Holy Grail of Online User Authentication

Girish Chiruvolu
2 min read · Jan 5, 2021

Recent SolarWinds-related cyber security breaches have once again put the focus on user multi-factor authentication (MFA). Our online authentication journey started with passwords, and over the decades (even today) articles are still passionately written about passwords: why they are ugly and why we need to move in a different direction.

Ironically, the MFA definition itself starts with the first factor, which is traditionally categorized as knowledge-based; it need not be a static, painful-to-remember string of keyboard characters. This topic is so well understood that the average Joe’s litmus-test question, “Can my Grandma do it?”, needs to be answered before any other choice is considered. As such, anything that relies on human memory and recall is at best a poor attempt to force a system to do something it was not designed for in the first place.

Subsequently, small computing gadgets that spit out a random number or character string were introduced to beef up the weak first factor. This trend caught on, and various smartphone-based flavors came into existence and became more popular: a) SMS, b) a computing app that generates the code, and c) an out-of-band app that communicates with the authentication server. These smartphones have become synonymous with a user’s online identity in today’s cyber world.

Technological advances have made it possible for the hacking world to intercept and spoof those sacred one-time passcodes. This puts more than 85% of the large user base in several market verticals at risk. The recent SolarWinds episode in the cyber world is a testimonial to that, and many more such incidents are expected in the future.

Currently, the only alternative touted to be a fool-proof online authentication technology is FIDO, which stands for Fast Identity Online.

Even though public- and private-key based cryptography is often mentioned as the core of this technology, fundamentally FIDO is all about machine-based URL matching, which removes the potential for human error in reading and interpreting a legitimate website before initiating the authentication. Without this automatic URL check, the asymmetric cryptography alone cannot address interception and spoofing, which is known as a man-in-the-middle attack.

Further, FIDO still carries the risk of the user’s public key being replaced with the attacker’s public key at the relying party’s authentication server. This by no means addresses the centralized-secret storage (database) risk, which was FIDO’s first objective to begin with.

This leads us to the question: what next? Should there be a fundamental change in the underlying technology for online user authentication?

Perhaps. It would be nice to have credentials that cannot be spoofed, thereby making it useless for attackers to steal them. In such a world of anti-spoof credentials, the only attack vector left to an attacker is the “malware payload”, which can be contained by regular patching and OS hardening. A system that resists installation of such malware and substantially decreases the attack surface would be another topic to discuss.
