
Authentication: a Compromise Between Price and Security

17 September 2019 12:57, UTC
Aleksandre B

In a previous article, we talked about the main processes that occur in a computer system when a user connects to it. The person introduces themself, the service recognizes them, then checks the access level and allows actions on the data. In this article we focus on the user authentication process.

Recognition of a person by a computer system is one of the most important stages in the interaction between a service and its users. The familiarity of this process should not be misleading: no third party should be allowed through the door that this key opens. Digital services are, after all, a big part of anyone's life.

The compromise

Any mechanism that controls access is a compromise between reliability, security, convenience, and complexity (and therefore cost) of implementation. In theory, a user's connection to a computer system can be made extremely reliable and secure, at a level close to 100%. However, the complexity of such a mechanism would be completely unacceptable for mass use.

Over time and with the development of technology, authentication keeps getting more complicated. When electronic systems first appeared, the hardest part for their users was remembering passwords or access codes. Now that there are many computer services, a person has to navigate a world of different authentication mechanisms. Fortunately, they follow similar rules and are built on a few basic principles, whose strengths and weaknesses can be identified and sorted out.

I know

The first principle is to identify the user by some secret known only to them. The system recognizes the person who introduces themself and enters personal information: a password, a PIN, a code word. This type of authentication is clearly weak. In effect, a system that authenticates a user with a single password equates the person with a set of characters. The password is then both the access to confidential information and the authority to manage personal affairs, which means that the password is the person.

Password protection is weak because the character set can be guessed, stolen or intercepted. Simple passwords that can be found out from personal data include names of family members, pets, dates of birth, favorite dishes, names of sports teams or bands. The worst problem with passwords is that many people use the same combination of characters for a wide variety of services. An attacker who has obtained a password from one service will be able to connect to the others.

I own

A more complex and reliable authentication method is for the user to show the system an object that only they physically possess. Naturally, electronic services cannot use just any rare thing for this purpose; it must have an electronic “stuffing”.

Typically, these are storage media: flash drives, chip cards, special devices with secure memory. Such devices contain cryptographic keys, certificates, and programs that start the exchange of information with the service's access mechanism.
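The exchange a possession factor starts is usually a challenge-response: the service sends a fresh random challenge, and the device answers with a value that only the holder of its key can compute, so the key itself never travels over the network. The following is an added example, not code from the original article, that models this with a simulated token (`Device`) and a service that issues single-use, time-limited challenges; the class names, the HMAC-SHA256 construction and the 60-second lifetime are assumptions for illustration. A real hardware token would typically hold a private key and sign the challenge, but the shape of the exchange is the same.

```python
import hashlib
import hmac
import os
import time


class Device:
    """Simulated hardware token. The secret key stays inside this object;
    the only thing it ever emits is an HMAC over a challenge it was handed."""

    def __init__(self, key: bytes):
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Service:
    """Service side of the exchange. Keeps a per-user copy of the token key
    (a real deployment would keep a public key instead) and a table of
    outstanding challenges so that each one can be answered exactly once."""

    def __init__(self, ttl_seconds: int = 60):  # assumed challenge lifetime
        self._keys = {}      # user -> token key
        self._pending = {}   # challenge -> (user, expiry timestamp)
        self._ttl = ttl_seconds

    def enroll(self, user: str, key: bytes) -> None:
        self._keys[user] = key

    def issue_challenge(self, user: str, now=None) -> bytes:
        now = time.time() if now is None else now
        challenge = os.urandom(32)  # fresh per attempt, so a captured response cannot be replayed
        self._pending[challenge] = (user, now + self._ttl)
        return challenge

    def verify(self, user: str, challenge: bytes, response: bytes, now=None) -> bool:
        now = time.time() if now is None else now
        entry = self._pending.pop(challenge, None)  # single use: removed whether it passes or not
        if entry is None:
            return False
        owner, expiry = entry
        if owner != user or now > expiry:
            return False
        expected = hmac.new(self._keys[user], challenge, hashlib.sha256).digest()
        # constant-time comparison avoids leaking how many bytes matched
        return hmac.compare_digest(expected, response)


def demo() -> bool:
    """Constructed round trip: enroll a token, answer one challenge, then show
    that replaying the same response is rejected."""
    key = os.urandom(32)
    token = Device(key)
    service = Service()
    service.enroll("alice", key)
    challenge = service.issue_challenge("alice", now=1000.0)
    response = token.respond(challenge)
    first = service.verify("alice", challenge, response, now=1001.0)
    replay = service.verify("alice", challenge, response, now=1002.0)
    return first and not replay


if __name__ == "__main__":
    print("challenge-response ok, replay rejected:", demo())
```

The point of the single-use table and the expiry is that a response observed on the wire is worthless on its own: it only answers one challenge, and that challenge is consumed the moment it is checked.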

This method is good in every respect, but it is quite expensive and cannot be applied in mass systems. In addition, an outsider may take possession of such an electronic key. This would be a classic theft or robbery, but the possibilities that eventually open up to the offender often far exceed the profit from stealing, say, some jewelry or a wallet.

For the computer system, the specific person is now the electronic device: whoever inserted the flash card into the computer's connector. That person receives all the personal data, rights and authority to act in the service. The system cannot tell that person from an outsider.

I differ

The more technological and modern method of user authentication is verification of biometric data. Here electronic systems come very close to identifying a specific person: by characteristics and physical parameters that belong only to this individual or rarely coincide between different people. Fingerprint and iris recognition are already quite widespread. The same list includes authentication by ear shape, DNA, face, gait and voice.

The point is that the computer system tries to recognize a specific person by deeply individual characteristics, without additional codes or devices. Yet this seemingly almost flawless authentication technique turns out to have many weaknesses and shortcomings, starting with the most common one: fakes. There are experiments by hacker groups and security experts in which they easily fool modern biometric systems by showing them photos from a printer or fingerprints lifted with ordinary adhesive tape.

Another problem is theft and loss of control over biometric data. When such data becomes accessible to an outsider (as a result of scanning, falsification or other means) or to a group of persons (for example, on the black market together with the numbers of stolen bank cards), the victim of such a leak cannot simply change it the way a password can be changed; the consequences are disastrous.

Multi-factor authentication

A logical solution to the authentication security problem is to use several methods of user verification. This is done by combining different technologies (for example, password protection and biometrics) or by requesting additional codes through other verification channels. Two-factor authentication has been widespread since about the early 2010s. The user enters the familiar combination of login and password, and the system sends an additional code in response via another communication channel.

The popularity of this technology has led the inquisitive minds of attackers to find its weaknesses. Cellular communication is not the most reliable channel for transmitting secret data, which in the case of two-factor authentication is the confirmation code sent by the system. For a criminal who wants to gain access to, say, a victim’s bank account, creating the conditions for intercepting SMS from a bank is just a matter of price. Equipment for this purpose is quite expensive, but if the profit exceeds the cost, then why not?

Another problem with SMS is that modern users most often connect to services from smartphones, the same devices on which they receive the secret access codes. As a result, the initial condition, the separation of authentication channels, is not fulfilled. If malware that intercepts connections is installed on the victim’s phone, it can easily read data from SMS. The migration of many services from SMS confirmation codes to push messages is related to this problem: the service sends and receives codes inside the application over encrypted Internet channels, using modern cryptographic technologies such as TLS.

There are many more technologies, or, as they are called, authentication factors: by geographical location, by one-time codes and others. We have listed only the most common.
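One-time codes are the factor that lets a service drop SMS altogether: the code is derived inside an authenticator app from a shared secret and the current time, so no channel has to carry it. The following is an added example, not code from the original article, implementing HOTP (RFC 4226) and TOTP (RFC 6238) with SHA-1 and 6 digits, plus the server-side check a practitioner actually needs: a small tolerance window for clock drift combined with a `last_used` counter so that a code observed once cannot be accepted a second time. The secret `b"12345678901234567890"` is the RFC test key, used here only because its expected codes are published.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: truncate HMAC-SHA1(secret, counter) to a decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from the current time step."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step), digits)


def verify_totp(secret: bytes, submitted: str, at: Optional[float] = None,
                step: int = 30, window: int = 1, digits: int = 6,
                last_used: int = -1) -> Optional[int]:
    """Server-side check. Accepts a code from the current step or up to
    `window` steps on either side (clock drift), but never a step at or
    below `last_used`, so a code that already logged someone in cannot be
    replayed inside the window. Returns the matched step so the caller can
    persist it as the new `last_used`, or None if nothing matched."""
    at = time.time() if at is None else at
    current = int(at // step)
    for delta in range(-window, window + 1):
        candidate = current + delta
        if candidate <= last_used:
            continue
        expected = hotp(secret, candidate, digits)
        if hmac.compare_digest(expected, submitted):   # constant-time compare
            return candidate
    return None


# RFC 4226 / RFC 6238 test key (20 ASCII bytes), a published value, not a real secret.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    # At t=59 the time step is 1, so TOTP equals HOTP(counter=1).
    print("TOTP at t=59:", totp(RFC_SECRET, at=59))            # 287082
    print("accepted step:", verify_totp(RFC_SECRET, "287082", at=59))
    # The same code presented again, after step 1 has been recorded, is refused.
    print("replay:", verify_totp(RFC_SECRET, "287082", at=65, last_used=1))
```

The `last_used` bookkeeping is the part most home-grown implementations forget: with a drift window of one step, a plain "does any candidate match" check leaves a code valid for up to 90 seconds, which is exactly the interval an attacker who glimpsed it would use.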

Global authentication

The solutions that exist now demonstrate the same compromise between the cost, convenience and security of authentication systems. Users are not scared off by a complicated process, it doesn’t cost much, and the level of protection eliminates the most obvious threats.

However, there is a concern that soon most of these problems will be resolved, and that the solution will come from an unexpected source. With the proliferation of high-speed networks, the growing coverage of the Internet of Things, the increasing complexity of artificial intelligence systems and the combination of all these factors, something resembling global authentication will eventually appear.

Each member of society will be constantly identified, their profile will become universal across many systems, and the authentication factors will be complex and will include all the information a person generates throughout life. And then we will have completely different problems. Which ones? We'll probably find out soon.

Image courtesy of The Next Web