Identity theft is a threat that makes people lose their money and property in the real world. It’s a given that in the digital world such actions are far more common and easier for an ill-wisher to pull off.
by Alex Sitnikov, CTO, Exscudo
To protect the sensitive data of users, companies developed an array of procedures commonly known as authentication. In essence, authentication lets a service confirm that you are really you and grant access to confidential data or valuable assets selectively. These measures are especially necessary in the financial market, where valuable assets are at stake!
But does the current authentication technology provide adequate protection, how can it be broken and what is being done to improve identity protection?
Most websites and online applications today use one of two popular authentication technologies: a login/password pair, sometimes supplemented with 2-factor authentication. There is no need to explain what a login and password are. Admittedly, we all use them on a daily basis, and almost every one of us can remember the last time we forgot them and lost access to our data.
Login/password pairs open a billion ways for cybercriminals to gain access to personal data, and the reason they are so insecure has to do not only with the technology. Human beings tend to be lazy, and we often skip the best security practices and resort to using passwords like “qwerty” or “12345678.”
That’s right, didn’t you know that unless your password contains upper and lower case characters, numbers and special symbols, it’s as simple as ABC for a hacker to gain access to your account? Time to change your passwords! And better make sure that you use a unique password on each service. Oh, and don’t write them down on your PC or Mac either.
Besides, passwords are usually stored in a centralized database, and sometimes they are not even encrypted, allowing an administrator to gain access to personal accounts at will. And if that’s not enough, when the hashing is done in the browser, it is possible to intercept the request to the server as it is made and use the retrieved hash to emulate use of the password, or even to recover it.
To protect the data of sloppy users who shirk the best practices of data protection, companies developed a procedure called 2-factor authentication. The idea is straightforward and might seem quite brilliant. Instead of relying solely on a login/password pair that is stored in centralized storage and can be compromised or lost, a second identification step is added to the process in the form of an SMS message or an email that contains a unique code needed to access your personal account or confirm a transaction.
With this added step, in theory, if a third party wanted to gain access to your protected data, both your login/password pair and your email address or mobile phone would have to be compromised. However, the problem with this approach is that the login and password still remain unprotected, while the unique code is almost always sent over open channels without encryption.
Your information is least protected while the code is being generated and sent from the company’s server, and again while it is received by your device and processed by your network provider’s server. Do you feel reassured when you access your bank account with an SMS code? Well, don’t.
As it turns out, the authentication technologies implemented on the largest scale today are mostly immature and leave all too much room to be exploited. However, progress does not stand still. Let’s explore what is being done in the industry to protect your digital identity.
Trends in digital authentication
To protect users’ digital identities, more advanced authentication concepts like HOTP, TOTP and PKI are being implemented. Essentially, these methods are still varieties of 2-factor authentication, but they take security to the next level. Of the three, HOTP is the least secure option. It uses a shared, encrypted secret that is stored on the provider’s server and on a digital or hardware token that belongs to the user. When the authentication process is initiated, the user’s token generates a one-time code that is sent to the server. The server software validates it, either granting or denying access, thus eliminating the need to exchange information over vulnerable open protocols like HTTP, SMTP or mobile networks. The weak side of this method is possible desynchronization of the sequence counter between the server and the user’s device.
Examples of companies implementing HOTP are InteractiveBrokers and NBG. Some banks with more advanced authentication procedures give clients hardware tokens that generate one-time passwords. If you’ve ever encountered a device like this, it’s probably HOTP.
To further improve the security and usability of HOTP, TOTP was introduced. Just like HOTP, it uses a shared secret to generate a one-time PIN, but it also uses the current timestamp, which typically advances in 30-second intervals. With TOTP, two entirely isolated systems can create a matching one-time code without counter desynchronization issues; on the other hand, in comparison with HOTP, the user’s device has to be time-synchronized.
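As an added illustration (example code, not from the original article) of how HOTP and TOTP derive their codes and how a server copes with the counter desynchronization and clock skew discussed above, the following uses the RFC 4226 reference test key as a constructed shared secret:

```python
import hashlib
import hmac
import struct

# Shared secret: the RFC 4226 reference test key, used here as a constructed sample.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238) is HOTP whose counter is the number of `step`-second periods since the epoch."""
    return hotp(secret, int(now // step), digits)


def verify_hotp(secret: bytes, server_counter: int, code: str, window: int = 5):
    """Server-side HOTP check with a look-ahead window (RFC 4226 section 7.4).

    A token the user pressed a few times without logging in runs ahead of the server;
    the window lets the server resynchronize. Returns the new server counter on success
    (one past the matched value, so the same code can never be replayed), or None.
    """
    for candidate in range(server_counter, server_counter + window + 1):
        if hmac.compare_digest(hotp(secret, candidate), code):
            return candidate + 1
    return None


def verify_totp(secret: bytes, code: str, now: float, step: int = 30, drift: int = 1) -> bool:
    """Accept the current time step plus `drift` steps on either side to tolerate clock skew."""
    current = int(now // step)
    for period in range(current - drift, current + drift + 1):
        if period >= 0 and hmac.compare_digest(hotp(secret, period), code):
            return True
    return False


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(DEMO_SECRET, 0))  # RFC 4226 vector: 755224
    print("TOTP at t=59s:", totp(DEMO_SECRET, 59))  # RFC 6238 vector, 6 digits: 287082
    print("resync after 3 unused codes ->", verify_hotp(DEMO_SECRET, 0, hotp(DEMO_SECRET, 3)))
```

A code beyond the look-ahead window, or one at a counter the server has already passed, is rejected, which is exactly the trade-off between resynchronization and replay protection the text describes.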
Taking identification another step further is PKI, or Public Key Infrastructure. Curiously, it was designed all the way back in 1988. This concept uses public key cryptography to authenticate users. Essentially, a digital certificate is issued to confirm the identity of a user as a result of a KYC process. This certificate carries the public key, while a private key that only the user knows is issued alongside it. This private key does not have to be stored online. The only instance where PKI can be worked around is if the user is held in physical captivity and tortured to disclose the private key.
An example of a company that has successfully implemented PKI in public service is StartSSL.
HOTP, TOTP, and PKI are already used by select companies at the present time, but we are far from seeing them implemented on a large scale. This is especially true of PKI, despite it being the oldest of the three and offering the highest degree of protection. Nevertheless, broad implementation of these practices is an essential step in protecting user identity on the web.
Challenges of integration of advanced authentication processes
The next logical step for the market is to embrace the more advanced authentication technologies; after all, protection of clients’ data and assets is of the utmost importance. And yet, there are still a lot of companies that use old-fashioned 2-factor authentication. Even some of the top banks still do this! What is it that prevents us from moving on and adopting better security practices?
The answer to this question is not as simple as it might seem. Companies have to keep in mind what user base they are targeting, and for many industries, such as banking, the introduction of additional complicated concepts like private and public keys can easily confuse clients and potentially lead to more lost accounts than 2-factor authentication would to begin with.
Even more critical than the technological literacy of the target audience are general security practices. KYC makes it possible to identify users and plays a big role in PKI systems. Yet questions arise: How is the KYC performed? How is the data stored? Do administrators have access to the databases? Who oversees the administrators? Who oversees the overseers? Some highly regulated businesses have these points worked out and written into industry standards like PCI DSS in card processing, but that is only a drop in the ocean.
What’s more, even though the private key cannot be deciphered or stolen, it is still possible to trick a user into giving up the information needed for authentication through social engineering, for example by forging official emails of the company or by posing as one of its representatives, which once again brings us back to the best practices of security.
The question is: how many fewer accounts would have been compromised if everybody had used long passwords that are hard to crack? You see, it’s all in the head.
In the end, the best practices of authentication are being implemented in the market as companies and users become aware of their importance and learn how to use this new technology. If we don’t pay close attention to how we store and use sensitive information like passwords and logins and care about the safety of our own data, no technological revolution can help us protect our own data.
That being said, if we want to protect our digital identities in the most robust way, we have to look in the direction of implementing PKI solutions. But even PKI has its problems and weaknesses. The real revolution in authentication lies with PKI infrastructures built on top of… the blockchain technology.