
Authentication and identification

www.computop.com

Content

The difference between identification and authentication 3
PKI (public/private key infrastructure) 4
Authentication with FIDO 7
Identity providers with potential 10
Summary 11

Security on the internet is one of the biggest issues of our time. Owing to the increasing amount of digitisation in all areas of life, secure identification and authentication are becoming more and more important. Particularly the transfer of sensitive data such as payment transactions must be performed with as little risk as possible in order to protect service providers and service users against the theft and misuse of valuable information.

While personal ID cards are recognised as a reliable identification medium in the analogue world, the uncharted digital territory feels almost like the wild west. The established combination of user name and password is comparatively insecure and the alternative, more sophisticated methods are competing for the best positions on the market. While many companies, initiatives and even the government are working on solutions, a standardised and generally accepted system for secure identification and authentication has yet to be established.

Ralf Gladis, Co-founder and CEO of Computop

The difference between identification and authentication

Many people use both terms synonymously, but they describe two different processes. Identification is when a person proves their identity to an authority or entity to which they were previously unknown. This occurs, for example, via conventional registration with an email address and password, which is sufficient for many services. For more sensitive applications such as payment transactions or banking, on the other hand, there are more sophisticated identification processes such as Postident and WebID. These use significantly more complex methods to check whether a person corresponds to the identity he or she claims to have.

Authentication, on the other hand, involves recognition. After a user has identified themselves and registered, they must then log in. For this and all subsequent uses, they must be authenticated. The usual pairing of user name and password entered during registration is typically used for this purpose.

However, this method has been the focus of criticism for years. In contrast to other processes, it is relatively insecure – particularly when the user’s email address serves as the user name as well. It is often known by a large group of people, thus weakening the level of security. In addition, many customers consider password management to be a tedious annoyance. As a result, instead of using complex letter and number combinations (ideally a different one for each portal), they often use an easily memorable code based on birth dates or family names, often comprising just a few characters. This type of weak password protection is easy to crack, thus presenting a high security risk.

Alternatives include social-login solutions provided by sites such as Facebook, Twitter, LinkedIn or Google once the user has registered. The advantage of this is that in contrast to user name and password combinations, website operators do not store the log-in data on their servers. Instead, the authentication is performed via the plug-in of the relevant site. This means that criminals can only steal the login information directly from the login solution provider and have to hack the social media account. Many platforms offer an optional two-factor authentication via mobile phone number. This would make them significantly more secure than with just one password or with access via a password manager. However, many users do not take advantage of this option, either for convenience reasons or because they are wary of giving the sites their mobile numbers. Security is not enhanced by this behaviour, but data scandals, especially the ones Facebook has been involved in, have made users cautious. Apple’s newly introduced solution, “Sign In with Apple”, addresses this problem and focuses on user privacy. Unlike Facebook and Google, the company’s business model means that it is not dependent on trading in specific user information,

thus Apple enjoys greater user trust. At the same time, all three providers are shifting the problem to central accounts, be it Facebook, Apple or Google, because in the end these accounts are also password-protected.

In addition, it is not possible to fully identify users via this method. The social media giants lack the final proof of identity which can only be provided by service providers who identify their users in a lawful manner and then securely link the information to an authentication process. They are then able to link each authentication to the identity behind it. Solutions exist which meet these high security requirements.

Do you use different passwords for different services? (Survey carried out by Bilendi GmbH on behalf of WEB.DE)

                                                    Total population   18-29 year olds
Yes, an individual password for each service        34%                24%
Sometimes the same password for several services    55%                63%
No, the same password for all services               6%                10%
I don’t know/No answer                               5%                 3%

Too careless with passwords: 61% of German internet users use the same password for several or all online services. When it comes to users under 30, this figure rises to 73%.

PKI (public/private key infrastructure)

For 20 years, technology has allowed identification and authentication to be encoded asymmetrically via a private and a public key. The secure infrastructure described below which is used for this purpose relies on a certification authority (CA) which verifies public keys and issues digital certificates for these. The key pair is usually generated on the device or smartcard of the user. The private key always stays with the user, while the public counterpart which has been signed by the CA is submitted to the service for which they are registering. For the authentication, the service provider then sends the user a calculation which they can only solve if they possess the private key. Only the service with the matching public counterpart which has sent the request is able to check the solution.

Processes such as ‘Identity management’ and ‘Postident’ in Germany or BankID in Sweden are state-regulated identity verifications. Regulators recognise them as equivalent to identification through personal presence. These processes must fulfil specific regulations in the relevant countries in order to be accepted as secure by the government. For example, in Germany, the identification must be carried out by service provider employees who are in access-protected rooms. Additional requirements include – among many others – uninterrupted video identifications in real time and adequate image and sound quality.
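The challenge-response login that the PKI paragraph above describes, as an added Go example that is not the whitepaper's own code: the key pair is generated on the user's side, the service stores only the public key, and a fresh random challenge is signed with the private key and checked against the stored public key. Ed25519 from the Go standard library stands in for the signature scheme the text leaves unspecified, and the `Service` and `Answer` names and the user name are assumptions; the CA's signature on the public key is left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Answer is the user's side: the challenge is signed with the private key, which never leaves the device.
func Answer(priv ed25519.PrivateKey, challenge []byte) []byte { return ed25519.Sign(priv, challenge) }

// Service is the web service: it stores only public keys and the challenge it last issued per user.
type Service struct {
	registered map[string]ed25519.PublicKey
	pending    map[string][]byte
}

func NewService() *Service {
	return &Service{registered: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

// Register stores the public key the user submits when signing up; no secret is stored server-side.
func (s *Service) Register(user string, pub ed25519.PublicKey) { s.registered[user] = pub }

// Challenge issues a fresh random nonce, so a captured answer cannot be replayed later.
func (s *Service) Challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[user] = c
	return c, nil
}

// Verify checks the answer against the stored public key and consumes the challenge.
func (s *Service) Verify(user string, sig []byte) bool {
	pub, known := s.registered[user]
	c, open := s.pending[user]
	delete(s.pending, user) // one challenge, one attempt
	return known && open && ed25519.Verify(pub, c, sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // key pair generated on the user's device (constructed)
	svc := NewService()
	svc.Register("user@example.com", pub)
	c, _ := svc.Challenge("user@example.com")
	fmt.Println("authenticated:", svc.Verify("user@example.com", Answer(priv, c)))
	fmt.Println("replayed answer accepted:", svc.Verify("user@example.com", Answer(priv, c)))
}
```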

[Diagram: “PKI key pair” and “User interaction – web service and PKI”. Actors: User, Web service, PKI. Labelled steps 1 to 5: Issuance of a PUBLIC/PRIVATE key pair; Registration with PUBLIC KEY; Authentication request; Authentication response; Identity request; Identity verification.]

The central security element of the public/private key infrastructure is therefore the private key. The security provider only issues it in a protected environment. This may be, for example, a protected hardware sector in an iPhone. The public key is signed by a certificate authority (CA). As with the SSL certificate of a website, the certificate is verifiable for any outsider and is generally issued for the email address of the user. The authenticity, confidentiality and integrity of messages are thus guaranteed.

If the issuer of the certificate has checked and verified the identity of the user, the user can use it to sign documents in accordance with signature legislation. The digital signature thus replaces the ‘wet’ signature.

PKI in practice

With clearly and lawfully identified customers, data centres and smartcards, banks have the ideal conditions to work in this business field.

Despite these options, banks have not yet recognised the market for themselves. In Germany, the Sparkasse trustcenter, S-Trust, has now completely ceased its business operations for end customers. All banks are currently considering how to implement the strong authentication required in the PSD2. However, the institutions quite literally have the key in their hands. Bank cards, generally girocards, also offer the advantage that almost everyone has one with them at all tim