For over 30 years, we have used single passwords to verify identity, and we have known that they are vulnerable to a variety of attacks:
- Guess passwords via social engineering or dictionary attacks
Lose your keys or credit cards, and you are made aware of the possible danger, which prompts you to take appropriate mitigating actions. Passwords, however, suffer from the fact that hackers can obtain them without the owner being aware.
The web is full of brute force attack tools and willing hackers taking advantage of them, initiating successful attacks against sites protected only with passwords.
Password managers have had some success by generating unique, complex passwords for users, reducing some of the vulnerabilities of user-managed passwords. However, strong passwords are still vulnerable to phishing and social engineering attacks. Password managers often bind passwords to a site, which gives a user under a phishing attack an indication that this may not be the right site for their credentials.
Identity professionals cannot control how users manage their passwords, although plenty have tried with complex password rules and password expirations, with little success. What they can control are the mechanisms that are used to prove identity.
A recent Google report shows that sites can massively reduce the success rate of hackers by utilising additional factors (Report).
Additional factors become effective when the authentication process now includes the following:
- Something you know, e.g. a password or PIN
- Something you have, e.g. your mobile phone, your desktop computer, an RSA token generator
- Something you are, e.g. a fingerprint or facial recognition
Two-factor authentication (2FA) is by no means a recent invention; RSA was granted a patent in 1984 detailing the use of one-time tokens, so what has prevented the adoption of 2FA? Two issues: cost for the enterprise, and inconvenience for the user.
SMS and time-based one-time authenticators (RFC 4226) as a second factor can exhibit some or all of the properties above. The use of a mobile phone has reduced the cost, but it has had limited impact on user inconvenience and still does not entirely mitigate the possibility of phishing attacks. SMS has been compromised on many occasions, either via social engineering ("we have sent you an OTP to your phone, can you reply with it so we can validate it is you") or SIM jacking. SMS was never designed by the telecoms to be a transport for authentication.

The evilginx hacker kit allows a hacker to quickly set up a proxy site for the target site. The fake site (a man in the middle) typically has the same name as the original but with a minor spelling mistake, and is used in a phishing attack. The fake site looks identical to the real one because it simply forwards all traffic from the user to the real one. Once the user has taken the bait and clicked on the link, the attacker is able to observe the authentication flow and steal the session. The human element in these factors means that phishing will always be a problem.
FIDO2, a new technology gaining significant adoption, aims to solve the human element of authentication. It provides a frictionless, unphishable authentication factor. FIDO works by utilising public/private key cryptography with either custom hardware authenticators or an authenticator integrated into the user's OS (the cheaper option). When a user registers their account, the web server and the FIDO device negotiate, via WebAuthn, to create keys that are unique to their association. When the user authenticates with the website, these keys are used to verify their identity. Therefore, an external attacker can in no way trick the user into sharing information that would allow a remote attack, or place themselves in the middle.
Key properties of FIDO
- Unique keys bound to a website origin
- Challenge/signed response between site and FIDO
- Supports something you have
- Can support something you know (PIN)
- Can support something you are
FIDO provides a means for frictionless, highly secure access to your web sites.
We are starting the Beta program for our FIDO component. Your ASP.NET Core web site or single sign-on solution is just a few steps away from supporting frictionless, secure authentication.