or something else, this is the combination necessary to attain the Web authentication holy grail. Tomorrow's authentication option must be more effective than today's passwords -- and as easy, and hopefully easier, to use.
