This post is from my series of short essays on cybersecurity.
In one of the previous posts, we discussed that the cybersecurity journey starts with reliably verifying the claimed identity. Authentication is the process that establishes confidence that the claimant has possession of an authenticator. Authenticators can be passwords, cryptographic devices, biometrics, certificates, one-time password devices, and ID badges. In this post I will discuss the evolution of authenticators and why it is still hard to build a perfect authenticator.
The authenticator journey started with a simple idea: a memorable secret (password or PIN) that the subscriber can memorize and share with the verifier. Verifiers typically keep a hash of the secret instead of the clear text to maintain its secrecy. In the authentication process, the subscriber presents the secret and identity, and the verifier computes the hash of the presented secret and matches it against the stored hash. Subscribers typically use easy-to-remember personal words such as a favorite place, a fruit, or family member names. The problem is that what is easy for the subscriber to memorize is also easy for an adversary to crack [MITRE ATT&CK – T1110 Brute Force]. If an adversary is able to access the hashed password store [MITRE ATT&CK – T1555 Credentials from Password Stores], a dictionary lookup with hash calculation can crack the secrets.
One way to make dictionary lookup hard is to use a random password instead of well-known words. This increases the search space for the dictionary lookup, so new rules were added for strong passwords. Some examples of these rules are a minimum password length of 10 characters or more, a combination of lowercase and capital letters, and numbers and special characters along with letters. But strong random passwords are also harder to memorize, so subscribers started using simple composition patterns such as “$” instead of “S”, or adding number suffixes or prefixes. Adversaries in turn expanded their lookup searches with the new password rules and composition patterns. The overall search space was now larger than for a simple dictionary lookup, but it remained crackable given the increased computational power of computers. Strong password rules also don’t prevent an adversary from stealing passwords at the source [MITRE ATT&CK – T1056 Input Capture – keylogging, GUI input capture, web portal capture, credential API hooking] or while in transit [MITRE ATT&CK – T1557 Adversary-in-the-Middle]. Today we know that password-only authentication can’t take us far in our cybersecurity journey. Password-only authentication should now be history; it shouldn’t be used anywhere we need secure authentication.
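The two points above (the verifier stores only a hash, and composition tricks such as “$” for “S” add little) can be seen together in an enrollment check. This is an added example, not code from the original post; the blocklist, the look-alike table, the per-user salt and the PBKDF2 work factor are assumptions of the example.

```python
import hashlib
import hmac
import os

MIN_LENGTH = 10        # the minimum length the text gives as an example rule
ITERATIONS = 600_000   # PBKDF2 work factor (assumed value for this example)
# Constructed sample blocklist; a real one holds many common and breached words.
BLOCKLIST = {"password", "welcome", "summer", "mango", "paris"}
# Look-alike characters users swap in to satisfy composition rules.
LOOKALIKES = str.maketrans("$@0135!7", "saolesit")


def base_word(password: str) -> str:
    """Undo the usual tricks: case changes, digit/symbol affixes, look-alikes."""
    core = password.lower().strip("0123456789!#*._-")
    return core.translate(LOOKALIKES)


def _hash(password: str, salt: bytes) -> bytes:
    # Slow, salted hash: equal passwords no longer produce equal stored values,
    # and every guess against a stolen store costs ITERATIONS hash computations.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def enroll(password: str) -> tuple[bytes, bytes]:
    """Return (salt, hash) to store, or raise ValueError for a guessable secret."""
    if len(password) < MIN_LENGTH:
        raise ValueError("shorter than the minimum length")
    if base_word(password) in BLOCKLIST:
        raise ValueError("derived from a common word")
    salt = os.urandom(16)
    return salt, _hash(password, salt)


def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Hash the presented secret and compare in constant time."""
    return hmac.compare_digest(_hash(password, salt), stored)
```

`P@$$w0rd123` satisfies the length and character-class rules yet is rejected, because it reduces to a blocklisted word.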
Once it was learned that the memorized secret (“what you know”) cannot provide enough security, the search began for a new factor in which the subscriber provides proof of possession (“what you have”) of something unique in addition to the password. The ideas of look-up secrets and OTP (one-time password) generator devices evolved in this direction. An example of a look-up secret can be found on the back of some credit cards: a random value is printed in each cell of a grid, and during authentication the verifier asks for a random subset of the values printed in the grid. The assumption is that the subscriber can provide the values only if he or she is in possession of the card.
OTP generator devices, on the other hand, are based on symmetric key cryptography, where the device has a unique persistent key. The device generates an OTP based on a counting sequence or a real-time clock and encrypts the generated OTP with that key; the verifier also has a copy of the key associated with the subscriber’s OTP device. When the verifier receives the encrypted OTP, it decrypts it and verifies its validity (counter or timestamp). The assumption is that the encryption key is known only to the OTP generator and the verifier, so someone sending a valid OTP is also in possession of the device. This improved the security posture, but a man-in-the-middle (MITM) attack [MITRE ATT&CK – T1111 Multi-Factor Authentication Interception] is still a risk. Cloning of the OTP generator or grid card is also a challenge, and the verifier’s store of secret keys is still a target for the adversary.
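The counter-based and clock-based generators described above, as an added example that is not part of the original post. It follows the standard HOTP (RFC 4226) and TOTP (RFC 6238) constructions, which derive the code with an HMAC over the counter rather than encrypting it, so the verifier recomputes and compares instead of decrypting. The `Verifier` class and its look-ahead window of 3 are assumptions of the example.

```python
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30) -> str:
    """RFC 6238: HOTP with the counter replaced by the current time step."""
    return hotp(key, unix_time // step)


class Verifier:
    """Holds the verifier's copy of the device key and the next expected counter."""

    def __init__(self, key: bytes, look_ahead: int = 3):
        self.key = key
        self.next_counter = 0
        self.look_ahead = look_ahead

    def check(self, submitted: str) -> bool:
        # A small look-ahead tolerates codes the device generated but the
        # verifier never saw (for example, an accidental button press).
        last = self.next_counter + self.look_ahead
        for counter in range(self.next_counter, last + 1):
            if hmac.compare_digest(hotp(self.key, counter), submitted):
                # Move past the accepted counter so that this code, and any
                # skipped ones, cannot be replayed.
                self.next_counter = counter + 1
                return True
        return False
```

The counter update gives replay protection only. A code relayed in real time by a man in the middle is still accepted, which is the residual risk the paragraph names.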
The next innovation in the journey of strong authenticators is the use of out-of-band devices. The idea is that the verifier delivers a secret (PIN/OTP) or a notification to the subscriber on an agreed secondary channel such as an email address or mobile phone. During authentication, the subscriber needs to provide the secret received on the secondary channel on the primary authentication channel, or acknowledge on the secondary channel; this proves that the subscriber is in possession of the out-of-band device. Now the adversary also needs to intercept or hack the secondary channel to succeed. The security of out-of-band devices lies in having a secure channel and a uniquely addressable endpoint. The out-of-band device mechanism is widely used today. It is very common in financial institution logins and digital payment transactions. But both email and SMS OTP delivery face the challenge of unique addressability. Insecure email can be accessed from anywhere. SMS messages were originally considered secure in addressability, but with innovations in interoperability between phones and applications it has become easy to route SMS messages to other endpoints like any other messages. The NIST 800-63B standard now RESTRICTS the use of the PSTN for out-of-band verification. The only safe way to use out-of-band devices is to use registered specialized devices that communicate over secure channels.
Even with the limitations mentioned, two-factor authentication (2FA) still raises the security posture of the authentication process. With 2FA, stealing or cracking the secret is not enough for adversaries; they also need to get hold of the second factor or find a way to forge it to mount an attack. Cryptography helped to develop the protocols that verify proof of possession. Several innovative solutions were developed around the challenge-response protocol: the verifier passes a challenge to the subscriber, and the subscriber responds to the challenge by encrypting it with its uniquely identifiable key. The verifier decrypts the response with the key associated with the subscriber’s identity. 2FA is now a baseline for any secure authentication. But sharing a symmetric key with the verifier is still a vulnerability, since the shared key can be stolen and misused. More secure solutions make use of asymmetric key cryptography: the verifier holds the public key of the key pair bound to the user identity, and the subscriber keeps the private key. Making devices resistant to cloning and tamper-proof has continued to be a challenge against sophisticated attackers. Phishing attacks through social engineering, like [August 2022 – Twilio Incident Report: Employee and Customer Account Compromise], are still a vulnerability.
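The symmetric challenge-response exchange described above, as an added example that is not part of the original post. It uses an HMAC over the challenge in place of encryption, which is the usual way to prove possession of a shared key; the class name, the 30-second lifetime and the binding of the identity into the response are assumptions of the example.

```python
import hashlib
import hmac
import secrets


def respond(key: bytes, identity: str, challenge: bytes) -> bytes:
    """Subscriber side: prove possession of the key for this one challenge."""
    return hmac.new(key, identity.encode() + challenge, hashlib.sha256).digest()


class ChallengeVerifier:
    def __init__(self, keys: dict[str, bytes], ttl: float = 30.0):
        self.keys = keys      # identity -> shared key (the verifier's copy)
        self.ttl = ttl        # seconds a challenge stays valid
        self.pending = {}     # identity -> (challenge, issued_at)

    def issue(self, identity: str, now: float) -> bytes:
        # A fresh random challenge makes every response unique to this attempt.
        challenge = secrets.token_bytes(32)
        self.pending[identity] = (challenge, now)
        return challenge

    def verify(self, identity: str, response: bytes, now: float) -> bool:
        # pop(): a challenge is consumed on first use, whether or not it passes,
        # so a captured response cannot be replayed.
        entry = self.pending.pop(identity, None)
        key = self.keys.get(identity)
        if entry is None or key is None:
            return False
        challenge, issued_at = entry
        if now - issued_at > self.ttl:
            return False
        expected = respond(key, identity, challenge)
        return hmac.compare_digest(expected, response)
```

`self.keys` is exactly the shared-key store the paragraph calls a vulnerability. In the asymmetric variant the response is a signature over the challenge, and the verifier stores only public keys.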
With multi-factor authentication the security bar is raised for authenticators, but “MFA everywhere” also becomes annoying and inconvenient for users when they are prompted for two factors all the time. The new generation in the journey toward perfect authenticators is multi-factor cryptographic devices, where the keys are protected in the device [for example, a smartcard] and a second factor [a secret PIN or biometric authentication] is required to activate it. Activation is tied to a specific endpoint and is time-bound. Once the device is activated, it can perform the authentication protocol message exchanges without prompting the user. Adaptive authentication is another evolving area, where additional signals such as the user’s network, location, and time are passed securely with the authentication request. Verifiers can choose an appropriate level of trust based on a risk assessment of those signals. The FIDO Alliance also developed phishing-resistant passwordless authentication [FIDO2 – Passwordless authentication vision] that is tied to the endpoint, meaning commonly used devices in mobile and desktop environments. Here credentials are securely saved on the device (in a secure enclave such as a TPM), and a one-touch activation using a PIN or biometric authentication is required for a fast login experience across websites and apps.
In the end, I would like to remind you of a message coined by Bruce Schneier: “Security is a process, not a product. Products provide some protection, but the only way to effectively do business in an insecure world is to put processes in place that recognize the inherent insecurity in the products. The trick is to reduce your risk of exposure regardless of the products or patches.”
NIST references on authenticators – NIST 800-63B, Authentication and Lifecycle Management, covers guidelines for the various levels of authenticators and authenticator requirements. NIST 800-53 – Security and Privacy Controls for Information Systems and Organizations is a catalog of security controls; IA-5, Authenticator Management, in this document describes the requirements for authenticators and their lifecycle.