Thursday, March 28, 2024

A Sell-By Date for Passwords

Technical advances in identification and authentication are finally establishing an alternative to the alarmingly insecure username-password combo.

Owing to the increasing digitization of all areas of life, secure identification and authentication are becoming more and more important. In particular, sensitive operations such as payment transactions must be carried out with as little risk as possible, to protect retailers and consumers against the theft and misuse of valuable data.

While personal ID cards are recognized as a reliable identification medium in the analog world, the uncharted digital territory feels almost like the Wild West. In this world, the established combination of user name and password is comparatively insecure.

For clarity’s sake, let’s first talk a bit about identification and authentication. Many people use both terms synonymously, but they describe two different processes.

A Tedious Annoyance

Identification is when a person proves their identity to an authority or entity to which they were previously unknown. For many services this is done by conventional registration with an email address and password, which establishes only that the person controls that mailbox, not who they are.

For more sensitive applications, such as payment transactions or banking, on the other hand, there are more sophisticated identification processes, such as Postident and WebID. These use significantly more complex methods to check whether a person corresponds to the identity he or she claims to have.

Authentication, on the other hand, involves recognition. After users have identified themselves and registered, they must then log in. For this and all subsequent uses, they must be authenticated. The usual pairing of user name and password entered during the registration are typically used for this purpose.

However, this method has been the focus of criticism for years. Compared with other processes it is relatively insecure, particularly when the user’s email address doubles as the user name: the address is often known to a large group of people, so an attacker starts out already holding half of the credential. In addition, many customers consider password management a tedious annoyance.

As a result, instead of using complex letter and number combinations (ideally a different one for each portal), they often use an easily memorable code based on birth dates or family names, often comprising just a few characters, and reuse it across sites. Such passwords are easy to guess or crack, and a password stolen from one portal then opens the others.

While many companies, alliances, and even the government are working on solutions for secure identification and authentication, a standardized and generally accepted system has yet to be established. There are initiatives that exist or are emerging to try to ensure secure digital identification and authentication. Let’s explore these.

Guaranteed Authenticity

For some 20 years, public-key cryptography has allowed identification and authentication with an asymmetric key pair: a private key and a public key. The infrastructure built on it, described below, is a public-key infrastructure (PKI) and relies on a certification authority (CA). The CA verifies that a public key belongs to a given identity and issues a digital certificate attesting to that binding.

The key pair is usually generated on the user’s device or smart card. The private key always stays with the user, while the public counterpart, embedded in a certificate signed by the CA, is submitted to the service for which the user is registering.

For authentication, the service then sends the user a random challenge, which the user signs with the private key. Anyone holding the public key, the service included, can check that signature, but only the holder of the private key could have produced it. The challenge must be fresh for every login; otherwise a response captured once could simply be replayed.

The central security element of the public/private key infrastructure is therefore the private key. It is generated and kept only in a protected environment, for example a protected hardware area of an iPhone, and the corresponding public key is signed into a certificate by the certificate authority.

As with a Web site’s TLS (SSL) certificate, the certificate can be checked by any outsider, and for users it is generally issued for their email address. Signing with the private key provides authenticity and integrity of messages; encrypting to the recipient’s public key provides confidentiality. If the issuer of the certificate has checked and verified the identity of the user, the user can also use the key to sign documents.
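The certificate-plus-challenge flow described above, as an added example that is not part of the original article or any product it mentions. It uses Ed25519 from Go’s standard library; the certificate format is a deliberately minimal stand-in for X.509, and the user name, service and CA are hypothetical. It shows the three checks a service actually performs (trusted CA signature, fresh single-use challenge, signature under the certified key) and what happens on replay or with a key the CA never certified.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Certificate is a minimal stand-in for an X.509 certificate (hypothetical format):
// it binds a subject, here an e-mail address, to a public key and carries the CA's
// signature over both. The security property shown is the same as with real X.509.
type Certificate struct {
	Subject string
	PubKey  ed25519.PublicKey
	CASig   []byte
}

// tbs builds the "to-be-signed" bytes: length-prefixed subject followed by the key.
func tbs(subject string, pub ed25519.PublicKey) []byte {
	var buf bytes.Buffer
	binary.Write(&buf, binary.BigEndian, uint32(len(subject)))
	buf.WriteString(subject)
	buf.Write(pub)
	return buf.Bytes()
}

// Issue is the CA's job: after checking the applicant's identity out of band,
// it signs the binding between subject and public key.
func Issue(caPriv ed25519.PrivateKey, subject string, pub ed25519.PublicKey) Certificate {
	return Certificate{Subject: subject, PubKey: pub, CASig: ed25519.Sign(caPriv, tbs(subject, pub))}
}

// VerifyCert is what a service does with a presented certificate: check the CA's
// signature against the CA public key it already trusts.
func VerifyCert(caPub ed25519.PublicKey, c Certificate) bool {
	return ed25519.Verify(caPub, tbs(c.Subject, c.PubKey), c.CASig)
}

// Service holds the trust anchor plus the challenges it has issued but not yet consumed.
type Service struct {
	caPub       ed25519.PublicKey
	outstanding map[string]bool
}

// NewChallenge issues a fresh random nonce. Freshness is what makes a captured
// response useless to an attacker who replays it later.
func (s *Service) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.outstanding[string(c)] = true
	return c, nil
}

// Respond is the user's side: prove possession of the private key by signing the
// challenge. The private key itself never leaves the user's device.
func Respond(userPriv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(userPriv, challenge)
}

// Authenticate checks that (1) the certificate is signed by the trusted CA, (2) the
// challenge is one this service issued and has not been used, and (3) the signature
// verifies under the certified public key. Step 3 needs only the public key, so any
// outsider holding it could perform that check; only the private key can produce the signature.
func (s *Service) Authenticate(c Certificate, challenge, sig []byte) error {
	if !VerifyCert(s.caPub, c) {
		return errors.New("certificate not signed by trusted CA")
	}
	if !s.outstanding[string(challenge)] {
		return errors.New("unknown or already-used challenge (replay?)")
	}
	delete(s.outstanding, string(challenge)) // consumed whether or not the response verifies
	if !ed25519.Verify(c.PubKey, challenge, sig) {
		return errors.New("signature does not verify under certified key")
	}
	return nil
}

func main() {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	userPub, userPriv, _ := ed25519.GenerateKey(rand.Reader) // generated on the user's device
	cert := Issue(caPriv, "alice@example.com", userPub)      // hypothetical user
	svc := &Service{caPub: caPub, outstanding: map[string]bool{}}

	ch, _ := svc.NewChallenge()
	fmt.Println("login:", svc.Authenticate(cert, ch, Respond(userPriv, ch)))  // <nil>
	fmt.Println("replay:", svc.Authenticate(cert, ch, Respond(userPriv, ch))) // challenge already used
	_, rogue, _ := ed25519.GenerateKey(rand.Reader)
	ch2, _ := svc.NewChallenge()
	fmt.Println("wrong key:", svc.Authenticate(cert, ch2, Respond(rogue, ch2))) // signature fails
}
```

Note that the service never stores anything secret for the user: the CA public key and the set of open challenges are all it needs, which is why compromise of the service does not yield login credentials.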

With regard to hardware solutions for authentication, the point of sale is a special case. The card terminal holds a certificate issued by a PKI that is operated by the payment-service provider (PSP).

The card industry’s PCI P2PE (point-to-point encryption) standard guarantees that card data is encrypted inside the card terminal and travels in encrypted form all the way to the decryption endpoint, that is, directly from the POS to the payment-service provider, so the retailer’s own systems in between never handle it in clear.

The provider then decrypts the data in an environment that meets the PCI standards and forwards it to the acquiring bank. Retailers that deploy P2PE terminals thereby keep card data out of their own systems, which significantly reduces the scope of, and the effort for, their PCI certification.

The FIDO Solution

To reduce reliance on passwords, the FIDO Alliance is working on establishing open, license-free industry standards for global online authentication. The nonprofit organization was founded in 2012 by Agnitio, Infineon, Lenovo, Nok Nok Labs, PayPal, and Validity Sensors. It has published the standards U2F (Universal Second Factor) and UAF (Universal Authentication Framework), and, together with the W3C, the FIDO2 work that underlies the Web Authentication standard discussed below.

The first standard specifies a hardware-token-based second factor for two-factor authentication; the latter is a protocol for password-free authentication in which the user is verified locally on the device. Once a product is certified according to FIDO standards, the provider can mark it with the trademark-protected FIDO Certified logo.

As with the PKI solution, FIDO uses a pair comprising a public and a private key. However, no central entity is involved in creating or certifying the pair: it is generated and stored on the device, for example a smart phone, and a separate pair is created for each service, so the keys cannot be used to correlate a user across sites. Specifically, this takes place in the FIDO authenticator, a protected area of the phone (hardware-backed where the platform provides it). The authenticator supports various methods for user verification, which takes place every time the key is used, for example via biometric methods such as iris or fingerprint scans.

Almost all operating-system manufacturers offer suitable interfaces. Google integrates this from Android 6.0 (Marshmallow) onward and Apple from the iPhone 5s onward. Microsoft uses it for Windows Hello, launched in 2015. In all cases, the respective system manages the key pairs in a hardware-isolated area: a trusted execution environment (TEE) on Android, the Secure Enclave on iPhone, and the TPM, where present, for Windows Hello.

For Web services, FIDO is a convenient and secure option for authentication, which can be integrated easily using a FIDO server. With Web Authentication (WebAuthn), the W3C (the body for the standardization of Web technology) has adopted an authentication standard for Web browsers that connects to FIDO authenticators. It is already implemented in Microsoft Edge, Google Chrome, and Mozilla Firefox, and at the time of writing is being examined by Apple for Safari.

The standard enables password-free authentication in the browser. Users can log into Web sites using their fingerprint or via face recognition, and are thus no longer reliant on the comparatively insecure combination of user name and password. On smart phones and tablets, the API can use the platform’s fingerprint sensor (e.g., Touch ID) or face recognition (Windows Hello, Face ID). The biometric match happens on the device; only a signature leaves it, and the biometric data itself never does.

When used for e-commerce, the standard lets retailers offer their customers a biometric login from the first registration onward. As a result, users no longer have to worry about data theft if a hacker targets the database: the retailer stores only public keys, which cannot be used to log in, so there are no passwords or password hashes to be stolen. This also increases convenience, as customers can log in and make purchases with just their fingerprint.
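The WebAuthn login described in the preceding paragraphs (device-generated key, per-use user verification, and a server that holds only public keys), as an added example that is not part of the original article or of any FIDO or browser implementation. It models the relying-party side of the WebAuthn authentication ceremony in Go: the authenticator signs authenticatorData || SHA-256(clientDataJSON), and the server checks the challenge, the origin the browser recorded, the hash of the relying-party ID, the user-presence and user-verification flags, the signature counter and the signature. Ed25519 is used for brevity; production deployments mostly use ES256. The retailer’s domain, the phishing domain and all sample values are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

const (
	flagUP = 1 << 0 // user present
	flagUV = 1 << 2 // user verified (fingerprint, face or PIN checked by the authenticator)
)

// Authenticator models the FIDO authenticator on the user's device. The private key is
// generated here at registration and never leaves; a real one keeps it in a TEE or
// Secure Enclave and gates every use on local user verification.
type Authenticator struct {
	priv      ed25519.PrivateKey
	signCount uint32
}

// NewAuthenticator creates a credential and returns the only thing the server learns: the public key.
func NewAuthenticator() (*Authenticator, ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Authenticator{priv: priv}, pub
}

// clientData is the part of WebAuthn's CollectedClientData used here; the browser, not
// the Web page, fills in the origin, which is what makes the scheme phishing-resistant.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the relying party receives after navigator.credentials.get().
type Assertion struct {
	AuthData, ClientDataJSON, Signature []byte
}

// Get signs authenticatorData || SHA-256(clientDataJSON), as in WebAuthn. authenticatorData
// starts with SHA-256(rpId), so the signature is bound to the site the key was registered for.
func (a *Authenticator) Get(rpID, origin string, challenge []byte, userVerified bool) Assertion {
	a.signCount++
	rpHash := sha256.Sum256([]byte(rpID))
	flags := byte(flagUP)
	if userVerified {
		flags |= flagUV
	}
	var cnt [4]byte
	binary.BigEndian.PutUint32(cnt[:], a.signCount)
	authData := append(append(rpHash[:], flags), cnt[:]...)
	cd, _ := json.Marshal(clientData{"webauthn.get", base64.RawURLEncoding.EncodeToString(challenge), origin})
	cdHash := sha256.Sum256(cd)
	return Assertion{authData, cd, ed25519.Sign(a.priv, append(append([]byte{}, authData...), cdHash[:]...))}
}

// Credential is all the relying party stores per account: public key and last counter. No secret.
type Credential struct {
	PubKey    ed25519.PublicKey
	SignCount uint32
}

// VerifyAssertion performs the relying-party checks of the WebAuthn authentication ceremony
// covered here: ceremony type, challenge, origin, rpIdHash, flags, counter and signature.
func VerifyAssertion(cred *Credential, rpID, origin string, expectedChallenge []byte, as Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("wrong ceremony type")
	}
	if got, _ := base64.RawURLEncoding.DecodeString(cd.Challenge); !bytes.Equal(got, expectedChallenge) {
		return errors.New("challenge mismatch (stale assertion)")
	}
	if cd.Origin != origin {
		return errors.New("origin mismatch (assertion was made on another site, e.g. a phishing page)")
	}
	if len(as.AuthData) < 37 {
		return errors.New("authenticator data too short")
	}
	if rpHash := sha256.Sum256([]byte(rpID)); !bytes.Equal(as.AuthData[:32], rpHash[:]) {
		return errors.New("rpIdHash mismatch (key belongs to a different relying party)")
	}
	if flags := as.AuthData[32]; flags&flagUP == 0 || flags&flagUV == 0 {
		return errors.New("authenticator did not assert user presence and verification")
	}
	count := binary.BigEndian.Uint32(as.AuthData[33:37])
	if count <= cred.SignCount {
		return errors.New("signature counter did not advance (replay or cloned authenticator)")
	}
	cdHash := sha256.Sum256(as.ClientDataJSON)
	if !ed25519.Verify(cred.PubKey, append(append([]byte{}, as.AuthData...), cdHash[:]...), as.Signature) {
		return errors.New("bad signature")
	}
	cred.SignCount = count
	return nil
}

func main() {
	const rpID, origin = "shop.example", "https://shop.example" // hypothetical retailer
	auth, pub := NewAuthenticator()
	cred := &Credential{PubKey: pub} // all the retailer's database holds
	challenge := make([]byte, 32)
	rand.Read(challenge)
	good := auth.Get(rpID, origin, challenge, true)
	fmt.Println("login:", VerifyAssertion(cred, rpID, origin, challenge, good))  // <nil>
	fmt.Println("replay:", VerifyAssertion(cred, rpID, origin, challenge, good)) // counter did not advance
	fmt.Println("phish:", VerifyAssertion(cred, rpID, origin, challenge,
		auth.Get(rpID, "https://shop-example.evil", challenge, true))) // origin mismatch
}
```

The origin check is the part worth dwelling on: a look-alike site can get the user to touch the sensor, but the browser records the look-alike’s origin in clientDataJSON, the signature covers its hash, and the retailer rejects it. A dumped credential table gives an attacker nothing to log in with and nothing to crack.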

Key players in this model are identity brokers. They hold no identities themselves and thus do not carry out any authentications. Instead, they are aggregators that combine various small identity providers into one unit. They also provide services that build on digital identities.

This market is currently experiencing a gold-rush atmosphere. Dozens of companies and startups are working on establishing themselves as central logins for Internet services. These identity brokers advertise to end customers as well as retailers and service providers. It seems unlikely that one of these players will win the race alone.

Setting the Course

Standards such as FIDO set the course for future business and government communication without passwords. Google, Huawei, Intel, Lenovo, Microsoft, Samsung, and others are working on aspects of functionality and convenience. In e-commerce, biometric authentication improves both convenience for consumers and security, for example by making account takeovers through stolen, guessed, or phished credentials far harder.

However, market developments show one thing clearly: the reign of passwords is coming to an end.

—Ralf Gladis is a founding director at Computop, a global payment-service provider based in Bamberg, Germany.


Digital Transactions