Protecting digital IDs: does the past hold the answers to modern problems?
Authentication is one of those things that we have known how to improve for several decades, but for some reason, the industry never got to it. We have gone from simple and easily crackable solutions to secure and advanced and right back to simple and unreliable again. Let’s explore some of the most popular authentication methods out there, why authentication is necessary and how digital identity will be protected in the future.
What is authentication and why do we need it?
Authentication is a process that allows establishing the identity of a user to make sure that unauthorized parties do not gain access to private information. Authentication is especially crucial in the fintech industry, where accounts usually protect valuable assets of the users.
As technologies develop we get used to entrusting sensitive data to web applications without thinking how secure they are. Too often this puts our data or even our hard earned money at risk. So what authentication methods out there and which ones you can trust?
Password/login pairs and 2-FA
Passwords and logins are merely text strings that are used to identify a web application visitor when he or she logins to closed sections of the website. They are created on a client side by the user. The access to the site is granted if a login is provided with a corresponding password.
This is a straightforward and convenient authentication method. A login is usually your nickname, phone number or email while a password can be something like “qwerty” or “12345” or “iamboss” or perhaps your birth date. And, this is where troubles begin.
First of all, however difficult it might seem, it’s quite possible to forget even passwords as simple as “14.10.1970”, which in turn means losing access to your accounts. As Alexander Pope said, “To err is human.” Then, even if you can remember your birthday date it does not mean your digital ID is safe.
The problem with passwords is that they are generated on the client side, and when encryption is made in the browser, it is likely that a hacker can catch the request to the server as it is made and apply the retrieved hash to imitate usage of password or even crack it.
What’s more, some services don’t even encrypt your passwords at all! They are held in databases as plain readable text, right next to your logins and other account data, allowing an administrator to gain access to any account he or she chooses.
To add one more layer of protection to your data 2-factor authentication is utilized. It adds an extra step to the authentication process, making it more clunky but also more secure. As a part of 2-FA, a user is required to enter a one time password that is generated on the server and sent over to the user via e-mail or an SMS message. Sounds pretty secure right? In theory, now not only your account details need to be compromised for a hacker to get access to your account, but also your e-mail or your cell phone.
Well, not really. The problem is that the code is typically transmitted via open channels that can be cracked. When the pin is generated and sent from the company’s server and when your the server of your network provider processes it, your data is the least shielded.
To battle this problem HOTP was created. IT is a variety of a 2-factor authentication that uses an encrypted shared secret which is deposited on provider’s server as well as on a hardware or software token that belongs to the user. This token can then generate a one-time code that is sent to the server for validation, thus removing the need to transmit data over open protocols such as HTTP or SMTP or mobile networks. However, there is still a vulnerable side to this method: a potential desynchronization of sequence counter on the server and the user’s device.
Several of the large banks and corporations like InteractiveBrokers, and NBG apply this approach to protect digital IDs of their clients, so it’s reasonably reliable. But not all the way. As long as the user’s device has to interact with the server, there are possibilities for a hacker to intercept the code.
To get rid of the vulnerabilities of HOTP companies developed something called TOTP. I know, I know, those names might seem silly, but the security measures TOTP brings to the table are pretty serious. Just like HOTP, it uses a shared secret to create one-time code, but it ads a current timestamp that is held on the users’ device and the server. Like this, two entirely isolated devices can produce a matching code.
Even though select companies presently utilize TOTP, this approach is still relatively rare on the market. The most innovative companies are slowly working on globally adapting it. Thus, TOTP powered applications will become more common as time goes by. Some crypto-exchanges such as Exscudo and Kraken already use TOTP.
Even though TOTP is a very secure authentication option, it is still crackable. If we want authentication to be completely trouble proof, the industry must adopt something called PKI, or private keys infrastructure. This approach utilizes cryptography ( a science of confidential communication in the presence of third parties, as described by Wikipedia ) and KYC to issue digital certificates that are used as public keys and are associated with particular users. At the same time, a private key that only the user knows is created. This private key does not have to be stored online and it is mathematically protected with cryptography. The only case where PKI can be worked around is if the user is held in physical captivity and tortured to disclose the private key. An example of a company that has successfully implemented PKI in a public service is StartSSL.
Corusilly, the concept of PKI was first introduced decades ago, but it still the most secure and the least common authentication practice. Arguably the reason for this is that PKI revolves around cryptography and such complicated things like Private and Public keys simply confuse everyday users. It’s not a matter of technological complexity but rather technical literacy of everyday people.
And that’s the main problem that the industry is facing right now. The truth is, that every existing authentication method can be cracked, no matter how technically sophisticated and scientifically advanced it is. The weak link is not in the technology – it’s in our heads. Unless we start taking authentication seriously, account losses will always remain a reality. Even PKI can be worked around through clever social engineering. Or torture for that matter.
In the future, we will see companies globally utilizing TOTP and PKI technology to protect digital IDs of their users, but education about the best practices of sensitive information handling is equally as important. Hopefully, soon corporations will not only start utilizing more secure technologies but also begin educating users about what to do to keep their accounts safe.
By Alex Sitnikov, CTO of Exscudo