December 19, 2018
Authentication is used to provide selective access to sensitive information and essentially prove that you are, in fact, well… You! This is especially crucial in the financial market where authentication serves as the main barrier that prevents funds from being stolen.
A 2018 Experian study found that almost three-quarters of businesses (72%) cite fraud as a growing concern over the past 12 months and nearly two-thirds (63%) report the same or higher levels of fraudulent losses over that same period. In 2017, the number of data records compromised in publicly disclosed data breaches surpassed 2.5 billion – up 88% from 2016.
Identity theft is still the number one type of data breach: identity theft accounted for 69% of all data breach incidents in 2017. Over 600 million records were impacted, resulting in a 73% increase from 2016.
Today, different authentication technologies offer a variable degree of security, and new methods are being implemented continuously to prevent digital identity theft. In this article, we are going to look at the most common authentication methods and dive into more sophisticated technology to see how authentication will be done in the future.
Most websites and online applications today employ one of the two most popular approaches:
Login-password pair combined with 2FA
Let’s look at the login-password pair first. We all use them, probably multiple times every day. So, why are they the least secure option? To begin with, you can lose access even without any malicious third party being involved: misplace the piece of paper you wrote them on, or delete the file where you saved your login-password pair, and you can say goodbye to your data.
Now, if a third party decides to crack your account, this is where the real fun begins. For starters, passwords are typically collected in centralized storage (many in non-encrypted form). This allows an administrator to enter any personal account whenever he or she desires.
And if that wasn’t enough, when the password is hashed in the browser, an attacker who intercepts the request to the server as it is made can likely use the captured hash in place of the password, or even try to crack it.
What can you do to protect your data? Don’t keep your login/password pairs on your computer, and especially not in your mailbox; that is the easiest place for a hacker to reach. That’s why programmers never hold sensitive data in a digital medium. They would rather use a piece of paper or another analog medium.
2FA is used to add another layer of protection. It requires the user to enter a one-time PIN during login, which is usually sent by SMS or e-mail. Now, in theory, even if a third party got their hands on your login information, they would also need to have possession of your email account or phone.
However, the problem with this approach is that the login ID and password remain defenseless, and the one-time code is almost always sent over open channels. The code is created on the company’s server and passes through your network provider’s servers on its way to your device; your information is least protected while it is in transit.
To make authentication more fail-proof, companies implement HMAC-based one-time passwords (HOTP) or time-based one-time passwords (TOTP). Of the two, HOTP is a little less secure. It uses a shared secret that is deposited on the provider’s server and on a software or hardware token that the user carries. The user’s token generates an OTP and submits it to the server for validation, eliminating the need to transfer the code over unprotected, exposed channels such as HTTP, SMTP or the mobile network.
The weak point of this scheme is that the event counter on the server and the counter on the user’s token can drift out of sync.
Some major banks and companies like InteractiveBrokers and NBG use this method to secure the digital identity of their customers, so it’s fairly reliable. But not 100%. There is still communication between the user’s device and the server, and that’s the weak link in the design.
TOTP gets rid of it. Just like HOTP, it uses a shared secret to generate a one-time PIN, but instead of a counter it uses the current timestamp, which is available on both the user’s device and the server. This way, two isolated devices can produce a matching code.
Some modern companies use this approach, but it’s still not very common. TOTP is slowly being adopted globally by the most innovative corporations and will become more prevalent in the future. If a company tells you that they use TOTP, you can be sure that they have sound security. Among the companies that use TOTP are Kraken, Microsoft, and Facebook.
Now, to reach extreme levels of security, we need to look at PKI. Interestingly, it is the oldest security method described here; at the same time, it is the most robust and the most rarely implemented.
PKI stands for Private Key Infrastructure. It uses cryptography and a KYC-issued digital certificate that serves as the public key, while a private key that only the user knows is created at the same time. This private key does not have to be stored online. The only case where PKI can be worked around is if the user is held in physical captivity and tortured into disclosing the private key. Some examples of companies that have successfully implemented PKI in public service are Danske Bank, the European System of Central Banks (ESCB), Lloyds Bank, and StartSSL.
On the other hand, 2FA security is being enhanced by upgrading HOTP and TOTP to the much more modern and secure Universal 2nd Factor (U2F) method, which is based on PKI and asymmetric cryptography and was presented in December 2014. The big advantage of U2F is that it can be implemented in software as well as in hardware, such as USB keys. A typical example of a U2F hardware solution used for blockchain and website authentication is the Trezor hardware key.
If you look at all of the authentication methods described above, something interesting starts becoming apparent. The most secure and least implemented authentication method is also the oldest. Could it be that the future of authentication lies in the past? If this technology has been known to us for some time, why is it not broadly implemented yet?
Well, the truth is, any authentication method is useless unless people take security seriously. Even PKI: if the private key is stored in a digital file, it can easily be compromised.
However, as we move further into the digital age, people are beginning to understand how important it is to handle sensitive data carefully. In 2017, accidental loss, including improper disposal of records, misconfigured databases, and other unintended security lapses, caused 1.9 billion records to be exposed, a dramatic 580% increase in the number of compromised records compared with 2016.
On the other hand, companies are reworking their own security practices and the world is slowly getting ready to use authentication methods like TOTP and PKI globally while making simple login-password pairs a thing of the past.