This post is from my series of short essays on cybersecurity.

The cybersecurity journey starts with putting the correct level of access control around the assets we want to protect. We want legitimate users to have easy access to the data they need to complete their work, and at the same time we want to make sure no one else can reach it. That is like building a castle with strong walls and a door that lets legitimate users in easily while blocking everyone else. Identifying legitimate users requires knowing the user's identity and having a reliable mechanism to confirm that the identity is true. Basically, we need to confirm that the user is who they claim to be.

The process of validating the user's identity is authentication. In the physical world, people carry identity in the form of state-issued cards such as a passport or driver's license. Modern state-issued cards include not only photos but also embedded microchips containing additional data such as biometrics. These cards also include built-in tamper-resistant technologies. When you present this card as your identity at airport security during your travel, or show it at a bank counter to process a transaction, they trust the presented identity because they trust that the issuing authority did its due diligence in issuing the card, and they are confident that the card has not been tampered with since it was issued. Coming back to the cyber world, how do we validate identity digitally? Traditional interactive physical-world protocols need new criteria in the cyber world to validate the identity of a person who is sitting thousands of miles away on the other side of the globe.

The simplest authentication protocol is "let's have a secret that is known only to the two of us": a password. The rule is simple: when someone claims to be you, I ask them to show the secret password, and if it matches what I have, I let them in. This protocol has several problems and should be stopped now. The first problem is that you need to trust my ability to maintain the confidentiality of the secret password. Millions of password data breaches happen every year, with passwords stolen from servers at companies from Yahoo to Facebook (check "Have I Been Pwned" for hundreds of millions of stolen passwords). The second problem is that when you need to authenticate against several parties, you need a separate secret with each of them, or you risk being a victim of multiple identity leaks in a single hack incident. One mitigation is to use a password vault solution such as LastPass or 1Password, provided you can keep the vault itself secure.

The NIST 800-63 Digital Identity Guidelines introduce the digital identity model in a document suite that covers identity guidelines in three major areas: enrollment and identity proofing (SP 800-63A), authentication and lifecycle management (SP 800-63B), and federation and assertions (SP 800-63C). The following Digital Identity Model diagram describes the overall digital identity proofing flow.

Diagram reference: NIST 800-63 Digital Identity Guidelines, section 4.1

The left side of the diagram describes enrollment, credential issuance, and lifecycle management. From the user's perspective, it is the process of creating a new account or registering a new authenticator app with the Credential Service Provider (CSP). The right side of the diagram describes the authentication process, in which the verifier validates the authenticator proof with the CSP and enables the relying party (RP) to establish a secure session with the subscriber.

Password-only authentication is outdated and is being replaced by an updated protocol with multi-factor authentication (MFA), which adds a check on top of the secret to ensure that you possess something unique. MFA "combines something you know and something you have". The proof of something you have should be dynamic and short-lived so that your adversary can't replay it: a unique one-time password (OTP) or a verifiable challenge. The idea is that if you possess something, I want to know that you possess it right now. What you possessed in the past is no guarantee that you still have it. Cryptography comes to the rescue: this process relies on a shared secret between your OTP app or device and the authentication server. The authorizing party generates a random sequence of numbers, combines it with a moving factor such as a counter or timestamp, and encrypts the sequence with the HMAC algorithm (discussed in another post, "Message Authentication Code (MAC) – Assurance against message tampering"). If you possess the decrypting key in your OTP app or device, you will be able to tell what the sequence is. Combining moving factors such as a counter or time-based information (TOTP) prevents reuse, because the server expires the generated sequence after a few seconds or minutes. The OTP described here is based on symmetric-key encryption. Another, more secure mechanism is to use asymmetric-key cryptography. I will discuss this in a future post.

One important caution concerns the widely used SMS-based OTP delivery mechanism currently in practice. The NIST 800-63-3 Digital Identity Guidelines deprecated the use of SMS as an "out of band authenticator" solution. Possession of a mobile phone is a great verification, because stealing your password and your phone at the same time requires significant time and physical mobility from the adversary, who must also act fast enough to do actual damage. The challenge is the evolution of the SMS protocol: it is no longer mobile-phone-based communication. Beautiful interoperability work has made it possible to route an SMS, like any other message, to endpoints other than your mobile phone. Because of these risks, the NIST standard now discourages the use of SMS as a method for delivering a one-time code for multi-factor authentication. In the coming years we should see SMS-based OTP delivery phased out.