5/16/2013 03:30 PM

The Future Of Web Authentication

After years of relying on passwords, technology vendors -- and enterprises -- are ready for new methods of proving user identity.

Tie It All Together With A Long Leash

The approaches vying to replace user names and passwords aren't mutually exclusive. With some integration work, multiple forms of authentication, such as mobile biometrics and a federated identity, could be tied in with a framework like OAuth to make it easy for people to sign on to all their online accounts.

But there are so many pieces to Web authentication that some sort of pattern is needed to keep things from snarling. It will be tough to do, but a number of coalitions and nonprofit brain trusts are working on it.

Jericho Forum's Simmonds and a consortium of U.K. security colleagues are trying to create technology that's similar to OneID through a nonprofit called the Global Identity Foundation.

This group maintains that there's no good way for people to assert their identities online. It supports building a stronger identity foundation by identifying and enrolling a user's core identity in a system on his computer, and then breaking up user attributes into contained personas. So, for example, one persona might be related to a person's login information to a social media site, and it would only contain attribute information around the user's online handle and email address. The same person's "citizen" persona would handle login information for government sites and might have attributes such as Social Security number and voter registration information. A retail account may have attributes such as credit card information.

The idea is that core identity information is encrypted on the user's system, and something like biometrics technology must be used to unlock the appropriate encrypted information. When a person wants to make a transaction, that system would connect with the online server and only offer information within the personas that are relevant to that online system -- so an online purchase may be able to pull from the citizen and retail personas, but posting on a social site could only pull from the less-risky social persona.

"The bad guys can't spoof it," Simmonds says of this type of distributed system. "So even if they take the identity, they can't assert it because they don't have the crypto components that go with it, because you hold those yourself."

On another front, a newly formed group called the Fast IDentity Online, or FIDO, Alliance is trying to tackle Web authentication by creating a comprehensive open architecture specification designed to act as the glue between technology built into devices, strong-authentication devices and software, and the relying parties' server infrastructure. This group wants to create a platform for FIDO-enabled devices to provide interoperability between all the products that make up the authentication ecosystem.

"It's standard plumbing," says Dunkelberger of Nok Nok, a founding member of FIDO. The alliance hopes to standardize the way relying parties enroll users and their devices, and provide a standard way to inventory devices to find out what FIDO-enabled authentication elements -- such as software tokens, fingerprint readers, cameras and microphones -- they contain.

Such a spec tells the back-end system, "Here's all of the elements you can use to establish a multifactor connection to this person and device," Dunkelberger says. Then it enrolls the user and provisions the encryption keys on both sides for the challenge-response. "And it does it in a standard way, regardless of authentication, regardless of single sign-on, regardless of any of those things," he says. "Everybody wins because we're not out there goring anybody's ox. We don't pick winners on any of those things in the stack."

[Chart: "Convenience Wins." Survey question: What are your top two reasons for using a multipurpose identity credential that's accepted by many organizations?]

FIDO solves the problem of relying parties being unable to trust users' endpoint devices because they don't really know whether there's malware on them or other issues, says Anderson of Lenovo, which is also a founding member of the group. The open architecture provides a trusted authentication method that can work with assurance on any device, so fingerprint readers, for instance, can be tied in to verify that the right person is accessing the right machine and the right process, he says.

Most important, the open architecture can be adopted across the industry and not just by those with deep pockets, says Michael Barrett, CISO of PayPal, who's also FIDO's president.

PayPal can manage quite well using advanced risk-based authentication systems, Barrett says, but most companies aren't able to develop highly sophisticated options. "The clear mandate for the FIDO Alliance is to make the Internet a safer place for everyone by enabling the development of an ecosystem," he says, "which fosters authentication that's simultaneously easier to use than user IDs and passwords and stronger for relying parties."

Whether it's FIDO or something else, this is the combination necessary to attain the Web authentication holy grail. Tomorrow's authentication option must be more effective than today's passwords -- and as easy, and hopefully easier, to use.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments
macker490,
User Rank: Apprentice
5/21/2013 | 12:41:17 PM
re: The Future Of Web Authentication
"nobody knows you're a dog"
The other 'Net quip is that the Internet is a Fools' Paradise.
Perhaps so, but that aside, there are a lot of not-so-nice folks out on the Net, which is why it is essential to remain anonymous unless the connection has a legitimate need for a real ID, such as online shopping.

And NO, advertising sites do not fall in that category.