Monday, January 21, 2013

Next Gen Credentials and Security

The password system that dominates personal authentication is becoming more and more unwieldy. As users acquire more and more accounts on more and more computer systems, it is becoming less and less reasonable to expect them to choose unique passwords for each. Passwords can be forgotten, so systems designers build in reset mechanisms that can be socially engineered or otherwise exploited. Many users choose the same password for every system or at best choose from a small set of passwords. One crooked web-site could allow the attacker who administrates it access to all of a users accounts on other systems. An even bigger problem is that most users simple passwords that are vulnerable to dictionary attacks, rainbow tables, or other attacks.

Google is exploring the possibility of using hardware based authentication. The idea is that the user would wear a ring or have a key fob that could be used to authenticate with either the device or with the customer's online accounts or both. This is a promising approach. This isn't perfect, but it the seems to have fewer problems than any other approach that I have seen.

In addition to passwords, most banks use a second authentication system whereby users re-verify via a non-password mechanism. Users must type in a one-time use code that is sent to a separate account. They are required to re-authenticate this way every the user tries to log in using time a new device or account (or whenever cookies are cleared).

Biometrics seemed promising, but the credentials (fingerprint, retinal pattern, etc) can't be changed. If an attacker cracks the encryption and steals the signature, he or she can log into your account for life. It might be a pain to replace an authentication ring but it is possible.

Another approach suggested by Turing Award winner and CAPTCHA inventor Manuel Blum was to use a "hard" function (computationally intensive to invert) to compute a password. The user could use a simple single password along with the site name as an input. The password would then be computed automatically. One problem with this approach (and a MAJOR pet peeve of mine) is that different sites have different password restrictions. Can't we agree on a standard set and move on? Or at least post them next to the login screen to hint to users what password they might have chosen.

Another problem with Blum's approach is that it would require a hardware device as well as manual input of data. Although it could be implemented in software, it would then be vulnerable to any trojans that had gained access to the user's system. According to Kerpersky, these trojans are the second most prominent threat next to malicious urls (many of which attempt to install trojans). A naive implementation of the hardware authentication token might be vulnerable to the same attack, but an active device could mitigate the threat by compute Blum's "hard" function (probably a cryptographic hash) in hardware. The software it interacts with could provide an "authentication domain" (my term) and the user could enter a simple PIN, a third unique code would then give the device a third auth component. Of course such a device would still be vulnerable to a Trojan that read the hashed inputs, but not if it was implemented in hardware and added the auth token directly using the network hardware.

Then an end user would only be as vulnerable as the network security in the many routes on the internet.

So what can we conclude? Information security is incredibly hard. There is no silver bullet, but the next generation of security will likely require some combination of hardware and software--biometrics may play a role also. A simple system is necessary, preferably a single sign-on system.

The logistics behind this advancement are daunting, but today's tech companies have made some incredibly impressive advances in the past twenty years. I believe that a consortium involving Google, Apple, and Intel could make it happen. Improved security would improve life for everyone save cyber-criminals.

No comments:

Post a Comment