Cyber Security

Luke Hally

Authentication protocols and attacks

September 21, 2021

We authenticate to solve real world problems. For example, I want to be able to access my bank account and I don’t want anyone else to. Identity is tied up with authentication: the authentication is linked to a digital identity, and this is then linked to a person. But what stops another person from using the digital identity and being authenticated? Secrets. We need to keep secrets.

How we authenticate

Let’s have a quick look at some authentication protocols.

Passwords

It’s easy to overlook in the world of 2FA, MFA, authenticators and toggles, but a strong, secret password is still your best form of security. Don’t share your password or username with anyone, and change it on a regular basis.

S/Key

This is a way of generating a list of one-time keys (or passwords). It is simply h(h(h(h(h(password))))): the password (the initial secret) is hashed, and the result is hashed again, as many times as the number of keys required. The keys are then used in reverse order, counting down, so you get a fixed number of keys.
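A minimal S/Key-style chain as an added example (not code from the original post): the client builds the chain, the server is enrolled with only the top of it, and each accepted one-time password moves the stored value one step down so it cannot be replayed. SHA-256 is assumed as the hash (the original S/Key used MD4/MD5) and the secret is a constructed sample.

```python
import hashlib
import hmac

def h(data: bytes) -> bytes:
    # One link of the chain. Original S/Key used MD4/MD5; SHA-256 is assumed here.
    return hashlib.sha256(data).digest()

def build_chain(secret: bytes, n: int) -> list:
    # chain[i] = h^i(secret) for i = 0..n. The client keeps (or recomputes) this;
    # the server is enrolled with chain[n] only and never sees the secret.
    chain = [secret]
    for _ in range(n):
        chain.append(h(chain[-1]))
    return chain

class SKeyServer:
    def __init__(self, chain_top: bytes, n: int):
        self.stored = chain_top   # currently h^n(secret)
        self.remaining = n - 1    # usable OTPs: h^(n-1) down to h^1 (h^0 is the secret itself)

    def verify(self, otp: bytes) -> bool:
        if self.remaining <= 0:
            return False          # chain exhausted: re-enrol with a fresh secret
        if not hmac.compare_digest(h(otp), self.stored):
            return False          # wrong value, a replayed OTP, or one sent out of order
        # Accept, then step the stored value down the chain so this OTP cannot be replayed.
        self.stored = otp
        self.remaining -= 1
        return True

def demo(n: int = 5) -> list:
    # Constructed sample secret; returns the accept/reject outcome of each attempt.
    chain = build_chain(b"correct horse battery staple", n)
    server = SKeyServer(chain[n], n)
    attempts = [chain[n - 1],                              # first OTP: accepted
                chain[n - 1],                              # replay of the same OTP: rejected
                chain[n - 2], chain[n - 3], chain[n - 4],  # next three in order: accepted
                chain[0]]                                  # chain exhausted: rejected
    return [server.verify(a) for a in attempts]

if __name__ == "__main__":
    print(demo())   # [True, False, True, True, True, False]
```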

Challenge response

These require a response from the user within a time period, to verify that they are there now, not that they were there at some point in time. There are two types:

  • Time-based One Time Password (TOTP) – a time-based count that is HMAC’d
  • HMAC-based One Time Password (HOTP) – a counter (counting up, so it can keep going for ever) that is HMAC’d

RSA

RSA can be used for authentication and for signatures. You can encrypt a message with your private key; people can then decrypt it with your public key, and this authenticates you because only you can encrypt with your private key. In reality the message has a nonce folded in (XOR’d, concatenated or whatever), so that an old response can’t be replayed.

For signatures, the document is hashed, then the hash is encrypted with the private key. The public key can then be used to decrypt the hash, which is compared with a fresh hash of the document.
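The sign/verify and nonce challenge-response flows described above, carried through in textbook RSA as an added example (not code from the original post). The key is a constructed toy one (p = 61, q = 53, so n = 3233) and the hash is reduced mod n only so it fits that modulus; a real implementation uses 2048-bit keys and pads the hash (PKCS#1 v1.5 or PSS) instead of signing it raw.

```python
import hashlib
import os

# Toy key (constructed): p = 61, q = 53 give n = 3233. Real keys use 2048-bit primes.
P, Q, E = 61, 53, 17
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent: e*d = 1 (mod phi(n))

def hash_mod_n(data: bytes) -> int:
    # Hash the document first. Reducing mod n is only needed because this toy
    # modulus is far smaller than a SHA-256 digest; with a real key the hash is
    # padded (PKCS#1 v1.5 or PSS) rather than reduced.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign(data: bytes, d: int = D) -> int:
    # "Encrypt the hash with the private key", in the post's terms.
    return pow(hash_mod_n(data), d, N)

def verify(data: bytes, signature: int, e: int = E) -> bool:
    # Anyone with the public key "decrypts" the signature and compares the
    # result with a fresh hash of the document.
    return pow(signature, e, N) == hash_mod_n(data)

def new_challenge() -> bytes:
    # Verifier side: a fresh random nonce for every authentication attempt.
    return os.urandom(16)

def respond(identity: bytes, nonce: bytes) -> int:
    # Prover side: the nonce is folded in (concatenated here) so that a
    # captured response is useless against any later challenge.
    return sign(identity + b"|" + nonce)

def check_response(identity: bytes, nonce: bytes, response: int) -> bool:
    return verify(identity + b"|" + nonce, response)

if __name__ == "__main__":
    nonce = new_challenge()
    print(check_response(b"alice", nonce, respond(b"alice", nonce)))   # True
```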

OAuth

This is authorisation, not authentication. Once someone has authenticated (say by signing into Facebook), a token is issued which authorises the token holder to do something, say log in to a platform. OAuth is prone to implementation errors; I’ll take a deeper look at it in another blog post, so be sceptical of OAuth and look at the convenience vs security balance.

ATTACKS

Multi-factor and two-factor authentication (MFA, 2FA) seem great, and they can increase security, but they aren’t a silver bullet. How can MFA be attacked? There are a number of ways, and they don’t all have to be head on.

Downgrade attacks

Force a system to revert to a weaker form of authentication, for example password recovery. If someone has your device and access to your email, then for many systems it’s simply a matter of clicking the ‘forgot password’ link and entering your email address.

Authentication attacks

Each system and factor has its own vulnerabilities.

  • SMS codes can be received on the same stolen device as the login attempt (phone or computer).
  • Swipe patterns on a touch screen can be visible at the right angle in the light, enough to unlock a device.
  • Keypads used only for access will show signs of which keys are used (worn out, dirty, oily).
  • Fingerprints can be faked (https://youtu.be/ZeUYRgyTOEM).
  • RSA SecurID was compromised when attackers launched a successful phishing attack against RSA staff and gained access to their server and to information about how the token worked.
  • 2FA phishing attack: check out this video from Kevin Mitnick: https://youtu.be/xaOX8DS-Cto

Silver Bullet Syndrome

It can be easy to be lulled into a false sense of security with 2FA/MFA: I’ve got 2FA switched on, so I’m secure. But imagine your phone was stolen or lost. You don’t have a PIN, face recognition or fingerprint lock because it’s a pain and your phone is always with you, right? Anyway, you’ve got two-factor authentication set up on your various accounts, so you’re secure, right? Wrong.

Let’s pick on my.gov.au. It’s an important government hub: it contains a lot of information about you and lets you update details and communicate with the government. It’s not an account that you’d want hacked.

Think about the last time you logged into my.gov.au. Your phone enters your username or email and password for you, and then you have to enter a code that is sent via SMS. To the same phone! What if your phone doesn’t have autocomplete on? No problem: an attacker can reset your password via email, and the only challenge is overcoming a ‘security question’, easily overcome with a little social engineering.

So 2FA is great, but don’t be lulled into a false sense of security. If your phone is not locked, 2FA will do sweet FA to keep you secure.

Reflection

We use authentication to prove that we are who we say we are and are authorised to have access to a system. There are a number of ways to do this, and the method will depend on the application: you wouldn’t apply the same level of authentication to your Instagram account as to your bank account. Authentication is open to a range of attacks, so keep your passwords strong and keep your secrets secret.

As with everything in security, we need to balance security with convenience.
