Authentication: The Holy Grail of Information Security

Monday, May 02, 2011

Brent Huston


Have you ever heard of the list of most needed inventions?

These are the sorts of inventions that, if realized, would overcome the technological hurdles that keep mankind from reaching its most cherished dreams. Room-temperature superconductors, advanced nanotechnology and practical fusion power are just a few.

There are a number of inventions like this that are needed to make information security a reliable, efficient and low cost process. And chief among them is the Holy Grail of information security: an un-spoofable identity authentication mechanism.

Just think of it! A way for people and machines to know with a certainty that it is you and only you that they are communicating with. No more worries that someone will steal your identity and empty your bank accounts.

No problems with cyber criminals impersonating IT personnel and stealing information or crashing systems. Think of the money and time you could save on complex intrusion detection and prevention systems and complicated processes. It is fun to contemplate.

But, unfortunately, it is all just wishful thinking. Despite years of concentrated thought and effort, nobody has a clue how to make it work!

There are just three ways known to authenticate identity:

  • Using something you know
  • Using something you have or
  • Using something you are

When talking about authenticating yourself to a computer system, something you know is typically a user name, a password or an encryption key. I think all of us know that despite all efforts to keep these mechanisms secret and secure, it doesn’t prevent intruders from getting them.

The problem is that people have to know them, they need to store them and they need to use them, and that makes them vulnerable. So something you know isn’t the answer.

Let’s go to the second mechanism: something you have. In the computer world this is usually a smart card, token or the like. Combined with a user name and password, this mechanism provides another layer of security that can be very effective. But it is far from perfect. Smart cards and tokens can be stolen or misplaced.

Perhaps a certificate authority or token provider’s servers are compromised. Some mechanisms can be reverse engineered. So, the upshot is, you can add something you have, to something you know and get better, albeit far from perfect, identity authentication. But the cost you pay in dollars and personnel hours has just gone way up.

So let’s go to the final possible authentication mechanism: something you are. For computer systems this presently means fingerprints or retinal scans, although other possible mechanisms include facial recognition, voice recognition, heuristics (behavior matching) and DNA matching.

This mechanism, once again, adds security to the identity authentication process, but it still is not perfect. For one thing, this kind of authentication works best in person. If a fingerprint, for example, is transmitted, what actually travels is a series of electromagnetic signals, and those signals can be spoofed. But even in person, this type of mechanism can possibly be spoofed.

So adding something you are to something you have and something you know once again makes it much more difficult to spoof identity, but still doesn’t render it impossible. And imagine the added burden in money and inconvenience using all three mechanisms would mean to your organization! Seems like way too much just to protect some financial data or health information, huh?
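As an added example (not code from the original article), the snippet below shows how the first two factors are usually combined in practice: a salted PBKDF2 verifier stands in for "something you know" and an RFC 6238 time-based one-time code for "something you have". The passphrase, user record and timestamps are constructed demo values, and the TOTP key is the RFC 6238 reference test key rather than a real credential. It also demonstrates the two failure modes the article hints at: a stolen password without the token, and a captured one-time code replayed later, both fail.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

# Constructed demo values. The TOTP key is the RFC 6238 reference test key,
# used here only so the output can be checked against the published vectors.
DEMO_TOTP_SECRET = b"12345678901234567890"
PBKDF2_ITERATIONS = 600_000  # order of magnitude recommended for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Derive a salted verifier so the server never stores the password itself ("something you know")."""
    salt = salt if salt is not None else os.urandom(16)
    verifier = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, verifier


def verify_password(password: str, salt: bytes, verifier: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    # Constant-time comparison: an early-exit compare would leak the verifier through timing.
    return hmac.compare_digest(candidate, verifier)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, the scheme most authenticator tokens implement ("something you have")."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # RFC 4226 dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1, step: int = 30) -> bool:
    """Accept the code for the current step plus `window` steps either side to tolerate clock drift."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + drift * step, step), code)
        for drift in range(-window, window + 1)
    )


def authenticate(record: dict, password: str, code: str, unix_time: int) -> bool:
    """Both factors must pass. Both are evaluated so the response does not reveal which one failed."""
    know_ok = verify_password(password, record["salt"], record["verifier"])
    have_ok = verify_totp(record["totp_secret"], code, unix_time)
    return know_ok and have_ok


def make_demo_record(password: str = "correct horse battery staple") -> dict:
    """Constructed user record as a server would store it: salt, verifier, enrolled token secret."""
    salt, verifier = hash_password(password)
    return {"salt": salt, "verifier": verifier, "totp_secret": DEMO_TOTP_SECRET}


if __name__ == "__main__":
    user = make_demo_record()
    now = 59  # RFC 6238 reference time; production code uses int(time.time())
    good_code = totp(DEMO_TOTP_SECRET, now)
    print("legitimate user:", authenticate(user, "correct horse battery staple", good_code, now))
    print("stolen password, no token:", authenticate(user, "correct horse battery staple", "000000", now))
    print("stolen password, code replayed an hour later:",
          authenticate(user, "correct horse battery staple", good_code, now + 3600))
```

The window of one step either side is the usual compromise between clock drift and replay exposure; a server that wants to close the replay window completely also records the last accepted counter per user and refuses anything at or below it.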

So, please, let’s all of us spend some thought trying to find the perfect identity authentication mechanism. It may be like trying to come up with perpetual motion, but if you do manage it, I guarantee you the rewards will keep you and yours in clover for the rest of your lives!

Cross-posted from State of Security

Franc Schiphorst:
:) keep on dreaming?

One added factor. This also should work with the numerous endpoints I have to authenticate to, like Google, Microsoft, the tax office, my car door, the hospital, the zoo, my healthcare provider, the car assistance club, the bonus program at ..... etc etc (as you may have guessed I just had a look at all the cards I have in my wallet ;).
And it should be "neutral" so no google/passport/digid/etc.
And of course free! (keep on dreaming ;)

One potential fix could be multi-path authentication where you use PC and phone in combination to authenticate. But even that is "broken", as (smart)phones have had malware injected and hackers have infected both machine and phone to get access to bank software.

And as a bonus question: once we find this perpetumtentication device, how do we make sure all people who are now unauthenticated get one device each?

Ken Major:
Quick edit:
4 potential factors:
  • Something you know
  • Something you have
  • Something you are (bio)
  • SomePLACE you are (physical location)

Ken Major:
The military often utilizes SomePLACE as an additional factor. Consider a field ops commander accessing secured data via satellite link. The commander is reassigned and loses access to data based upon location change. Access Rule: This person (ID & Pword/PIN) from within these coordinates and using this token code can have access to the mission or ops data.
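The access rule in the comment above, written out as an added example (not the commenter's code): identity, PIN and token checks are taken as already-evaluated inputs, and the new piece is the "somePLACE" factor, a geofence assigned per user and evaluated with the haversine distance. Reassignment is modelled by replacing the user's fence, so the old location stops granting access. All user ids, coordinates and radii are constructed.

```python
import math
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class Geofence:
    """Centre and radius of the area a user is currently assigned to."""
    lat: float
    lon: float
    radius_km: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points on a spherical Earth."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def inside(fence: Geofence, lat: float, lon: float) -> bool:
    return haversine_km(fence.lat, fence.lon, lat, lon) <= fence.radius_km


# Constructed assignment table: user id -> currently assigned fence.
DEMO_ASSIGNMENTS: Dict[str, Geofence] = {
    "cmdr-alpha": Geofence(lat=34.0, lon=-118.0, radius_km=25.0),
}


def reassign(assignments: Dict[str, Geofence], user_id: str, fence: Optional[Geofence]) -> Dict[str, Geofence]:
    """Return a new table with the user moved to `fence` (None removes the assignment entirely)."""
    updated = dict(assignments)
    if fence is None:
        updated.pop(user_id, None)
    else:
        updated[user_id] = fence
    return updated


def access_decision(user_id: str, pin_ok: bool, token_ok: bool, lat: float, lon: float,
                    assignments: Dict[str, Geofence] = DEMO_ASSIGNMENTS) -> Tuple[bool, str]:
    """Evaluate: this person (ID & PIN) from within these coordinates with this token code."""
    fence = assignments.get(user_id)
    if fence is None:
        return False, "no current assignment"
    if not pin_ok:
        return False, "something-you-know failed"
    if not token_ok:
        return False, "something-you-have failed"
    if not inside(fence, lat, lon):
        return False, "outside assigned coordinates"
    return True, "granted"


if __name__ == "__main__":
    print(access_decision("cmdr-alpha", True, True, 34.05, -118.05))   # inside the fence
    print(access_decision("cmdr-alpha", True, True, 40.7, -74.0))      # far outside
    moved = reassign(DEMO_ASSIGNMENTS, "cmdr-alpha", Geofence(51.5, -0.1, 25.0))
    print(access_decision("cmdr-alpha", True, True, 34.05, -118.05, moved))  # old post now denied
```

The location factor is only as strong as the source of the coordinates: a position read from a trusted link or terminal is a real factor, while a position reported by the client itself is just another "something you know" that the client can assert. The decision reasons are returned for logging; the message shown to the requester should not distinguish them.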

Shiv Ram:
I have been working on such a perfect solution for more than 2 years now. And I have invented what I have called "Password Less Authentication".

This technology has recently received some recognition from the likes of Lockheed Martin and Red Herring.

But to get to the point, what I have worked on is not about focusing on security at the user, but rather on the information that is stored on the server.

So a website that uses this "Password Less Authentication" can offer the user the option to tag their online credentials to a device of their choice, such as their cellphone (plus a backup device), and the algorithm is such that the device id is not required to be stored on the cellphone or the website server.

What this means is that the user cannot be tracked by the website, which protects their privacy, and also that the information on the server is encrypted using a unique set of hashed code that is different for every user, making it very, very difficult for hackers to reverse engineer it.

Further, the user can use the same device to generate unique strong passwords for different websites.

We have gone further by divorcing the authenticating device from the access device, thus making the life of hackers even more miserable.

Eli Talmor:
The reason that it seems so elusive is that authentication mechanisms are circumvented by malware attacks. No matter how many factors you add, the authentication token is generated by "something" or "someone" else. The way out of this endless tunnel is to realise that if you cannot trust your own computer, then you should trust an Identity Provider (he is "clean" of malware). This Identity Provider will generate the PROCESS that malware cannot circumvent. Now you can "fudge" as many authentication factors into this process as your app. may need. See more at