The consistency with which data breaches occur and the speed at which personal information is compromised is a huge problem for the smooth functioning of business and the government.
It is a constantly recurring theme. The news of the theft of half a million user accounts from Yahoo, says Brian Spector, the CEO of security vendor Miracl, suggests that this could be the straw that leads organizations to really change their approach. At least he hopes so.
“Is the Yahoo! breach what finally causes the U.S. government to intervene on behalf of protecting people’s identities online (as we've seen in the EU with PSD2)?” wrote Spector in response to questions from IT Business Edge. “To date, there’s been over a billion user identities stolen as a result of current security processes and paradigms failing.”
Spector suggests that an antiquated approach to authentication is responsible for a lot of the trouble. Today’s version of authentication, in this view, simply doesn’t work. The problem is that the response in essence has been to put a band-aid on authentication. Adding a second authentication factor, such as iris scanning, isn’t a long-term solution, Spector feels. The real fix is to fundamentally change it.
The problem, according to analyst Jack Gold, the principal of Gold and Associates, is that digital certifications between the user and the website can be altered, forged or otherwise adjusted to fool the organization and lead it to attest to a phony site’s authenticity. And, as the saying goes, we’ve all seen how that movie ends.
Spector has another way: He feels that the proper approach is to cleverly apply authentication in such a way that the full digital certificate – the thing that really proves that the person visiting a site is the right person and that the site is legitimate – is a sort of call and response between the two parties.
Exploring Zero-Factor Authentication (ZFA)
The answer, according to Spector, is a clever approach called zero factor authentication (ZFA). A user downloads Miracl’s app into their computing device and establishes a PIN. When that person asks to log into a site, the PIN is used by the app to generate part of a cryptographic key. The site than asks the app if that partial digital cryptographic key that was just created matches the one that is on file for that user. The important element is that the actual key is not transmitted – just the news of whether the key created in the app matches the one held by the website. If the answer is that it does match, it is plugged into the rest of the cryptographic key, which is also securely stored and would not be available to a bogus site. If those other parts of the cryptographic key prove to be accurate, the person gains access.
The idea appears to avoid the weakest links in current approaches to authentication.
“I think it is an important development in authentication processes and has the potential of saving companies time and money if they can implement it effectively,” wrote analyst Tim Bajarin, the president of Creative Strategies in response to questions by IT Business Edge.
The approach means that the dangers of attacks during the authentication process are eliminated, according to Spector.
“Zero-Factor Authentication provides a truly secure way of verifying the identity of a user into a web or mobile service since it does not require verification against a centralized database of credentials (which can be compromised through man-in-the-middle, or direct, attacks),” Spector wrote. “This means that a company's single-largest cyberthreat (the user name/password database) is eliminated entirely along with the security infrastructure that has been built around it for protection of this vulnerable legacy asset.”
Gold said that Miracl’s approach is “interesting…but how big a deal remains to be seen.” A big challenge the company faces, he says, is that it entails a significant infrastructure transition. This is costly and would cause the usual engrained resistance to change.
Bajarin sees the same challenge. “[I]t would need a change of mindset in how companies implement authentication but if Miracl is effective in showing the ROI and how it saves time, then it could be worth it for any company to consider this new way of simplifying the authentication process,” he wrote.
Carl Weinschenk covers telecom for IT Business Edge. He writes about wireless technology, disaster recovery/business continuity, cellular services, the Internet of Things, machine-to-machine communications and other emerging technologies and platforms. He also covers net neutrality and related regulatory issues. Weinschenk has written about the phone companies, cable operators and related companies for decades and is senior editor of Broadband Technology Report. He can be reached at firstname.lastname@example.org and via twitter at @DailyMusicBrk.