Identity and Authentication Seek a New Paradigm
The secret word is out and crypto is in as government and commercial experts lay the groundwork for the next generation of identity proving and authentication. Passwords are being abandoned in favor of a range of new methods that are more secure and, in some cases, more user friendly.
Biometrics are just part of the solution. They have been paired with public key cryptography in preliminary efforts. Ultimately, the solution may emerge from an entirely new concept of identity that applies across a broad spectrum of applications.
“Authentication is getting easier, and identity proving is getting harder,” says Jeremy Grant, managing director of technology business strategy at Venable. “As much as passwords are still a scourge on society and lead to all sorts of bad events … the real frontier these days, in terms of where more work is needed, is on identity proving.”
The move to the cloud has increased the importance of identity, Grant notes. Reliance on shared computing resources weakens traditional perimeter defenses, which in turn requires robust identity systems that focus on both the device and the user.
Identity management comprises two disciplines. One is to safeguard information resources and data, while the other is to provide security to customers. While both overlap to some degree, they have different aspects.
Grant notes that authentication is merely a password/login problem, whereas identity is much more complex in determining who the user is. Over the past few years, identity proving has gotten much harder while authentication has become much easier. Industry has developed ways of going beyond passwords, and this has improved authentication fidelity, he relates.
“Passwords don’t have any security value,” Grant states. “The idea that there is such a thing as a strong password is outdated. The evidence shows it year after year—more than 80 percent of breaches and other security incidents are tied to people exploiting all the different weaknesses of passwords.”
He continues that even a 64-character password will not keep out interlopers who exploit inadequate authentication. “Most of the time, they’ll just trick you into a phishing attack where you type the whole [password] in, and then they’ve captured it,” he points out.
The problem is less a matter of customer negligence and more a matter of password vulnerability, Grant says. Even making passwords longer and more complex will not solve the problem, and he states that this approach “is an absolute fallacy. Most attacks these days don’t take advantage of the fact that somebody is going to guess or brute-force your password—in fact, that almost never happens,” he declares. “Instead, [attacks] rely on the fact that you can be phished.” People increasingly fall prey to imitation emails that lure them to log into false sites and trick them into giving up their passwords.
“There have been so many billions of passwords that have been stolen in breaches, and because people tend to reuse passwords across different accounts, you have attacks that are called credential stuffing,” Grant continues. Hacker tool kits include hundreds of millions of passwords that can be leveraged on legitimate sites. He says that Microsoft observed 10 million attacks a day on its Azure cloud two years ago. Now, its identity services are hit by 300 million attacks a day—a 30-fold increase. “We’re giving consumers absolutely the wrong information” by advising them to generate more complex passwords, he maintains.
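As an added illustration of the credential-stuffing pattern Grant describes (example code written for this page, not code from the article or from any vendor it names), the Go program below runs a simple detection rule over a constructed authentication log. One source address trying many different usernames and mostly failing is the signature of a stolen password list being replayed against a legitimate site; a single account hammered repeatedly is a different pattern (brute force) and is deliberately left to a per-account rule. The log format, the addresses (RFC 5737 documentation ranges) and the thresholds are assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// LoginEvent is one parsed line of the constructed auth log below.
type LoginEvent struct {
	Time, IP, User, Outcome string
}

// sampleLog is constructed for this example (RFC 5737 documentation addresses),
// not taken from any real system. Format: "<time> <src_ip> <user> <OK|FAIL>".
const sampleLog = `08:00:01 192.0.2.10 alice OK
08:00:04 203.0.113.5 alice FAIL
08:00:05 203.0.113.5 bob FAIL
08:00:05 203.0.113.5 carol FAIL
08:00:06 203.0.113.5 dave FAIL
08:00:06 203.0.113.5 erin FAIL
08:00:07 203.0.113.5 frank OK
08:00:10 198.51.100.9 alice FAIL
08:00:11 198.51.100.9 alice FAIL
08:00:12 198.51.100.9 alice FAIL
08:00:13 198.51.100.9 alice FAIL
08:00:14 198.51.100.9 alice FAIL
08:00:20 192.0.2.11 bob FAIL
08:00:25 192.0.2.11 bob OK`

// ParseLog splits the log into events, skipping blank or malformed lines.
func ParseLog(log string) []LoginEvent {
	var events []LoginEvent
	for _, line := range strings.Split(log, "\n") {
		f := strings.Fields(line)
		if len(f) != 4 {
			continue
		}
		events = append(events, LoginEvent{Time: f[0], IP: f[1], User: f[2], Outcome: f[3]})
	}
	return events
}

// IPStats aggregates login attempts per source address.
type IPStats struct {
	Attempts, Failures int
	Users              map[string]bool // distinct usernames tried
}

// Aggregate builds per-IP statistics from the parsed events.
func Aggregate(events []LoginEvent) map[string]*IPStats {
	stats := map[string]*IPStats{}
	for _, e := range events {
		st := stats[e.IP]
		if st == nil {
			st = &IPStats{Users: map[string]bool{}}
			stats[e.IP] = st
		}
		st.Attempts++
		st.Users[e.User] = true
		if e.Outcome != "OK" {
			st.Failures++
		}
	}
	return stats
}

// DetectStuffing flags sources that try at least minUsers distinct accounts
// with a failure rate of at least minFailRate. A single account tried many
// times (brute force) does not match this rule and needs a per-account check.
func DetectStuffing(stats map[string]*IPStats, minUsers int, minFailRate float64) []string {
	var flagged []string
	for ip, st := range stats {
		rate := float64(st.Failures) / float64(st.Attempts)
		if len(st.Users) >= minUsers && rate >= minFailRate {
			flagged = append(flagged, ip)
		}
	}
	sort.Strings(flagged) // deterministic output for reporting
	return flagged
}

func main() {
	stats := Aggregate(ParseLog(sampleLog))
	for _, ip := range DetectStuffing(stats, 4, 0.8) {
		fmt.Printf("possible credential stuffing from %s: %d accounts tried, %d/%d failed\n",
			ip, len(stats[ip].Users), stats[ip].Failures, stats[ip].Attempts)
	}
}
```

On the sample data only 203.0.113.5 is flagged: it cycles through six different accounts and fails on five of them, while 198.51.100.9 fails just as often but against a single account. In practice the rule is run over a sliding time window rather than a whole file, and the occasional success inside a stuffing burst (frank above) is itself a signal worth alerting on, since it means a reused password has been found.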
Multifactor authentication is the choice to replace passwords, Grant avers. Until now, most first-generation multifactor authentication required something issued to customers on top of a password, such as a one-time token. That approach was met unfavorably by customers, who tended to opt for single-step authentication. Now, however, many systems have strong authentication built in at the device level. These are based on new standards created by the FIDO Alliance, for Fast Identity Online, and they have been embraced by firms such as Google and Microsoft. These firms have embedded FIDO authenticators in their devices that eliminate the need for passwords.
Grant explains that these built-in authenticators have two defining factors. One is a locally matched biometric that doesn’t leave the device but ensures that the holder is validated as the authorized user. The other factor is a cryptographic key stored in protected hardware.
Adoption of these new standards is growing on both the enterprise side and the consumer side, he continues. In government, the White House Office of Management and Budget issued a policy memorandum (M-19-17) that directs federal agencies to look at some of the new standards for more efficient multifactor authentication in lieu of legacy tools such as smart cards.
One issue facing consumer use of multifactor authentication is identity proving. A system must be assured that the person signing up for an account really is who they say they are, Grant notes.
“With authentication, the real issue is how you prevent scalable attacks,” Grant states. Major breaches over the past decade have illustrated how hundreds of millions of records were compromised by a single intrusion into a company’s databases. “If you are stealing hundreds of millions of passwords, that means you now have hundreds of millions of passwords you can use to [crack] other things with. The notion that shared secrets will stay secret is really just a fallacy,” he adds.
On the other hand, security experts can change the attack surface, so instead of having a large collection of shared secrets—passwords—access is granted to something the user has or is. “You replace something you know, that can’t be protected well and is going to be stolen, with something you have and something you are,” he explains.
This entails a certificate stored securely only on the user’s device, combined with a locally matched biometric, to serve as authenticators. A hacker must determine how to attack this combination and, if successful, that attack would only affect one device at a time. This could be achieved only with a much more resource-heavy attack that is much harder to execute, Grant points out. “You’re basically raising the cost of the attackers several times over, in terms of what it is going to cost to actually launch an attack to compromise an account,” he adds.
Federal government security has been complex and not user-friendly, Grant says. He speaks from experience, having worked on credentialing during the 1990s. The government issued a card, a separate reader—possibly biometric—that could interface with the card, along with middleware on the computing device to accept the card and manage its certificate. While it was secure, it wasn’t easy to deploy.
Today, these capabilities need not be deployed separately with a stand-alone unit. Smartphones and laptops now have multiple sensors that can capture and match biometrics securely onboard the device, and their internal protected hardware is the functional equivalent of a smart card chip. “What used to be something that is bolted on is now built in,” he says.
With this single-gesture authentication, a user can log in by taking a selfie for face identification or offering a fingerprint. Either will unlock a cryptographic certificate stored securely in the device that works behind the scenes to log in the user. “You’re giving people security that, compared to entering a password into their device, is exponentially more secure with the user experience much simpler,” Grant declares.
FIDO’s approach pairs a biometric/touch identification with unlocking a cryptographic key that can be used to log into a financial account. A user on a smartphone who logs into a commercial bank account is using FIDO authentication by unlocking a specific cryptographic key that is securely stored within the phone and is unique to the bank, Grant explains.
“You may think you are doing it just with a biometric, but in fact, what really logs you in is a cryptographic key that ties to something that [the institution] has,” he adds.
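To make the model in the preceding paragraphs concrete, here is an added Go sketch of the key-per-relying-party design (example code written for this page, not FIDO Alliance or vendor code): the device keeps a private key for each origin it has registered with, signs a fresh server challenge only after a local biometric match, and the bank stores nothing but public keys. It then walks through why a phishing page, a replayed signature and a device without its holder all fail. The origin names (bank.example and a lookalike), the boolean standing in for the biometric match, and the simplified signed-data layout are assumptions; in real WebAuthn the browser enforces the origin/rpId binding and the signature covers authenticatorData plus a hash of the client data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the protected hardware in the user's device. Private
// keys are minted per relying party and never leave this struct; the local
// biometric match is modelled as a boolean gate on each assertion (assumption).
type Authenticator struct {
	keys map[string]ed25519.PrivateKey // origin -> private key
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]ed25519.PrivateKey{}}
}

// Register creates a fresh key pair bound to one origin and hands out only the public half.
func (a *Authenticator) Register(origin string) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[origin] = priv
	return pub, nil
}

// Assert signs a server challenge for the origin the browser is actually on.
// A phishing page lives on a different origin, so no key is found for it.
func (a *Authenticator) Assert(origin string, challenge []byte, biometricMatched bool) ([]byte, error) {
	if !biometricMatched {
		return nil, errors.New("local user verification failed")
	}
	priv, ok := a.keys[origin]
	if !ok {
		return nil, errors.New("no credential registered for " + origin)
	}
	return ed25519.Sign(priv, signedData(origin, challenge)), nil
}

// signedData binds each signature to the origin and the one-time challenge
// (a simplification of WebAuthn's authenticatorData || SHA-256(clientDataJSON)).
func signedData(origin string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write(challenge)
	return h.Sum(nil)
}

// RelyingParty (the bank) stores only public keys: a breach of this table
// gives an attacker nothing that can be replayed or stuffed elsewhere.
type RelyingParty struct {
	Origin string
	pubs   map[string]ed25519.PublicKey // user -> public key
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{Origin: origin, pubs: map[string]ed25519.PublicKey{}}
}

// NewChallenge returns 32 fresh random bytes; every login gets its own.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return c, nil
}

func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.pubs[user]
	return ok && ed25519.Verify(pub, signedData(rp.Origin, challenge), sig)
}

// Outcome records whether each scenario in Demo produced an accepted login.
type Outcome struct {
	LegitimateLogin, PhishedOrigin, ReplayedSig, NoBiometric bool
}

// Demo registers one user and exercises the four scenarios described above.
func Demo() (Outcome, error) {
	var out Outcome
	bank, dev := NewRelyingParty("bank.example"), NewAuthenticator()
	pub, err := dev.Register(bank.Origin)
	if err != nil {
		return out, err
	}
	bank.pubs["alice"] = pub

	c1, err := bank.NewChallenge()
	if err != nil {
		return out, err
	}
	sig, err := dev.Assert("bank.example", c1, true) // biometric matched, real origin
	if err != nil {
		return out, err
	}
	out.LegitimateLogin = bank.Verify("alice", c1, sig)

	// Phishing: the real challenge is relayed, but the browser is on a lookalike origin.
	_, err = dev.Assert("bank-example.net", c1, true)
	out.PhishedOrigin = err == nil

	// Replay: the attacker captured sig, but the bank issues a new challenge each time.
	c2, err := bank.NewChallenge()
	if err != nil {
		return out, err
	}
	out.ReplayedSig = bank.Verify("alice", c2, sig)

	// Lost device: without the local biometric match nothing is signed.
	_, err = dev.Assert("bank.example", c2, false)
	out.NoBiometric = err == nil
	return out, nil
}

func main() {
	out, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

Only the legitimate login verifies. Note that the private key is never read out of the Authenticator and the bank's table holds public keys only, which is the property Grant is pointing at: compromising one account means attacking one device, not harvesting a shared-secret database.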
However, one key element must be addressed successfully for identification and authentication to work effectively. When an individual applies for an account, that person’s identity must be verified. For government functions, a lapse could be critical. Someone who establishes an online Social Security account using someone else’s number owns that account until the proper user can prove otherwise. Even with existing checks and backups, that can prove difficult, Grant points out.
“The way we have been trying to do remote identity proofing through the use of knowledge-based systems has not been working,” he states. “The attackers have caught up with them, so what we really need is to get to something better. That’s a real challenge in the industry right now.”
Where industry largely has been responsible for authentication advances until now, it must team with government to solve this problem, Grant avers. He says one drawback to this approach is the lack of government digital identity systems. Some reluctance comes from opposition to a government identification card, but many such cards already exist: Social Security cards, driver’s licenses and passports, for example.
However, these cards are throwbacks to the paper/plastic era, he charges. For example, a driver’s license may be all that is necessary for a customer to walk into a bank and open an account. But that license doesn’t work in the online world, Grant points out. Knowledge-based verification systems emerged to address what he describes as an identity gap among different systems using varying media. But there is no one-size-fits-all identification system that can be used in person or online for different purposes or transactions.
One recommendation is to modernize identity systems so that individuals can ask an agency that knows about them to authoritatively vouch for their identity online. This in turn would provide a foundation for many types of high-value digital services not available today without in-person identity verification, Grant offers. He foresees significant transformation in this area over the next couple of years.