With thousands of cloud services proliferating the Internet, managing identity becomes a real challenge for most of us. Each provider has its own user and password policy. For a human being, it’s almost impossible to safely record dozens of login credentials. Most people try to keep a maximum of three or four passwords. The consequence of this approach is obvious; if someone stole your information for one service, they would probably compromise your identity for several others.
Solutions to solve this problem are not new. Microsoft tried to implement a web Single Sign-on with Passport (now called Windows Live ID). To compete with Microsoft, Sun Microsystems launched the Liberty Alliance with the goal of creating a de facto standard for Internet web applications. Unfortunately, both initiatives had limited adoption and now both applications are almost dead.
A few years later at the RSA conference in 2006,Bill Gates gave a keynote on the end of passwords for the Internet by using CardSpace (i.e. InfoCards), which was introduced with Microsoft Windows Vista. However, five years later, just a few services on the Internet have adopted the “standard.” In fact, it is really hard to change user behavior. Nowadays, users access their services from several devices such as PC at the office and home, smartphones, tablets, TVs, etc. That contributes to a low-rate of adoption for CardSpace.
Passport/Liberty Alliance and CardSpace were designed for user convenience, but in reality didn’t increase the security level. There are valid concerns from service providers, which can lead to low adoption of these technologies. This is the reason why most Internet Banking systems around the globe never adopted it. Instead, banking systems added mechanisms to confirm user identity, while at the same time providing ways for users to utilize web-based services.
Usually, a user has a login and password as authentication, but it’s not enough to guarantee the user’s identity since his or her credentials could be stolen. Some efforts have been made to protect users against this kind of attack. For example, today many financial institutions use virtual keyboards that change the position of the numbers and letters with each new access.
However, attackers can potentially circumvent this process by adding the capability to take screen snapshots at every mouse click. An improvement from this basic approach would be to put together two characters in a single button, as shown:
It increases the security, but not for a long time. The more you use this interface and the character clusters change; the attacker can gather more data and more clues about your password.
Therefore, adding a second factor for authentication (i.e. two-factor authentication) can improve security and mitigate attacks of a stolen login and password. To make it work, the system should be beyond what the user knows (login & password) and incorporate into the system what the user has (e.g. One-Time Password token – aka OTP).
However, giving something to a user is not an inexpensive approach. There are many logistics to deploy and maintain a solution like this. There are many technologies out there that companies can use. One of the cheapest methods available is token table. Token table is a rudimentary OTP challenge/response solution where the service not only provides a login and password, but also a request for the user to insert, for example, the code 10 of his token table.
I can’t say that this method is ineffective, but of course it has its limitations due to the nature of limited number of codes, easy to scan, etc.
Some Internet Banking services useOTP tokens. OTP tokens are six-digit codes that are time-based. You press the button, and the token that generates is valid for a period (i.e. usually 1 minute). As you can imagine, it’s not a cheap solution, and from a user’s perspective, it doesn’t scale. Take my own example: I have an account in two different banks. Each bank offered me these tokens. Can you imagine one for each bank, one for Facebook, one for Twitter, one for Amazon, etc.? In the end, l would carry dozens of these tokens…this is not an effective approach, and it is not convenient for users.
There are a variety of solutions out there. Facebook and Google adopted an approach that uses mobile phones to retrieve a password or unlock an account. Some banks even use a similar approach to authorize a transaction. This approach relies on a third party device to attest user identity but at the same time it does not use a reliable media — SMS is not very reliable (at least not worldwide).
In order to unify and simplify this process this year Intel launched an initiative called Identity Protection Technology (IPT) which is an umbrella for a number of building block components such as OTP authentication embedded into the chipset. By developing this imitative and centralizing the technology in a single device the user uses to access their services we will be able to decrease the concern around men-in-the-middle or men-in-the-browser style attacks.
There are many solutions to the identity issue. From a service provider standpoint, the most pragmatic approach may be to adopt many technologies to support authentication to provide the least path of resistance and hassle for the user. For example, I hate the idea of carrying an OTP token.