The Imminent Death of Password Authentication

Dear readers,

Welcome to the third edition of our info-security monthly digest. We have some exciting news to share this month! Our CTO, Lawrence Hughes, has been invited to speak on the IPv6 Forum stage at CommunicAsia 2016 on three hot topics in the Internet of Things. In addition, as one of the Top 100 Startups at the Echelon Asia Summit 2016, we will be exhibiting at the summit from 15-16 June at booth T22, Hall 3A, Singapore Expo. Next month, in partnership with Thales eSecurity, we will be participating in the RSA Conference 2016 at Marina Bay Sands, Singapore from 20-22 July. Come visit us if you are around!

In this month’s digest, we are privileged to have our Head of R&D, Hon Luen, Kwan, share his view on password authentication. Hon Luen is a data security and software professional with over 18 years of experience. His career spans three startups, a government defence ministry and an MNC. He holds bachelor’s and master’s degrees from the National University of Singapore and is also a CISSP and CSCIP.

It is no secret that password authentication is dying, and dying fast. In case you are wondering: if you use a username and password to access web sites, company resources or mobile devices, that is password authentication, still one of the most widely used authentication methods in the world. This form of authentication comes with its share of grief, especially when criminals can grab an entire database of usernames and passwords, as in the recent LinkedIn data breach in which 167 million user credentials were exposed.

Without further ado, let’s dive into Hon Luen’s perspective on password authentication, which is also available as a PDF download. We hope you enjoy this article as much as we enjoyed putting it together.

Blast away!

Hon Luen, Kwan
– The Imminent Death of Password Authentication

Passwords have been familiar to most people for a long time. Secret societies used them to identify members at their regular meetings and to turn away non-members who tried to get in without authorisation. Soldiers used a different password each night to tell friendly forces from enemies in disguise. On the Internet, users present a password together with an ID to authenticate as a specific person when logging into an account on a bank or government web portal. Passwords have been in use since the beginnings of the Internet (actually ARPANET) in 1969, and in timesharing systems even before that. Users were comfortable with passwords, and the authorities operating the web portals were happy to maintain large databases of IDs and passwords for the purpose. It was not until security breaches involving large numbers of hacked user accounts came to light that the world began to worry about the level of security that IDs and passwords actually offer.

A large database of IDs and passwords is a prize waiting to be taken by anyone with the right skills. Breaking a password is not complicated. An attacker only needs access to a vulnerable, possibly unpatched, web server to copy the credential table; from there, running a dictionary of frequently used passwords against the stored password hashes has a high probability of finding the ‘right’ password for the user in question. The tendency of users to choose short, easy-to-type passwords makes that probability higher still. That is the external attacker’s view; insiders have it easier. An unsuspecting employee could have an unlocked computer infected with a key logger that records every character, including passwords, typed on the keyboard. With even less effort, one could simply ‘shoulder surf’ and watch the employee type the password in. None of this requires more than a high-school student’s ingenuity. The Internet is overdue for a replacement for password authentication.
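To show why a leaked credential table is so valuable, here is an added example in Go that is not part of the article: an offline dictionary attack on a constructed dump of three users. The usernames, passwords and dictionary are made up; storing unsalted SHA-1 is an assumption chosen to mirror common practice of the time, and the salted variant is included for contrast.

```go
package main

import (
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/hex"
)

// One row of a dumped credential table, as the attacker sees it.
type leakedRow struct {
	User string
	Hash string
	Salt []byte // nil when the site stored unsalted hashes
}

// Constructed sample users: two picked passwords found on every
// "most common passwords" list, the third did not.
var sampleUsers = map[string]string{
	"alice": "123456",
	"bob":   "linkedin",
	"carol": "Tr0ub4dor&3",
}

// Constructed attacker dictionary of short, frequently used passwords.
var dictionary = []string{
	"123456", "password", "12345678", "qwerty", "linkedin",
	"111111", "abc123", "letmein", "sunshine", "iloveyou",
}

func sha1Hex(data []byte) string {
	sum := sha1.Sum(data)
	return hex.EncodeToString(sum[:])
}

// saltedHex is sha256(salt || password). Salting defeats the shared lookup
// below but does not slow the hash down; a real deployment should also use
// a deliberately slow password hash (bcrypt, scrypt or Argon2), omitted here.
func saltedHex(salt []byte, pw string) string {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(pw))
	return hex.EncodeToString(h.Sum(nil))
}

// buildLeak models what the breached site stored: unsalted SHA-1, or
// salted SHA-256 with a random 16-byte salt per user.
func buildLeak(salted bool) []leakedRow {
	var rows []leakedRow
	for user, pw := range sampleUsers {
		if !salted {
			rows = append(rows, leakedRow{User: user, Hash: sha1Hex([]byte(pw))})
			continue
		}
		salt := make([]byte, 16)
		if _, err := rand.Read(salt); err != nil {
			panic(err)
		}
		rows = append(rows, leakedRow{User: user, Hash: saltedHex(salt, pw), Salt: salt})
	}
	return rows
}

// crackUnsalted hashes each dictionary word once and looks the digest up
// against every leaked row at once: the work grows with the dictionary
// only, however many users leaked.
func crackUnsalted(rows []leakedRow, dict []string) (cracked map[string]string, hashOps int) {
	byHash := make(map[string][]string, len(rows))
	for _, r := range rows {
		byHash[r.Hash] = append(byHash[r.Hash], r.User)
	}
	cracked = make(map[string]string)
	for _, word := range dict {
		hashOps++
		for _, user := range byHash[sha1Hex([]byte(word))] {
			cracked[user] = word
		}
	}
	return cracked, hashOps
}

// crackSalted must hash every word again for every user, because each
// salt changes the digest: the work is dictionary x users.
func crackSalted(rows []leakedRow, dict []string) (cracked map[string]string, hashOps int) {
	cracked = make(map[string]string)
	for _, r := range rows {
		for _, word := range dict {
			hashOps++
			if saltedHex(r.Salt, word) == r.Hash {
				cracked[r.User] = word
			}
		}
	}
	return cracked, hashOps
}
```

Calling `crackUnsalted(buildLeak(false), dictionary)` recovers alice’s and bob’s passwords after 10 hash operations, one per dictionary word, regardless of how many users were in the dump; `crackSalted(buildLeak(true), dictionary)` recovers the same two but needs 30 operations (10 words times 3 users) and cannot reuse a precomputed table. Neither variant saves the user who chose 123456, which is the author’s point: the weak link is the password itself.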

With strong cryptographic authentication, the authentication landscape on the Internet can change for the better. Cryptographic authentication uses an asymmetric (“public key”) algorithm and a public/private key pair: some random text is encrypted with the public key so that only the holder of the corresponding private key can recover it. The challenger creates a challenge (a random string encrypted with the public key taken from the client’s digital certificate), and the challenged node decrypts that challenge with its private key and returns the result. This establishes that the client possesses the correct private key without ever revealing it, and so authenticates the client strongly. The cryptography ensures that only the right private key can decrypt the challenge; without it, recovering the random text would take potentially millions of years even on powerful computers. Does the world rejoice at having found such a good replacement for password authentication? No, it doesn’t.
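The challenge-response exchange described above, as an added example in Go (not from the article or from Sixscape’s products), using RSA-OAEP from Go’s standard library. The label string, 2048-bit key size and 32-byte nonce are our assumptions; in a real deployment the public key would be taken from the client’s certificate rather than generated next to the private key as it is here.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// label ties the ciphertext to this use so a challenge cannot be passed off
// as some other message encrypted to the same key (assumed label value).
var label = []byte("auth-challenge-v1")

// newChallenge is the server's step: draw a fresh 32-byte nonce, encrypt it
// to the client's public key (taken from the client's certificate in a real
// deployment) with RSA-OAEP, and keep the plaintext nonce for comparison.
func newChallenge(pub *rsa.PublicKey) (nonce, challenge []byte, err error) {
	nonce = make([]byte, 32)
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	challenge, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, nonce, label)
	if err != nil {
		return nil, nil, err
	}
	return nonce, challenge, nil
}

// respond is the client's step: recover the nonce with the private key.
// Without the matching key OAEP decryption fails and yields nothing usable.
func respond(priv *rsa.PrivateKey, challenge []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, challenge, label)
}

// verify is the server's final check, done in constant time.
func verify(expected, response []byte) bool {
	return subtle.ConstantTimeCompare(expected, response) == 1
}

// authenticate runs the full exchange and reports whether the holder of
// priv proved ownership of pub. A decryption failure is simply "denied".
func authenticate(pub *rsa.PublicKey, priv *rsa.PrivateKey) (bool, error) {
	nonce, challenge, err := newChallenge(pub)
	if err != nil {
		return false, err
	}
	response, err := respond(priv, challenge)
	if err != nil {
		return false, nil
	}
	return verify(nonce, response), nil
}

func main() {
	alice, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	mallory, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	ok, _ := authenticate(&alice.PublicKey, alice)    // genuine key holder
	bad, _ := authenticate(&alice.PublicKey, mallory) // wrong private key
	fmt.Println("alice authenticated:", ok, "- mallory as alice:", bad)
}
```

One caveat a deployment must handle: a client that decrypts whatever ciphertext it is handed acts as a decryption oracle for its own key, so the challenge should be bound to the session and the authentication key used for nothing else. Widely deployed protocols such as TLS client authentication prove possession by signing a server-supplied nonce instead, which avoids that exposure; either way the private key never leaves the client.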

It is straightforward for users to pick simple, easy-to-remember passwords and for the web portal’s operators to keep a centralised store of IDs and passwords. Cryptographic authentication, by contrast, requires each user to hold a digital certificate and the operators to maintain a Public Key Infrastructure (PKI). Many consider creating and operating a PKI a costly investment because of the complexity involved: the IT professionals running it need a high level of competency to handle the issues that arise in daily operation, especially those raised by end users. As a result, PKI and digital certificates are not widely used, except by organisations with high security concerns and sufficient implementation budgets, i.e. the military, governments or large banks, for secret communications or sensitive transactions. Some have resorted to a workaround for password authentication, most commonly OTP (One-Time Password). An OTP token relies on a secret seed shared between the token and the authentication server; in open standards such as HOTP and TOTP the algorithm itself is public, and only the seed is secret. This is fairly secure, although there have been incidents in which OTP seeds were compromised. Authentication servers exist that combine the user’s password with an OTP, which lets an organisation keep its legacy password database while adding a second authentication factor. Still, these are stopgaps against a growing number of hackers who are becoming more competent and whose computers keep gaining processing power. Without a way to simplify PKI deployment, the world is a sitting duck. With the advent of Sixscape’s IDCentral solution for PKI, the world finally has hope.
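To make concrete what “shared secret” means for OTP, the following is an added example (neither Sixscape’s code nor the author’s) of the HOTP algorithm standardised in RFC 4226, together with a minimal verifying server. The seed is the RFC’s published test-vector seed; the 6-digit code length and look-ahead window of 3 are assumptions. The algorithm is entirely public: whoever holds a copy of the seed, whether the legitimate token or someone with a stolen server table, produces exactly the same codes.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// hotp implements RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
// dynamic truncation to 31 bits, then the low `digits` decimal digits.
func hotp(seed []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, seed)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// otpServer is the verifying side: it stores the same seed as the token
// plus the next counter it expects. A stolen copy of this table lets an
// attacker compute every future code, which is the kind of incident the
// article alludes to.
type otpServer struct {
	seed    []byte
	counter uint64 // next counter value the server will accept
	window  uint64 // look-ahead for tokens whose counter has run ahead
}

// verify accepts a code matching any counter in [counter, counter+window],
// then moves past it so the same code cannot be replayed.
func (s *otpServer) verify(code string) bool {
	for i := uint64(0); i <= s.window; i++ {
		if hmac.Equal([]byte(hotp(s.seed, s.counter+i, 6)), []byte(code)) {
			s.counter += i + 1
			return true
		}
	}
	return false
}

func main() {
	seed := []byte("12345678901234567890") // RFC 4226 test-vector seed
	srv := &otpServer{seed: seed, window: 3}
	token := hotp(seed, 0, 6)
	fmt.Println("token shows", token, "accepted:", srv.verify(token))
	fmt.Println("replaying the same code accepted:", srv.verify(token))
	// Anyone holding a copy of the seed produces identical codes.
	fmt.Println("attacker with stolen seed accepted:", srv.verify(hotp(seed, srv.counter, 6)))
}
```

With the RFC seed, counter 0 yields 755224 and counter 1 yields 287082, matching the published vectors. TOTP (RFC 6238) is the same construction with the counter replaced by the current 30-second time step, which is why a compromised seed defeats time-based tokens just as completely.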

Sixscape’s IDCentral platform implements a PKI that is accessible over a protocol, the Identity Registration Protocol (IRP). IRP simplifies and automates the interactions between the user and the Certification Authority (CA); more technically, it covers the entire digital certificate lifecycle. IRP can also be used in place of a Certificate Revocation List (CRL) or the Online Certificate Status Protocol (OCSP) for checking a certificate’s status. In view of this novel use, the Internet Assigned Numbers Authority (IANA) decided in 2014 to assign Internet port number 4604 to Sixscape’s IRP. You can find out more information on Sixscape’s IDCentral solution at