By Tim Moses, Senior Director of Advanced Security Technology, Entrust
2013 confirmed for us what many had long suspected about government surveillance — there’s not just surveillance by repressive regimes around the world, but also by of extremely well-resourced and well-positioned intelligence organizations in the “free world.” Other revelations have taken even the most cynical by surprise. Many who constantly monitor threats to privacy and civil liberty have expressed outrage at the breadth of these activities and the ineffectiveness of the oversight mechanisms intended to keep them in check.
The Internet has become indispensable in so many aspects of our lives, that living without it is now unthinkable to most companies and individuals in the developed world. Yet our confidence in the integrity and security of this essential resource has been shaken. Unless something is done to restore that confidence, many societal benefits of the digital age could be lost to us.
The threat landscape has changed; it now contains a threat agent with resources that, while not fully understood, clearly go beyond those contemplated by the designers of today’s information systems. Those resources are routinely deployed against dissenters, law-abiding citizens and friendly governments, and these recent revelations will inevitably bring about a change in their behavior. Many of the protocols that we routinely rely upon to secure our identities on-line are no match for such a threat.
Online identity authentication is a confused landscape of disparate schemes, necessitated by the fact that communication protocols have never been designed from the ground up with security and privacy as requirements. System designers are forced to resort to solutions assembled from a heterogeneous set of ill-fitting components.
So, what properties do we expect to see in an authentication ecosystem that can stand up to the new threat environment? It must have a verifiably trusted human interface, so that users can be certain that they are providing their private information to the correct process, and they can be assured that it will be treated securely throughout its lifetime in the system.
There must be no need for the recipient to handle or store any private user information associated with authentication of that user. Communications must be secured end-to-end, in order to prevent a man-in-the-middle attack. The authentication event must be strongly bound to the session or transaction that follows, in order to prevent session riding. False acceptance and false rejection rates must be acceptably low, in order to prevent impersonation attacks and make the authentication ceremony acceptable to the user. And authentication events must be unique, in order to prevent replay attacks.
Authentication mechanisms in common use today clearly fall short of this ideal. Techniques used to prevent users from choosing weak, long-life passwords just encourage password re-use, so that the security offered by every service provider reverts to the level of security offered by the least secure provider with whom the user shares the password.
OTP tokens don’t provide end-to-end security. Knowledge-based authentication relies on secrets that may be easily obtained by an adversary. Browsers can be easily subverted by malware and phishing attacks. Passwords reset over unsecured email can be exposed to system administrators.
Each of these techniques are protect against some adversaries, but none of them can withstand an attack from a determined nation state.
It may be decades before the situation is righted, but the process has started. Protocol designers are revising their threat models and stronger online identity schemes will emerge and achieve cross-platform adoption. The health of our digital economy depends upon it; not to mention the human rights of dissidents and the moral authority of the West to promote its values in countries where new governance models are sought.
About the AVISIAN Publishing Expert Panel
At the close of each year, AVISIAN Publishing’s editorial team selects a group of key leaders from various sectors of the ID technology market to serve as Expert Panelists. Each individual is asked to share his or her unique insight into what lies ahead. During the month of January, these panelist’s predictions are published at SecureIDNews.