The Future Of Web Authentication

After years of relying on passwords, technology vendors -- and enterprises -- are ready for new methods of proving user identity.

Tie It All Together With A Long Leash

The approaches vying to replace user names and passwords aren't mutually exclusive. With some integration work, multiple forms of authentication, such as mobile biometrics and a federated identity, could be tied in with a framework like OAuth to make it easy for people to sign on to all their online accounts.

But there are so many pieces to Web authentication that some sort of pattern is needed to keep things from snarling. It will be tough to do, but a number of coalitions and nonprofit brain trusts are working on it.

Jericho Forum's Simmonds and a consortium of U.K. security colleagues are trying to create technology that's similar to OneID through a nonprofit called the Global Identity Foundation.

This group maintains that there's no good way for people to assert their identities online. It supports building a stronger identity foundation by identifying and enrolling a user's core identity in a system on his computer, and then breaking up user attributes into contained personas. So, for example, one persona might be related to a person's login information to a social media site, and it would only contain attribute information around the user's online handle and email address. The same person's "citizen" persona would handle login information for government sites and might have attributes such as Social Security number and voter registration information. A retail account may have attributes such as credit card information.

The idea is that core identity information is encrypted on the user's system, and something like biometrics technology must be used to unlock the appropriate encrypted information. When a person wants to make a transaction, that system would connect with the online server and only offer information within the personas that are relevant to that online system -- so an online purchase may be able to pull from the citizen and retail personas, but posting on a social site could only pull from the less-risky social persona.

"The bad guys can't spoof it," Simmonds says of this type of distributed system. "So even if they take the identity, they can't assert it because they don't have the crypto components that go with it, because you hold those yourself."
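As an added illustration (my own sketch, not code from the Global Identity Foundation or from the article), the following Go program models the persona split described above: each persona is sealed separately under a key derived from a local unlock factor, and a release policy decides which personas a given kind of relying party may draw on. Without the unlock factor, a copied vault decrypts nothing, which is the property Simmonds describes. The unlock factor, persona contents, policy table and all function names are constructed for the example; treating a biometric as stable key bytes is a simplification, since real biometric matching yields a match decision rather than a key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Persona is one contained bundle of attributes; Attributes is an opaque document (here a small JSON string).
type Persona struct {
	Name       string
	Attributes string
}

// Vault seals each persona separately under a key derived from the local unlock factor.
type Vault struct {
	sealed map[string][]byte // persona name -> nonce || AES-GCM ciphertext
}

// releasePolicy lists the personas each kind of relying party may draw on
// (constructed for this example; a real policy would be user-configurable).
var releasePolicy = map[string][]string{
	"social": {"social"},
	"retail": {"citizen", "retail"},
}

// unlockCipher stands in for the biometric unlock step: the factor is
// treated as stable bytes and hashed into an AES-256-GCM key (simplification).
func unlockCipher(unlockFactor []byte) (cipher.AEAD, error) {
	key := sha256.Sum256(unlockFactor)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// NewVault seals every persona with the unlock factor.
func NewVault(unlockFactor []byte, personas []Persona) (*Vault, error) {
	aead, err := unlockCipher(unlockFactor)
	if err != nil {
		return nil, err
	}
	v := &Vault{sealed: make(map[string][]byte)}
	for _, p := range personas {
		nonce := make([]byte, aead.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
		// The persona name is bound as associated data, so a sealed blob cannot be relabelled.
		v.sealed[p.Name] = aead.Seal(nonce, nonce, []byte(p.Attributes), []byte(p.Name))
	}
	return v, nil
}

// Release unlocks only the personas the policy allows for rpType; a wrong
// unlock factor fails the AEAD tag check and reveals nothing.
func (v *Vault) Release(unlockFactor []byte, rpType string) (map[string]string, error) {
	allowed, ok := releasePolicy[rpType]
	if !ok {
		return nil, fmt.Errorf("no release policy for relying party type %q", rpType)
	}
	aead, err := unlockCipher(unlockFactor)
	if err != nil {
		return nil, err
	}
	out := make(map[string]string)
	for _, name := range allowed {
		blob, ok := v.sealed[name]
		ns := aead.NonceSize()
		if !ok || len(blob) < ns {
			continue // persona not enrolled (or unusable) for this user
		}
		plain, err := aead.Open(nil, blob[:ns], blob[ns:], []byte(name))
		if err != nil {
			return nil, fmt.Errorf("unlock of %q failed: wrong factor or tampered vault", name)
		}
		out[name] = string(plain)
	}
	return out, nil
}

// SamplePersonas is a constructed user holding the three personas the text describes.
func SamplePersonas() []Persona {
	return []Persona{
		{"social", `{"handle":"@example","email":"user@example.invalid"}`},
		{"citizen", `{"ssn":"000-00-0000","voter_reg":"EXAMPLE-0001"}`},
		{"retail", `{"card":"4111111111111111"}`},
	}
}

func main() {
	factor := []byte("constructed-unlock-factor")
	v, _ := NewVault(factor, SamplePersonas())
	fmt.Println(v.Release(factor, "social"))
	fmt.Println(v.Release([]byte("wrong-factor"), "retail"))
}
```

Binding the persona name as associated data matters: without it, someone holding the vault could present the sealed retail persona under the social label and have the social-site policy release it. Note also that the policy is enforced on the user's machine, which is exactly where the text puts it; the relying party never sees the personas it is not entitled to.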

On another front, a newly formed group called the Fast IDentity Online, or FIDO, Alliance is trying to tackle Web authentication by creating a comprehensive open architecture specification designed to act as the glue between technology built into devices, strong-authentication devices and software, and the relying parties' server infrastructure. This group wants to create a platform for FIDO-enabled devices to provide interoperability between all the products that make up the authentication ecosystem.

"It's standard plumbing," says Dunkelberger of Nok Nok, a founding member of FIDO. The alliance hopes to standardize the way relying parties enroll users and their devices, and provide a standard way to inventory devices to find out what FIDO-enabled authentication elements -- such as software tokens, fingerprint readers, cameras and microphones -- they contain.

Such a spec tells the back-end system, "Here's all of the elements you can use to establish a multifactor connection to this person and device," Dunkelberger says. Then it enrolls the user and provisions the encryption keys on both sides for the challenge-response. "And it does it in a standard way, regardless of authentication, regardless of single sign-on, regardless of any of those things," he says. "Everybody wins because we're not out there goring anybody's ox. We don't pick winners on any of those things in the stack."
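To make the enrollment and challenge-response flow concrete, here is an added Go example (my own sketch, not FIDO Alliance specification code): a device inventories its authenticator elements, the relying party enrolls the first one it accepts and keeps only the public key, then issues a random challenge that the device signs and the server verifies exactly once. The function names, authenticator kinds and user names are assumptions for the example; real FIDO messages also cover data such as the relying-party identity and a signature counter, which this sketch omits.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"sort"
)

// Device holds one FIDO-style authenticator element per kind (fingerprint
// reader, software token, camera); each private key never leaves the device.
type Device struct{ auths map[string]ed25519.PrivateKey }

// NewDevice mints a fresh key pair for each element (constructed data).
func NewDevice(kinds ...string) (*Device, error) {
	d := &Device{auths: map[string]ed25519.PrivateKey{}}
	for _, k := range kinds {
		_, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			return nil, err
		}
		d.auths[k] = priv
	}
	return d, nil
}

// Inventory answers the relying party's "what FIDO-enabled elements do you contain?"
func (d *Device) Inventory() []string {
	kinds := make([]string, 0, len(d.auths))
	for k := range d.auths {
		kinds = append(kinds, k)
	}
	sort.Strings(kinds)
	return kinds
}

// Respond has the named element sign the relying party's challenge.
func (d *Device) Respond(kind string, challenge []byte) ([]byte, error) {
	priv, ok := d.auths[kind]
	if !ok {
		return nil, fmt.Errorf("no %q authenticator on this device", kind)
	}
	return ed25519.Sign(priv, challenge), nil
}

// RelyingParty keeps one enrolled public key per user plus the
// outstanding challenge it is waiting to see signed.
type RelyingParty struct {
	accepted   []string // authenticator kinds the server will use, in preference order
	pubs       map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewRelyingParty(accepted ...string) *RelyingParty {
	return &RelyingParty{accepted: accepted, pubs: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// Enroll walks the device inventory, picks the first element the server
// accepts and records only its public key. Returns the chosen kind.
func (rp *RelyingParty) Enroll(user string, d *Device) (string, error) {
	for _, want := range rp.accepted {
		if priv, ok := d.auths[want]; ok {
			rp.pubs[user] = priv.Public().(ed25519.PublicKey)
			return want, nil
		}
	}
	return "", errors.New("device offers no authenticator this relying party accepts")
}

// Challenge issues a fresh random nonce for the user's device to sign.
func (rp *RelyingParty) Challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.challenges[user] = c
	return c, nil
}

// Verify checks the signature against the enrolled key and consumes the
// challenge, so a captured response cannot be replayed.
func (rp *RelyingParty) Verify(user string, sig []byte) bool {
	pub, ok := rp.pubs[user]
	c, pending := rp.challenges[user]
	if !ok || !pending {
		return false
	}
	delete(rp.challenges, user)
	return ed25519.Verify(pub, c, sig)
}

func main() {
	device, _ := NewDevice("camera", "fingerprint")
	rp := NewRelyingParty("fingerprint", "software-token")
	kind, _ := rp.Enroll("alice", device)
	c, _ := rp.Challenge("alice")
	sig, _ := device.Respond(kind, c)
	fmt.Println(device.Inventory(), kind, rp.Verify("alice", sig))
}
```

The point Dunkelberger makes about provisioning keys "on both sides" shows up in `Enroll`: the server ends up with a public key and nothing else, so a breach of the relying party's database yields no secret that lets an attacker answer a later challenge, and a response captured in transit is useless once `Verify` has consumed the challenge it was signed over.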

Chart: Convenience Wins. What are your top two reasons for using a multipurpose identity credential that's accepted by many organizations?

FIDO solves the problem of relying parties being unable to trust users' endpoint devices because they don't really know whether there's malware on them or other issues, says Anderson of Lenovo, which is also a founding member of the group. The open architecture provides a trusted authentication method that can work with assurance on any device, so fingerprint readers, for instance, can be tied in to verify that the right person is accessing the right machine and the right process, he says.

Most important, the open architecture can be adopted across the industry and not just by those with deep pockets, says Michael Barrett, CISO of PayPal, who's also FIDO's president.

PayPal can manage quite well using advanced risk-based authentication systems, Barrett says, but most companies aren't able to develop highly sophisticated options. "The clear mandate for the FIDO Alliance is to make the Internet a safer place for everyone by enabling the development of an ecosystem," he says, "which fosters authentication that's simultaneously easier to use than user IDs and passwords and stronger for relying parties."

Whether it's FIDO or something else, this is the combination necessary to attain the Web authentication holy grail. Tomorrow's authentication option must be more effective than today's passwords -- and as easy, and hopefully easier, to use.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

6 of 6
5/21/2013 | 12:41:17 PM
re: The Future Of Web Authentication
"nobody knows you're a dog"
The other 'Net quip is that the Internet is a Fools' Paradise.
Perhaps so, but that aside, there are a lot of not-so-nice folks out on the Net, which is why it is essential to remain anonymous unless the connection has a legitimate need for a real ID, such as online shopping.

And NO, advertising sites do not fall in that category.