When presenting or more often representing yourself online to a service, how do you prove that you are you?
It’s an age-old question that software designers first asked themselves 60 years ago. Back then, long before sophisticated identity thieves roamed every network on earth, the first answer was fairly simple.
It came down to a sequence of a few keyboard characters you knew that others didn’t know. The password was born.
Flash-forward through time, across the PC revolution, the Dot-Com boom and bust, the rise of social media, across dozens of hype cycles and all the ever-faster-accelerating technology advancements -- to today.
We now have ubiquitous cybercriminals and perpetual cyberwarfare among nation-states. Cunning and malicious actors are constantly trying to impersonate you online. When they pose as you, how do you best foil their plans?
Exploring the problem is fascinating.
Over the decades, attackers and defenders co-evolved. As technology advanced, various solutions from multiple vendors in the authentication space emerged from the co-evolutionary forces. Standards such as SAML, OAuth, OpenID Connect, FIDO, WebAuthn and others arose as vendors cooperated and competed.
Yet, as you scrutinize solutions, you find that legacy players in authentication as well as some flashy upstarts have tended to cling to a very simplistic binary view. You might see some upgrading of underlying verification techniques such as using a certificate instead of a password.
But overall, vendors kept treating authentication as a singular binary event.
Meanwhile, with painful 2020 hindsight, it’s crystal clear that attackers kept upping their game. Let’s examine how the current situation developed, and then what to do about it.
Over time, the process of verifying an identity improved with multi-factor authentication. MFA provides stronger security than a password by itself. By requiring the presentation of more than just something you know, such as a password or your mother’s maiden name, it raised the effort required of an attacker. Unfortunately, extra factors such as security questions also added more friction to your user experience.
You might also present something unique you have in your possession that no one else has. Going back a few hundred years, if you were visiting a castle, your hosts at a gate might rip a fresh sheet of paper down the middle and hand you half. Later, when passing back by that gate, they would match up the two pieces. Because paper tears in a chaotic, unpredictable way, it was hard to forge a match. In our software systems, we add entropy based on randomness to achieve a similar effect.
In the past decade or two, you might have acquired and carried around a physical object that emits specially sequenced numbers designed to be unpredictable to an attacker. In the mid-2000s, I used to carry a little dongle from RSA on my keyring that did exactly this. Today, these devices have largely dematerialized into apps on our mobile phones tied to our various online personas.
You could also use a sensor that reads some characteristic pattern about your physical body that makes you unique, such as a fingerprint, retinal scan or facial scan. The device can then present some of your unique biometrics during the authentication process. Twenty years ago, you might have had to buy a separate USB fingerprint reader. Today, most of the latest laptops and phones have built-in biometric sensors and the sensors are supported by all the major operating systems.
Game-changing technologies have also come along to substantially enhance authentication, the impact of which may not have been fully understood prior to their arrival. In 1993, the GPS satellite system worked, but only for the US military. Then GPS became open to the rest of the world in 2000. Today, GPS services come with all modern mobile phones. So, now while you are authenticating, it’s relatively easy for you to also present where you are.
On the whole, it was a good idea to combine different factors, and legacy MFA worked for a while on this premise. The trouble is that all of these factors in an MFA are potentially spoof-able by an attacker. Let’s look at what can happen:
- Passwords Get Breached. Attackers might know your password because data breaches of passwords happen constantly, with plenty of examples in sites like https://haveibeenpwned.com/. According to the ‘assume-breach’ paradigm, you’re likely better off assuming that all your passwords have already been breached. This is because, regrettably, it’s probably true. It could also become true tomorrow or in the next hour or next minute - whenever the next breach is discovered and revealed to you. As SolarWinds has clearly shown to thousands of victims, you might later discover that you were indeed breached at a time when you didn’t think you were. This is why it is imperative to assume the worst case and adopt a zero-trust mindset when thinking about your security.
- Secrets Get Revealed. Attackers might find your mother’s maiden name and answers to so-called security questions by using social media or looking up government records about you with ease. Maybe you were careful in how you set up your social media presence. Perhaps a family member or a friend was not. Recall that Facebook used to allow anyone who took a silly poll to leak data about all of their contacts. (Remember Cambridge Analytica?) Today, you can’t even join the trendy Clubhouse service without sharing all your contacts with their app.
- Codes Get Intercepted. Attackers might intercept those time-sensitive one-time password codes, whether they are sent to you via SMS or are time-based (TOTP) codes that you copy from a physical device or an app on your phone. SIM-swapping is still plaguing the industry. Phone numbers get ported to attackers every day without the consent of the legitimate owners. Your phone number could be the next one ported.
- Targets Get Located. Attackers might also know where you are, either from direct surveillance or from observing your network traffic from afar. So, attackers can spoof your current GPS coordinates when they present as you.
Indeed, it can be a rough world out there. It’s fair to say not everyone has your best interests in mind, and it’s wise to reflect on this once in a while. Even if you live in a relatively safe neighborhood in the physical world, world-class attackers are always just one hop away from you in cyberspace.
Knowing this, do we just give up on effective authentication? No. But, before we discuss modern solutions, you have to also realize that the situation is actually even worse, in multiple ways! Let’s look at some.
Safely Persisting Biometrics
When a fingerprint reader reads your fingerprint, the image is processed and digitized. That data representing a piece of you might end up on a network where an attacker can intercept it, or in storage where an attacker can steal it. The attacker can then later present the biometric data as if they were you – and this attack vector will be there for the rest of your life (as long as biometrics are still in use). At least you can change a password. But you generally cannot change your unique biometrics. This makes the care and safeguarding of biometric information a very critical security requirement. Yet in practice, biometric-based systems often fail to achieve the level of security they deserve in both design and implementation. Biometric data in transit or at rest is often left vulnerable. I have seen this first-hand in my own software career, unfortunately more than once.
Invasions of Privacy
Your privacy is being invaded to a certain degree when you encounter an authentication system that tries to read a biometric or determine your GPS coordinates. However, we live in an era where attackers, private businesses and government agencies are already surveilling you to various degrees every time you go online or go outside your home. Cameras are omnipresent, especially in large cities, continually recording your presence. You might wear a mask due to a pandemic, but your walking gait can identify you. And surveillance technologies to gauge your height, weight and gait keep advancing. We all go through x-rays at all airports now. Our highways have both x-rays and license plate readers. Our front doors have cameras on them, with video being sent to the cloud which might later be accessed by law enforcement. The satellites are always watching from the skies. So we have to understand privacy in the context of our times, including how we can now use all this collected data about ourselves to our advantage against identity theft and account takeovers (ATOs).
Denial of Service
If an attacker constantly tries to log in as you using different password / MFA combinations, they might quickly cause your account to get locked. With a locked account, you typically have to try some alternate, more cumbersome technique to get back in - which sometimes includes talking with an actual other human being. When we introduce humans into authentication processes, the Customer Support teams can get lazy. And attackers have become very good at social engineering, including convincing helpdesk staff that they are you. (Note that social engineering is a skill openly taught at Black Hat, DEF CON and other security conferences. See this video for a stunning example of attacking a support desk to gain access to a victim’s phone and email within 30 seconds. Also see Kevin D. Mitnick’s book The Art of Deception for several chapters full of examples of techniques he famously used for years to gain unauthorized access to systems.)
While you might get used to the chronic pain of dealing with these multiple authentication factors, traditional passwords and legacy MFA also regularly drain your brainpower and add unnecessary stress to your life. You might find the following internal dialogue somewhat familiar:
- What was that password I last used on this system?
- Why is the password reset email taking so long!? (Refresh. Nope. Refresh. Nope. Rinse. Repeat for several minutes to several hours.)
- What ‘tricky’ answer did I previously give to that question about my high school mascot? Did I give a different answer to this service vs. the other services?
- Where did my RSA dongle go? Oh, I took the wrong car to work today!
- Where did my YubiKey go? Oh, I took the wrong moped to the coffee shop today!
- <reads news article about the millionth password breach> Uh, how many other places have I used that same password?
- Got a new phone, great! <later> Oh no… all the authenticator codes are on the old phone! How do I log in now!? Grrr.
- <trying to create a new password> Wait, this one needs 3 special characters, can’t start with a number, has to be longer than 10 characters but less than 16? Why are the password criteria different on every different service!?
- That’s it, I give up - I’m switching to the other provider that doesn’t run me through all these ridiculous password rituals.
- Oh no, I just lost another customer because our authentication system is so abysmal. Can’t IT do anything about this?
Given how painful it can be to use passwords and MFA, what can we do?
Well, first, let’s take a moment to shake off all that pain and negativity. Whew!
Next, get ready to rejoice because I have some good news about a wonderful solution that can solve all these problems and take away all the pain.
You Be You
Let’s reconsider what we are really trying to do.
In a nutshell: We want to make it as easy as possible for you to authenticate yourself to a system – while simultaneously making it as-close-to-impossible-as-possible for an attacker to impersonate you or cause you to get locked out.
How do we do that?
- At Acceptto, we do it by leveraging the near-magical advanced powers of modern Data Science, Artificial Intelligence and Machine Learning. The core new tech is a digital neocortex, using technology that simply did not exist even a couple of years ago.
- We do it by crunching Big Data – about your long-term patterns of prior logins and post-login activities, and about the surrounding environment. We continuously crunch and crunch and then re-crunch massive datasets again and again, all to recognize you vs. posers. In essence, just like when a friend or your dog sees you approaching, we effectively have a digital hippocampus that remembers novel patterns and events that are germane to identifying you vs. the mailperson. And we have a digital cerebellum that predicts trends, similar to how you might predict how late your friend will arrive at the park, or how to best duck when a snowball is coming at you.
- We do it by projecting probabilities about whether it’s really you by looking across dozens of dimensions, not just two or three factors. This is what makes account takeovers virtually impossible for attackers. Attackers simply cannot replicate all of these aspects of you simultaneously in a convincing manner. This frees you up to just go about your business, and stop worrying about how to present yourself at all. You can just be you. The system will recognize you, and recognize when it doesn’t quite seem to be you.
- We do it by appropriately balancing the hassle and annoyance of having to ‘step up’ your authentication presentations, asking for them only when something looks like it might be an anomaly. Maybe you just got a new laptop. Or suppose you are not a typical road warrior, and you just arrived at a place you have never worked from before. In those rare cases, it is reassuring to be asked for a little extra information to make sure it’s still you. And the level of assurance can follow appropriate policies and be tuned to your organization’s needs. Otherwise, throughout the course of a typical day, you have a far easier experience logging into systems - often without your scarce human attention being required at all.
- Software agents negotiate protocols on your behalf, including appropriate challenges/responses about your identity, silently and intelligently, in the background. People dreamed of intelligent software agents powered by AI and ML in the 1980’s. Guess what? They’re here! And they are ready to act on your behalf to prove who you are.
- We do it by offering 14 different ways to authenticate when your system is online. Of these, 7 offline authenticators work when you happen to not be on the network but still need to get into your system. Some of these methods include authenticators you might have already invested in and are accustomed to using. However, we enhance their usage, making them more secure and more convenient.
- We do it by giving you the option to simply scan a unique, short-lived QR code with a mobile app instead of you creating a hard-for-you-to-remember, easy-for-attacker-to-steal password or answers to intrusive security questions.
- We do it through continuous behavioral authentication, and we do it the right way. In the way that makes the most possible sense in every scenario. We do it every day, for the millions of people already using Acceptto.
- At Acceptto, we do it because we were founded by exceedingly smart engineers who have decades of experience in designing secure, performant, reliable, usable, cost-effective and ultimately useful security systems. And they have attracted equally brilliant minds to grow and expand the award-winning technology stack.
- At Acceptto, we have thought about every possible angle on every aspect of next-generation authentication (NGA) for years. NGA is our DNA. We live and breathe it every day. And NGA is one of those breakthrough technologies like GPS - once you get access to it, it can change everything and take the user experience to a whole new level.
- At Acceptto, we have 10 ground-breaking public patents in authentication, with several more already pending.
- At Acceptto, we quite literally created the category of Continuous Behavioral Authentication. We have something truly special. Something extraordinary. And now it’s available for select organizations to use.
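As an added illustration of the risk-scored, step-up-only-on-anomaly idea described in the list above (constructed example code, not Acceptto’s product, patents or data), the following scores a login across several dimensions against a constructed login history, steps up only when the pattern looks unfamiliar, and learns the new pattern once the user has proven it is them. The dimensions, weights, the “rare below 10%” rule and the policy thresholds are all assumptions chosen for the demonstration.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Login:
    device_id: str  # identifier of the laptop/phone/browser used
    country: str    # coarse geolocation of the request
    daypart: str    # "work", "evening" or "night" (local time)
    network: str    # label for the originating network

# Constructed history for one user: mostly the office laptop, from the US, in work hours.
HISTORY: List[Login] = [
    Login("laptop-A", "US", "work", "corp-net"),
    Login("laptop-A", "US", "work", "corp-net"),
    Login("laptop-A", "US", "work", "corp-net"),
    Login("laptop-A", "US", "work", "home-isp"),
    Login("phone-1", "US", "evening", "mobile-carrier"),
    Login("laptop-A", "US", "work", "corp-net"),
]

# Assumed weights: how much a rarely or never seen value in each dimension adds to the risk.
WEIGHTS: Dict[str, float] = {"device_id": 0.35, "country": 0.40, "daypart": 0.10, "network": 0.15}
RARE_BELOW = 0.10  # a value seen in fewer than 10% of past logins counts as anomalous

def risk_score(history: List[Login], current: Login) -> float:
    """0.0 means the login looks exactly like the user; 1.0 means anomalous in every dimension."""
    n = len(history)
    score = 0.0
    for dim, weight in WEIGHTS.items():
        freq = Counter(getattr(h, dim) for h in history)[getattr(current, dim)] / n if n else 0.0
        if freq < RARE_BELOW:
            score += weight
    return round(score, 3)

def decide(score: float, step_up_at: float = 0.30, deny_at: float = 0.80) -> str:
    """Policy thresholds are tunable per organization: allow silently, step up, or deny."""
    if score >= deny_at:
        return "deny"
    return "step_up" if score >= step_up_at else "allow"

def evaluate(history: List[Login], current: Login) -> Tuple[float, str]:
    score = risk_score(history, current)
    return score, decide(score)

def learn(history: List[Login], login: Login) -> List[Login]:
    """After a successful login (or a passed step-up), the new pattern becomes a known one."""
    return history + [login]

if __name__ == "__main__":
    new_laptop = Login("laptop-B", "US", "work", "corp-net")
    print(evaluate(HISTORY, new_laptop))                     # (0.35, 'step_up'): new device only
    print(evaluate(learn(HISTORY, new_laptop), new_laptop))  # (0.0, 'allow'): now recognized
    print(evaluate(HISTORY, Login("tablet-9", "DE", "night", "hotel-wifi")))  # (1.0, 'deny')
```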
Attackers will never stop trying to attack your systems. Thankfully, you can use great technology to successfully defend yourself, protect your systems and put an end to worrying about their threats.
Welcome to the better future that continuous behavioral authentication can bring you.
I am now betting that, based on the ideas presented here, you are convinced it will be worthwhile to investigate Acceptto’s award-winning technology further.
What’s your next step to learn more about how much better your authentication experiences can be?
Contact firstname.lastname@example.org and we’ll be happy to help.
By Alan Krassowski, VP of Technology at Acceptto