
With the exploding growth of cloud-based applications and services, portable Internet-connected devices such as netbooks, tablets and smartphones, wearable technology and IoT devices play an important role in how we work, live, play and interact socially. While the digitalization of every aspect of our lives allows for remarkable feats in communication, collaboration and productivity, reliance on digital technology paired with insecure authentication systems leaves users and online services exposed and vulnerable.

Problems associated with digital identity and transaction security have caused serious challenges and risks to both providers of online services and their customers. Digital identity has been widely recognized as the most consequential attack vector in today’s cybersecurity landscape and one of the key threats for the modern digital economy. The increase in identity theft and the resulting financial and reputational damages have become major obstacles that need to be overcome to ensure a secure digital future, and to maximize the benefits and value of online services.

In a global economy with trillions of logins and digital transactions carried out daily over insecure, public networks, identity protection becomes the most consequential safeguard against cybercrime. Online transactions are based on the trust that each party places in the integrity of the other’s credentials proving their identities.

There are two key issues faced by today’s digital world. First, existing authentication approaches are weak. Second, a multitude of online service providers force users to create separate online identities and credentials with each service, imposing a substantial burden on users. These issues combine to leave both users and service

The Internet was Built for Sharing, Not for Security

The most prevalent, and oldest, form of authentication is the password. The password is a shared secret known by both the user and the authenticator. The authentication model is simple: the user transmits their identity claim (username) and their password to the authenticator, and the authenticator compares the received password against the copy it has on file. In practice a well-run authenticator stores a salted hash rather than the password itself, but that only limits the damage of a breach of its own store; the user still transmits the secret on every login, so it remains exposed to phishing and interception. The password model is widely recognized as inadequate and vulnerable to many easy attacks, such as credential theft, phishing, interception and brute-force guessing. To mitigate these risks, users have been pushed into strategies such as using a unique password for each service, changing passwords frequently and using complex passwords. Password manager applications and online password manager services improved the management burden for users, but they did not move the authentication yardstick forward: the credential presented is still a shared secret.

The deficiencies of the password model led to the development of multi-factor authentication (MFA), which aims to mitigate the weaknesses of password authentication by increasing the number of shared secrets and shortening their validity period (a one-time code, for example, is derived from a seed that both sides hold and expires within seconds or minutes). The most common form of MFA is two-factor authentication (2FA), in which a user provides two means of identification, one being the traditional password and the other typically based on possession of a physical token (such as a USB device) or access to an out-of-band channel (such as SMS). Typically these factors are not provided simultaneously but sequentially, in a multi-step process.

Although the multi-factor/multi-step model increases the difficulty of an attack, it is still based on the fundamentally flawed shared-secret model, which it augments by adding further flawed mechanisms. Since the additional factors are not themselves secure, an attacker only needs to gain access to, intercept or forge the second factor(s) to defeat the authentication system. Two-factor and two-step approaches are perceived as cumbersome by users and have already been defeated in the wild, typically by phishing the one-time code along with the password and relaying both while they are still valid. Adding more factors or steps makes an attack increasingly difficult, but it guarantees nothing and makes the authentication process increasingly cumbersome for users. The more cumbersome the process, the more likely users will, either purposefully or inadvertently, compromise it in order to make it more convenient to use.

More recently, digital signature challenge-response authentication systems have appeared. In these models the user possesses a signing key and the authenticator possesses the corresponding verification key. When authentication is required, the authenticator issues a challenge; the authenticating device signs the challenge with the signing key and returns the signature; the authenticator validates the signature with the verification key, and if the check passes the user is authenticated. For this to be sound the challenge must be fresh and unpredictable for every attempt, otherwise a captured signature can simply be replayed. This model is a significant improvement over previous approaches in that the secret (the signing key) is never shared or transmitted, and the authenticator holds only a verification key, so a breach of its database yields nothing that can be used to log in. However, for the authentication result to be trustworthy the user must keep the signing key secret, and this is where most other authentication systems fall short: the signing key is typically stored on the user's device, where it remains susceptible to undetected theft or replication, and even a key held in hardware that cannot be extracted can still be exercised by malware running on that device.
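The two models described above, side by side, as an added example that is not code from this page or from inBay: a shared-secret verifier of the kind the password and one-time-code paragraphs describe (HMAC over a challenge, so the server must hold the secret) next to a digital-signature challenge-response verifier that holds only an Ed25519 verification key. Both issue a fresh random challenge per attempt and consume it on use, so a captured response cannot be replayed and a wrong guess gets no second try against the same nonce. The type and function names, the user "alice" and the secret strings are all constructed for the example. The device keeps its Ed25519 key in process memory, which is exactly the on-device storage the paragraph flags; the example shows what the signature model gains on the verifier side and does not address how the device protects its key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// issue stores and returns a fresh 32-byte random challenge for user. It is
// issued even for unknown names so the flow does not leak which accounts exist.
func issue(pending map[string][]byte, user string) ([]byte, error) {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		return nil, err
	}
	pending[user] = n
	return n, nil
}

// take removes and returns the outstanding challenge: single use, so a captured
// response cannot be replayed and a wrong guess gets no retry on the same nonce.
func take(pending map[string][]byte, user string) ([]byte, bool) {
	n, ok := pending[user]
	delete(pending, user)
	return n, ok
}

// SharedSecretAuthenticator (password / OTP-seed model) must hold the user's
// secret to check a response, so a breach of its store is a full compromise.
type SharedSecretAuthenticator struct {
	secrets map[string][]byte
	pending map[string][]byte
}

func NewSharedSecretAuthenticator() *SharedSecretAuthenticator { return &SharedSecretAuthenticator{map[string][]byte{}, map[string][]byte{}} }
func (a *SharedSecretAuthenticator) Enroll(user string, secret []byte)      { a.secrets[user] = secret }
func (a *SharedSecretAuthenticator) Challenge(user string) ([]byte, error) { return issue(a.pending, user) }

// SharedSecretRespond is the client side: HMAC-SHA256 over the challenge.
func SharedSecretRespond(secret, challenge []byte) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write(challenge)
	return mac.Sum(nil)
}

// Verify recomputes the same HMAC, which it can do only because it holds the secret.
func (a *SharedSecretAuthenticator) Verify(user string, response []byte) error {
	secret, known := a.secrets[user]
	n, ok := take(a.pending, user)
	if !known || !ok {
		return errors.New("unknown user or no outstanding challenge")
	}
	if !hmac.Equal(SharedSecretRespond(secret, n), response) {
		return errors.New("bad response")
	}
	return nil
}

// Device is the user side of the signature model: the signing key stays here.
type Device struct{ priv ed25519.PrivateKey }

// NewDevice generates an Ed25519 key pair; only the public half gets enrolled.
func NewDevice() (*Device, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return &Device{priv: priv}, pub, err
}

func (d *Device) Respond(challenge []byte) []byte { return ed25519.Sign(d.priv, challenge) }

// SignatureAuthenticator stores verification keys only: stealing its database
// lets an attacker check signatures, not produce them.
type SignatureAuthenticator struct {
	verifyKeys map[string]ed25519.PublicKey
	pending    map[string][]byte
}

func NewSignatureAuthenticator() *SignatureAuthenticator { return &SignatureAuthenticator{map[string]ed25519.PublicKey{}, map[string][]byte{}} }
func (a *SignatureAuthenticator) Enroll(user string, pub ed25519.PublicKey) { a.verifyKeys[user] = pub }
func (a *SignatureAuthenticator) Challenge(user string) ([]byte, error)    { return issue(a.pending, user) }

func (a *SignatureAuthenticator) Verify(user string, sig []byte) error {
	pub, known := a.verifyKeys[user]
	n, ok := take(a.pending, user)
	if !known || !ok {
		return errors.New("unknown user or no outstanding challenge")
	}
	if !ed25519.Verify(pub, n, sig) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	dev, pub, _ := NewDevice()
	auth := NewSignatureAuthenticator()
	auth.Enroll("alice", pub) // "alice" is a constructed sample user
	ch, _ := auth.Challenge("alice")
	sig := dev.Respond(ch)
	fmt.Println("first use:", auth.Verify("alice", sig), "| replay:", auth.Verify("alice", sig))
}
```

The example signs the raw nonce only. Deployed protocols of this kind also bind the signed message to the relying party's identity and the session, so that a phishing site cannot obtain a challenge from the real service, relay it to the victim's device and forward the signature; the freshness check here stops replay but not that kind of live relay.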

Are You Who You Say You Are

All of the previous authentication approaches suffer from the same fundamental flaw, which is that they are based on Proof of Possession—the authenticating user only need prove that they know a secret or possess a key. Because secrets and keys can be stolen or replicated, the user presenting them may not be the user to whom they were issued.

idQ Enterprise solves the “Are you who you say you are?” problem by introducing a Trust Relationship paradigm that ensures Proof of Identity: only the user to whom a credential was issued can successfully use it to authenticate.

The idQ Enterprise Trust Relationship combines cryptographically strong digital signature-based challenge-response authentication with inBay’s patented Zero-Key Authentication technology. Unlike traditional digital signature-based challenge-response systems, what an idQ Enterprise authentication verifies is not whether the user possesses the signing key (since they do not), but whether the user is the person to whom the signing key was issued.

inBay’s Zero-Key Authentication technology ensures the secrecy of the signing key by never storing it anywhere and inBay’s proprietary cryptographic Trust Relationship Algorithm ensures the authenticity of the signing key because only the user-device combination to whom it was issued can successfully recreate the key when it is needed.

Trusted Access: I Am Who I Say I Am

Traditional authentication systems are analogous to giving users the key to your door. Whoever holds the key, or a copy of it, can open the door; all that is being authenticated is the key, not the person using it.

inBay’s Trust Relationship paradigm brings the user back into the authentication process, like having to present photo ID to get in the door. With idQ Enterprise, Trusted Access gives you the assurance that the person presenting the authentication credential is actually the person to whom it was issued.
