Authentication and identification (whitepaper, PDF transcript)
Posted: 19-Apr-2020
Authentication and identification
www.computop.com
Contents
The difference between identification and authentication
PKI (public/private key infrastructure)
Authentication with FIDO
Identity providers with potential
Summary
Security on the internet is one of the biggest issues of our time. Owing to the increasing amount of digitisation in all areas of life, secure identification and authentication are becoming more and more important. Particularly the transfer of sensitive data such as payment transactions must be performed with as little risk as possible in order to protect service providers and service users against the theft and misuse of valuable information.

While personal ID cards are recognised as a reliable identification medium in the analogue world, the uncharted digital territory feels almost like the wild west. The established combination of user name and password is comparatively insecure and the alternative, more sophisticated methods are competing for the best positions on the market. While many companies, initiatives and even the government are working on solutions, a standardised and generally accepted system for secure identification and authentication has yet to be established.
Ralf Gladis Co-founder and CEO
of Computop
The difference between identification and authentication

Many people use both terms synonymously, but they describe two different processes. Identification is when a person proves their identity to an authority or entity to which they were previously unknown. This occurs, for example, via conventional registration with an email address and password, which is sufficient for many services. For more sensitive applications such as payment transactions or banking, on the other hand, there are more sophisticated identification processes such as Postident and WebID. These use significantly more complex methods to check whether a person corresponds to the identity he or she claims to have.

Authentication, on the other hand, involves recognition. After a user has identified themselves and registered, they must then log in. For this and all subsequent uses, they must be authenticated. The usual pairing of user name and password entered during registration is typically used for this purpose.
However, this method has been the focus of criticism for years. In contrast to other processes, it is relatively insecure – particularly when the user’s email address serves as the user name as well. It is often known by a large group of people, thus weakening the level of security. In addition, many customers consider password management to be a tedious annoyance. As a result, instead of using complex letter and number combinations (ideally a different one for each portal), they often use an easily memorable code based on birth dates or family names, often comprising just a few characters. This type of weak password protection is easy to crack, thus presenting a high security risk.
Alternatives include social-login solutions provided by sites such as Facebook, Twitter, LinkedIn or Google once the user has registered. The advantage of this is that, in contrast to user name and password combinations, website operators do not store the log-in data on their servers. Instead, the authentication is performed via the plug-in of the relevant site. This means that criminals can only steal the login information directly from the login solution provider and have to hack the social media account. Many platforms offer an optional two-factor authentication via mobile phone number. This would make them significantly more secure than with just one password or with access via a password manager. However, many users do not take advantage of this option, either for convenience reasons or because they are wary of giving the sites their mobile numbers. Security is not enhanced by this behaviour, but data scandals, especially the ones Facebook has been involved in, have made users cautious. Apple’s newly introduced solution, “Sign In with Apple”, addresses this problem and focuses on user privacy. Unlike Facebook and Google, the company’s business model means that it is not dependent on trading in specific user information, thus Apple enjoys greater user trust. At the same time, all three providers are shifting the problem to central accounts, be it Facebook, Apple or Google, because in the end these accounts are also password-protected.

Figure: Do you use different passwords for different services? (Survey carried out by Bilendi GmbH on behalf of WEB.DE.)

                                                    Total population   18-29 year olds
Yes, an individual password for each service              34%               24%
Sometimes the same password for several services          55%               63%
No, the same password for all services                     6%               10%
I don’t know/No answer                                     5%                3%

Too careless with passwords: 61% of German internet users use the same password for several or all online services. When it comes to users under 30, this figure rises to 73%.
In addition, it is not possible to fully identify users via this method. The social media giants lack the final proof of identity, which can only be provided by service providers who identify their users in a lawful manner and then securely link the information to an authentication process. They are then able to link each authentication to the identity behind it. Solutions exist which meet these high security requirements.
PKI (public/private key infrastructure)

For 20 years, technology has allowed identification and authentication to be encoded asymmetrically via a private and a public key. The secure infrastructure described below, which is used for this purpose, relies on a certification authority (CA) which verifies public keys and issues digital certificates for them. The key pair is usually generated on the device or smartcard of the user. The private key always stays with the user, while the public counterpart, which has been signed by the CA, is submitted to the service for which they are registering. For the authentication, the service provider then sends the user a calculation (a challenge) which they can only solve if they possess the private key. Only the service with the matching public counterpart, which sent the request, is able to check the solution.
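To make the challenge-response step concrete, here is an added example (not code from the whitepaper or from Computop) in Go using ECDSA over P-256 from the standard library: the service issues a fresh random challenge, the holder of the private key signs it, and the service checks the signature with the public key registered at sign-up. The CA signing of the public key described above is assumed to have already happened and is not shown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// NewChallenge (service side) draws a fresh random value per login attempt,
// so a captured response cannot be replayed against a later challenge.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Respond (user side) signs the challenge. The private key never leaves the
// user's device; only the signature travels back to the service.
func Respond(priv *ecdsa.PrivateKey, challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Verify (service side) checks the response against the public key that was
// registered for this user. Only this service knows which challenge it sent.
func Verify(pub *ecdsa.PublicKey, challenge, response []byte) bool {
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, digest[:], response)
}

// Authenticate runs one full round trip: challenge, response, verification.
func Authenticate(registered *ecdsa.PublicKey, holder *ecdsa.PrivateKey) (bool, error) {
	challenge, err := NewChallenge()
	if err != nil {
		return false, err
	}
	response, err := Respond(holder, challenge)
	if err != nil {
		return false, err
	}
	return Verify(registered, challenge, response), nil
}

func main() {
	user, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)  // registered user
	other, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // an unrelated key
	ok, _ := Authenticate(&user.PublicKey, user)
	bad, _ := Authenticate(&user.PublicKey, other)
	fmt.Println("genuine holder:", ok, " wrong key:", bad)
}
```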
Processes such as ‘Identity management’ and ‘Postident’ in Germany or BankID in Sweden are state-regulated identity verifications. Regulators recognise them as equivalent to identification through personal presence. These processes must fulfil specific regulations in the relevant countries in order to be accepted as secure by the government. For example, in Germany, the identification must be carried out by service provider employees who are in access-protected rooms. Additional requirements include – among many others – uninterrupted video identifications in real time and adequate image and sound quality.
Figure: PKI key pair. User interaction between the user, the web service and the PKI.
The central security element of the public/private key infrastructure is therefore the private key. The security provider only issues it in a protected environment. This may be, for example, a protected hardware sector in an iPhone. The public key is signed by a certificate authority (CA). As with the SSL certificate of a website, the certificate is verifiable for any outsider and is generally issued for the email address of the user. The authenticity, confidentiality and integrity of messages are thus guaranteed.

If the issuer of the certificate has checked and verified the identity of the user, the user can use it to sign documents in accordance with signature legislation. The digital signature thus replaces the ‘wet’ signature.
Figure: PKI in practice. Steps shown: issuance of a public/private key pair; registration with the public key; authentication request and authentication response; identity request and identity verification.

With clearly and lawfully identified customers, data centres and smartcards, banks have the ideal conditions to work in this business field.
Despite these options, banks have not yet recognised the market for themselves. In Germany, the Sparkasse trustcenter, S-Trust, has now completely ceased its business operations for end customers. All banks are currently considering how to implement the strong authentication required in the PSD2. However, the institutions quite literally have the key in their hands. Bank cards, generally girocards, also offer the advantage that almost everyone has one with them at all tim