A shorter version of this article originally appeared in Infosecurity Magazine.
The world has a huge authentication problem, namely, that we’re utterly terrible at authentication. In 2016 alone, 3 billion passwords were stolen. Credit card fraud is showing hockey stick growth with estimates that annual damages will reach $32 billion by 2019, and the overall cost of cybercrime to humanity is growing from $3 trillion in 2015 to $6 trillion by 2021.
When you think of authentication as the ritual of proving one’s identity, it becomes pretty clear that every ounce of pain experienced by the billions of people who had an online account compromised last year or a fraudulent charge appear on their credit card was the result of someone who was able to impersonate their identity to a merchant or a website. In other words, the ritual of authentication failed in every one of those instances.
Humans have been using artifacts to prove their identity for thousands of years. The oldest lock and key system dates back 6,000 years and the oldest signet ring dates back 2,500 years. We’ve even had ciphers and cryptography since the times of the Spartans, who wrote messages on papyrus wrapped vertically around a staff and then unwrapped them for delivery. The papyrus had to be wrapped around a staff of equal diameter in order to accurately read the message. Considering how long we’ve been doing this authentication thing, it’s astonishing that we‘re continually getting worse at it.
The reason we’re so bad at authentication is that we’ve built a number of deeply ingrained habits around the use of shared secrets as a method of authentication. A shared secret is just something that’s known to both you and the service you’re authenticating into. You present the secret to the service, and if it matches what the service has stored, then you’re in. Examples include passwords, pin codes, credit card numbers, account numbers, social security numbers, etc. They’re everywhere.
There are a number of problems with shared secrets. The first is that they are, by definition, not unique. I know my credit card number and my credit card company obviously does too, so that means two parties know it. If two parties know it, then three parties can know it too and this is where shared secrets begin to unravel as a trustworthy authentication tool. If something can be duplicated then how can I trust its authenticity when it’s presented to me?
The second problem with shared secrets is that they create treasure troves of centrally stored user credentials. Hack one merchant and get millions of credit card numbers. Hack one website and get millions of passwords. If that’s not attractive to a cyber-criminal, then I don’t know what is. Shared secrets may have worked in the analog days of keys and checkbooks, but in a digital world where most services are accessed remotely, shared secrets are a completely unsustainable method of authentication.
There is an alternative to shared secrets; a better way to do authentication. But to understand our options, their limitations, and what we need to do to rid the world of identity fraud, we need to dig a little deeper into the art of authentication.
Factors of Authentication
There are essentially three ways to prove who you are and they’re called the three factors of authentication:
- Knowledge Factor: something that you know — password, pin code, account number, etc.
- Possession Factor: something that you have — physical key, car fob, credit card, USB token, etc.
- Inherence Factor: something that you are — fingerprint, retina, voice, etc.
Knowledge factors are the worst because they’re all shared secrets. We’re not that good at remembering things, so we tend to reuse passwords and pin codes a lot. Let’s face it, we have hundreds of online accounts and we’re not going to memorize a unique, new password every time we sign up for a website. As a result, when a major website like Yahoo gets hacked and over 1 billion passwords get leaked, you can either spend your day changing your password on every single website you use or just accept that, like everyone else, you’ll eventually be hacked.
Credit cards are shared secrets too. They may masquerade as possession factors, but 16 digits printed on a plastic card is no different than writing your password down on a post-it (which, 40% of us apparently do). When a merchant like Target gets hacked and 40 million credit card numbers get leaked, all those cards need to be reissued or fraud ensues. And the keys in your pocket aren’t any different; just a pin code written down on a piece of metal. I can copy it in under a second with my cell phone camera.
Inherence factors like fingerprints are tricky too because they’re actually just very complex shared secrets that are printed on your body instead of a piece of plastic or metal. You can think of your fingerprint as a very intricate password. Except, unlike a password, you can never change it and you only get 10 of them. You can see why no one would even imagine storing inherence factors on a server as a way to log you into a website. When you register your fingerprint on your smartphone, without fail, it’s always stored locally on the device and only used to authenticate you into the device. If we can’t store them remotely, then we can’t really use them as the primary way we authenticate into remote services like websites and credit card processing networks.
Five Attributes of a Good Authentication System
So where does that leave us? It turns out, modern day technology and a confluence of breakthroughs have given us the resources we need to put a stop to identity fraud. But to design a system that is both secure and usable requires:
1 - Uniqueness
The Achilles heel of shared secrets is their lack of uniqueness. Since passwords and credit card numbers can be duplicated, how can you really know who’s in possession of them? The most important thing to get right is uniqueness. Knowledge and inherence factors are always shared secrets, which means they can be duplicated and they lack certainty of uniqueness.
What about the possession factor? If we could fashion a physical token that was truly unique and couldn’t be duplicated, then having possession of this token would serve as a very strong authentication factor. Just that first step would eradicate cybercrime since you’d need to physically steal this token in order to use it (we’ll get to fixing that in a bit).
It seems far-fetched that such a magic stone can be concocted. After all, people are able to forge money! How much better can we do? It turns out, much better. Creating a unique physical token isn’t that hard. It takes just two pieces of technology: asymmetric cryptography and secure elements.
- Asymmetric cryptography is a method of authentication that’s better than shared secrets in virtually every way. You start by generating a pair of cryptographic keys known as the public key and the private key. You never give the private key to anyone. You give the public key to the service you want to authenticate into so it can be associated with your account. Whenever the service needs you to log in or approve a transaction, it generates a random string of characters called a challenge and sends it to you. You perform a cryptographic operation called signing the challenge with your private key and send back the signed response. The service uses your public key to verify that the challenge it sent was indeed signed by your private key and then it logs you in to your account. The difference between this approach and typing a password can’t be overstated. Your private key never gets sent to the service the way a password does. The public key can’t be used to sign a challenge. It can only be used to verify that a signature was made by the corresponding private key, which means no more treasure troves of centrally stored user credentials. Since the challenge is random every time, the response is different every time. If someone is able to intercept you typing your password, they can use it to log in as you. If they intercept a challenge/response ritual, they can’t use it to do anything since the challenge will be different next time. This technology isn’t even cutting edge. You already use it every time you load an HTTPS website, tap an HID access card, or dip a credit card into a chip reader.
- But what if someone steals the private key? Sure, it doesn’t get sent during the ritual of authentication, but what if someone hacks me and steals it? That’s all 100% valid. The above model only works if you can truly be certain that the private key never leaves the device it was first generated on. Otherwise, you can’t trust that device’s uniqueness. It turns out, this is also a well solved problem. A secure element is a microprocessor that’s hardened and sandboxed. It’s hardened in the sense that it’s designed to be tamper resistant to the point where it can even destroy the private keys it hold if it senses that someone is tampering with it. It’s sandboxed, in the sense that each applet lives in its own space and can’t be touched by other applets. This allows multiple use cases to live on one secure element. You use this technology every day as well. The chip in your credit card is a secure element. The chip in your iPhone that enables Apple Pay is a secure element. Even the SIM card inside your phone is a secure element.
By combining asymmetric cryptography as the authentication method and secure elements as the authentication hardware, you can create a truly unique physical token that can always be trusted when performing authentication. Now the question is, who’s holding the token?
2 - Two Factor Authentication
Getting this far is only half the battle. To be fair, it’s far more than half the battle since digital identity fraud becomes nearly impossible when a provably unique physical token is required for authentication. But that still leaves physical theft as an open attack vector. Some can simply steal or find this identity token and use it as if they were you.
This takes us back the the inherence factor. Biometrics may not be a good way to authenticate into remote services since we don’t want to store fingerprints on servers, but it’s the perfect way to authenticate into a local device, especially one that has a secure element, which can be used to securely store your biometric data.
It’s a daisy chain approach. First, you prove who you are to the authenticator and then the authenticator proves its uniqueness to the service you’re logging into. Simply put, it’s 2FA done right since it eliminates the most egregious attack vectors we face today in transitioning to a digital world.
3 - Easier than the Status Quo
If it’s so easy, why hasn’t it been done? Like most big problems, the solution is simple but it isn’t easy. It’s been tried. Apple Pay and Android Pay are shining examples of secure cryptographic transactions done with a secure element and protected by a second factor of authentication. But the adoption rates are less than 5% for both of them. What happened?
Ingrained habits happened. Most people report that they’re happy with their payment method and don’t see the benefit of switching to a smartphone for payments. We’ve been using keys, cards, and passwords long enough to make them habits and habits are hard to break. If someone offers us an alternative that isn’t easier, we shun it. Why wouldn’t we? We’re creatures of habit and we tend to choose the path of least resistance. That’s why most people don’t turn on 2FA on their web accounts. No one wants to go through the extra step of typing a 6 digit code on top of their password every time they log in.
We won’t get consumers to adopt better security for the sake of security. We won’t even be able to get them to adopt better security by giving them a comparable experience. In order to get people to change their behavior, you have to offer a simpler and easier experience or the conversation is a nonstarter. Given the fact that typing a password, swiping a card, or using a key takes just a few seconds, beating the status quo from a user experience standpoint is a daunting challenge.
The light at the end of the tunnel is miniaturization. The billions of dollars that have gone into making your cell phone smaller have resulted in secure elements, fingerprint sensors, accelerometers, and Bluetooth modules that are mind-blowingly small. They are finally small enough to fit into a wearable device and that’s a game changer when it comes to user experience. A wearable can create an authentication experience that’s significantly easier than the status quo in ways that a carried device like a phone can never replicate.
- A carried device will always need to be retrieved from a pocket or purse. When you mindlessly reach for your pocket at a checkout lane, you’ll reach for your wallet, not your phone. But a wearable doesn’t need to be retrieved. It’s always at hand. That eliminates a step.
- A carried device also doesn’t know who’s grabbing it so that fingerprint check has to happen for every transaction that you do. A wearable is smarter than that. It can detect when it’s been removed so you only need to prove the biometric second factor once when you put it on instead of every transaction. That eliminates another step.
4 - Intent Driven
The moment that you decide to log into a website or unlock a door is called intent. When you communicate that intent to an authenticator through a gesture, you perform the ritual of authentication and authorize it to sign one challenge with its private key. That’s intent driven authentication.
The alternative is passive authentication, where the physical proximity of an authenticator is enough to authorize an action; intent isn’t needed or captured. A car smart fob is an example passive authentication. If the fob is present, the doors will open and the car will start. The lack of intent in this authentication model allows car thieves to capture and amplify the fob’s passive signal in order to start your car and drive away with it.
We’re also seeing passive authentication in BLE smart locks. They try to figure out where you are so they can unlock when touched if you’re standing outside and remain locked if you’re standing inside. If you have a room that extends beyond the front door this detection gets unreliable since they’re trying to infer intent instead of capturing intent. They do this because capturing intent for a lock that’s meant to be opened with a smartphone would create an experience that’s too cumbersome for people to ditch their keys: unlock your phone, open the lock app, click unlock.
A good authentication system captures intent and performs one authentication for each authorizing gesture it receives. In our quest to create good authentication systems, it’s important not to sacrifice intent for the sake of usability.
5 - Aggregation
The last important attribute is aggregation. We all have to prove our identity many times throughout the day. We do it when we buy something, log in to a website, unlock our car, enter our home, ride the subway, or enter our office. Each of these is a totally different authentication experience and each one requires you to carry or memorize a unique identity artifact. This itself is a burden. In trying to change these deeply rooted authentication behaviors, the last element that will be needed is aggregation. Being able to create a consistent, natural authentication experience across all authentication touch points throughout your day will be the final tipping point that gets people to change their behavior in exchange for better authentication practices.
Your credit card issuer, your access card manufacturer, and the financial websites you log into all care deeply about your security. They’re all working to bring you secure cryptographic authentication, but you’ll need to bend a little on your habits for this to work. Your brain simply can’t do the calculations needed to best a computer at the authentication game so we need to leverage the technology we have, along with the simplest user experience we can conjure, to beat the criminals at this. There’s no way we’ll be using misspelled words, plastic cards, and metal cutouts to prove our identity 5–10 years from now.
This is the part where I go from scientific exploration to shameless plug for the company Melanie Shapiro and I are building with our awesome team! We’ve created the first authenticator that possesses all of the above attributes. It’s an identity ring called Token.
- Uniqueness: Token has an EAL5+ certified secure element that’s also certified by EMVCo, MasterCard, Visa, HID, and Microsoft for meeting the stringent security requirements of each of those platforms to store their credentials on our device.
- Continuous 2FA: Token has a fingerprint sensor so you have to scan your finger as you put it on to activate it. It also has an infrared proximity sensor that allows Token to detect when it’s removed from your finger so it can lock the secure element back up.
- Usability: Authentication is significantly easier than the status quo. All transactions require just a single authorizing gesture to perform them. Our UX bar is that authentication should take, at most, 1–2 seconds.
- Intent: Token uses simple gestures, inspired by natural movement, to capture intent. For BLE transactions like unlocking your car or logging into a website, just knock twice. For NFC transactions like credit cards, access cards, and house keys, just hold your hand over the reader.
- Aggregation: We’ve been working tirelessly to build partnerships so we can ensure that we have a solid ecosystem around our product. When Token ships, you will be able to use it to replace your credit cards, passwords, house keys, car keys, access cards and passwords. We’re working with companies like Mastercard, Microsoft, Visa, HID, and the FIDO Alliance to ensure compatibility across use cases. Token will be the only thing you need for universal access.
We’re eager to bring Token to the world as a first step to fixing the authentication problem and ending identity fraud. But we’re just as eager to push this conversation, right here, into the forefront of public discourse. With all the media coverage we’ve had about cyberattacks, we want to bring attention to the solutions that are possible so we work together to define good standards for authentication.