In view of the increased attention on information security and the demand for strong authentication, ISR is starting a news column on strong authentication. We will select a number of relevant topics and aggregate news about what is happening in the industry. The digests are meant to be informative, but we also hope to present our own opinions and insights.
In our last post, A Revolution in Authentication, we pointed out that opening an office door with a physical smartcard or key is a seriously flawed authentication process, because it involves no identity verification at all: whoever holds the card gets in. We suggested that this could be solved with biometric authentication applications on smartphones, which are also easier to use.
In this post, we go into the details of the problems with password-based authentication, which most of us still use daily to authenticate to local networks and online accounts.
The current password-based authentication system has serious issues with accuracy, user experience, and confidentiality. First, a password as the only information presented to the system is neither sufficient nor accurate enough to establish the identity of an end user; biometric information is far more accurate in identifying the right person. Second, the user experience of a traditional ID-and-password system is far from satisfying. The user is burdened with memorizing multiple passwords for different services and, most likely, with renewing them regularly. Using biometric information for authentication frees the user from having to hold multiple passwords. Last but not least, ID-and-password authentication is inherently weak in confidentiality. The most confidential element in such a system is of course the password itself, and yet password breaches are reported almost every day. The reasons behind these breaches are mostly of two kinds: the first has to do with technological issues, the second with users not complying with administrative or IT policy.
Regarding the technological issues, vulnerabilities in IT systems and networks are the cause of many password breaches. In a typical ID/password-based authentication, the user recalls the password that matches the one stored by the service, types it in and submits it; the service takes the input and, if it matches what was set up and stored, lets the user log in and use the service. Passwords are commonly stored on the service side in a protected (hashed or encrypted) form rather than as plain text. This method has been the standard among internet services because it is simple and easy to understand for service providers and users alike.
However, things can go wrong all along this path. The user's PC could be compromised by a key logger or a memory overflow. When the password is transmitted over the internet, attackers could exploit network vulnerabilities to eavesdrop on it. Attackers can also break into the service's servers and obtain the ID/password files, which may be in plain text or only weakly protected. Anything that goes wrong at any of these points defeats the confidentiality of the whole scheme.
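To make the server-side step concrete, here is an added example (not code from the original post or from ISR) of the "does the input match what was stored" check, contrasting the weak plain-text storage the paragraph warns about with salted, iterated hashing, so that an attacker who obtains the stored file does not obtain the password itself. The function names, the iteration count and the sample password are constructed for this illustration.

```python
import hashlib
import hmac
import os

# Constructed parameters for this example; a real deployment tunes them.
ITERATIONS = 200_000
SALT_BYTES = 16


def register_plaintext(password: str) -> dict:
    """The weak practice the post warns about: the stored record IS the password."""
    return {"password": password}


def register(password: str) -> dict:
    """Server-side enrolment done properly: store a per-user random salt and a
    slow salted hash (PBKDF2-HMAC-SHA256), never the password itself."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify(record: dict, submitted: str) -> bool:
    """Server-side login check: recompute the hash from the submitted password and
    the stored salt, then compare in constant time to avoid timing leaks."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", submitted.encode(), salt, record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def leaked_record_reveals_password(record: dict, password: str) -> bool:
    """What an attacker who steals the stored file learns: True if the password
    itself is sitting in the record, False if only salt and hash are present."""
    return password in record.values()


if __name__ == "__main__":
    pw = "correct horse battery staple"          # constructed sample password
    weak = register_plaintext(pw)
    strong = register(pw)
    print(verify(strong, pw))                                  # True
    print(verify(strong, "wrong password"))                    # False
    print(leaked_record_reveals_password(weak, pw))            # True
    print(leaked_record_reveals_password(strong, pw))          # False
```

Note that this only addresses the server-side storage failure; a key logger on the user's PC or eavesdropping on the connection still captures the password before it ever reaches the service.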
Regarding the issues on the end user's side, a user who has to retain strong passwords for multiple services will most likely write them down on a note. Once he or she lets other people see the note, or loses it, the passwords to those services are compromised. This practice is common, but it poses a high risk to the confidentiality of ID/password-based authentication. The problems with accuracy, user experience, and confidentiality can all be addressed by implementing biometric authentication such as that based on the FIDO UAF protocol. In the next blog post, we will explain in detail how FIDO UAF authentication works and go through the technical details.