Blog Feed

Ideal Authentication

Posted by on 13:15 in Industry News | 0 comments

Creativity is the art of compromise. One gifted artist may never receive recognition during his lifetime and die penniless (Vincent Van Gogh). Another may mass-produce a painting a day to order and bask in his glory (Boris Kustodiev). Time was the final judge of the talent and merit of these two artists and their works, but it passed judgement only after they died. The procedure of authenticity verification is a kind of art, too. For a manufacturer, ideal authentication is reliable data protection at the minimum possible expense. A user is also interested in the price, but expects the maximum possible convenience and transparency of use. A compromise needs to be reached here; there is no possibility of an ideal solution. In the end, friction makes a perpetual motion machine impossible, but it is still possible to increase an engine’s efficiency coefficient.

What is required to verify that a person entering a password is who he says he is? In the simplest situation, all that is needed is to stand next to this person and watch him enter the password. This would not work in most situations: it would mean that one half of the planet’s population would have to be watching the other half. But information can be gathered indirectly by observing where a person is located, what he buys, what browser he uses and at what time, whether he has a wife and kids, what sports team he supports; biometric data and behavioural details (for example, handwriting slant, typing speed, etc.) can also be taken into account. From all the information collected, it is possible to create an electronic image – a kind of ‘mirror image’ – of this user. This image can be placed in a ‘cloud’ where the data is accessible to the server performing authentication. There is another side to this coin: the user must agree to the collection of his information. Practical experience shows that there should be no serious problems with that.
Remember what a big deal was made of Facebook introducing new rules for using its members’ information and how indignant everyone was about this blatant intrusion into their personal lives, and yet the number of people who actually closed their Facebook accounts because of it was insignificant. Here we see the need for another compromise. A manufacturer needs the complete details for authentication purposes, but part of the necessary information can only be collected using expensive technologies. A user would also like to ensure the maximum protection of his information, but he is not always willing to provide all the information about himself. A manufacturer and a user would probably agree on some of the authenticity verification parameters. For people living on Planet Earth in the Solar System in the Milky Way galaxy, there are currently three compromise factors for authentication purposes: “What I Know”, “What I Own”, and “What I Am”. I know the password; I have a gadget for generating it (a token); and I have the necessary biometric data. At this point in space and time, the “ideal” authentication should take all three of these parameters into account simultaneously. But biometric sensors are still quite expensive (a concession to please a manufacturer) and...

How to Make Authentication Simple and Secure

Posted by on 13:01 in Industry News | 1 comment

The Rothschild brothers, who grew rich by profiting from the outcome of the Battle of Waterloo, used to say: “He who owns information owns the world”. The only thing to specify here is who the information belongs to: yourself or somebody else. Throughout its history, mankind has been involved in developing authentication techniques, from call signals imitating birds’ sounds and manual ciphering to logging into a system via GPS. During this entire period, the key focus has been the search for a simpler authentication method, one that does not compromise a system’s reliability. The problem is that sooner or later all new protection methods grow outdated and obsolete; besides, enterprising fraudsters are no fools – they may not want to own the world, but they do want to own at least some nude celebrity photos. And, as we know, what one man builds up another man can break down.

In modern times, the information battlefield is the Internet: it is the most convenient platform with the largest audience. Authentication methods are growing more complex and sophisticated, too: digest authentication (HTTPS protocol), OpenID, OpenAuth, etc. At this stage in society’s development, we have come to a paradoxical conclusion: to make authentication simple, we need to make it more complicated. That is, more complicated for a manufacturer; for a user, things remain as simple as ever. There are three factors that can be used to verify a user: what he knows (a password); what he owns (a card key); and what nature gave him at birth, his biometric data. The three parameters combined in one system: what could be simpler? But there is also the aspect of cost-effectiveness to be considered. In and of itself, a biometric detector is nothing new; for example, the iPhone has Touch ID. But used together with Apple’s software, the fingerprint scanner can produce an error, which once even led to the recall of the iOS 8.0.1 update.
On the user’s level, too, there are occasional problems with the use of a scanner. Besides, biometric technologies are relatively expensive. In terms of reliability they also leave much to be desired: a small cut can alter a fingerprint. Moreover, once a criminal has a person’s biometric data in his possession, he can use it for illegal purposes indefinitely, until the end of either the criminal’s or the poor discredited person’s natural life. But the first two factors mentioned above are worth combining, both in terms of cost-effectiveness and protection level. In two-factor authentication, two passwords are used: a reusable static password and a one-time password. In our case, here is what happens when the “One Time Password” technology is used. A user wants to be authenticated by the system: he first enters his regular static password and then the OTP (One Time Password) shown on the screen of a special gadget called a token. The system transmits the data to the authentication server, which uses the same algorithm to generate a password and compares it to the password entered by the user; if the two passwords are identical, the system welcomes the user. The gadget costs less than ten dollars, and the service is under a dollar per month. The conclusion...
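The token-plus-server exchange described above, as an added example that is not part of the original post: the post does not name the shared algorithm, so counter-based HOTP (RFC 4226) is assumed, with the static password as the first factor and a small look-ahead window so a few token presses that never reached the server do not lock the user out. All names, the seed and the sample password are constructed for this demo.

```python
import hashlib
import hmac
import os
import struct

# Constructed demo seed shared by the token and the server. In a real deployment it
# is provisioned once and never leaves the token and the server's key store.
SHARED_SECRET = b"constructed-demo-seed-not-a-real-key"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Counter-based OTP as in RFC 4226: HMAC-SHA1 plus dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpServer:
    """Authentication server: static-password hash plus the token's next counter."""

    def __init__(self, secret: bytes, pw_hash: bytes, salt: bytes, look_ahead: int = 5):
        self.secret, self.pw_hash, self.salt = secret, pw_hash, salt
        self.counter = 0            # next counter value expected from the token
        self.look_ahead = look_ahead

    def _static_ok(self, pw: str) -> bool:
        cand = hashlib.pbkdf2_hmac("sha256", pw.encode(), self.salt, 100_000)
        return hmac.compare_digest(cand, self.pw_hash)

    def login(self, pw: str, otp: str) -> bool:
        """Both factors are always evaluated, so the response does not reveal which failed."""
        static_ok = self._static_ok(pw)
        otp_ok = False
        # Regenerate a few candidate codes ahead of the expected counter, so token
        # presses that never reached the server (counter drift) do not lock the user out.
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), otp):
                self.counter = c + 1  # the matched code, and any skipped ones, are burned
                otp_ok = True
                break
        return static_ok and otp_ok


def new_server(static_pw: str, secret: bytes = SHARED_SECRET) -> OtpServer:
    """Enrol a user: hash the static password with a fresh salt and start at counter 0."""
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", static_pw.encode(), salt, 100_000)
    return OtpServer(secret, pw_hash, salt)
```

A replayed code is rejected because the server only looks forward from the last accepted counter, which is the property that makes the second factor "one-time".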
