Authentication and Whitepaper Authentication · PDF file Factor) and UAF (Universal...
Embed Size (px)
Transcript of Authentication and Whitepaper Authentication · PDF file Factor) and UAF (Universal...
Authentication and identification
The difference between identification and authentication 3
PKI (public/private key infrastructure) 4
Authentication with FIDO 7
Identity providers with potential 10
Security on the internet is one of the biggest issues of our time. Owing to the increasing
amount of digitisation in all areas of life, secure identification and authentication are
becoming more and more important. Particularly the transfer of sensitive data such as
payment transactions must be performed with as little risk as possible in order to protect
service providers and service users against the theft and misuse of valuable information.
While personal ID cards are recognised as a reliable identification medium in the ana-
logue world, the uncharted digital territory feels almost like the wild west. The established
combination of user name and password is comparatively insecure and the alternative,
more sophisticated methods are competing for the best positions on the market. While
many companies, initiatives and even the government are working on solutions, a stan-
dardised and generally accepted system for secure identification and authentication has
yet to be established.
Ralf Gladis Co-founder and CEO
Many people use both terms synonymously, but they describe two
different processes. Identification is when a person proves their
identity to an authority or entity to which they were previously
unknown. This occurs, for example, via conventional registration
with an email address and password, which is sufficient for many
services. For more sensitive applications such as payment transac-
tions or banking, on the other hand, there are more sophisticated
identification processes such as Postident and WebID. These use
significantly more complex methods to check whether a person cor-
responds to the identity he or she claims to have.
Authentication, on the other hand, involves recognition. After a
user has identified themselves and registered, they must then log
in. For this and all subsequent uses, they must be authenticated.
The usual pairing of user name and password entered during the
registration are typically used for this purpose.
However, this method has been the focus of criticism for years. In
contrast to other processes, it is relatively insecure – particularly
when the user’s email address serves as the user name as well. It is
often known by a large group of people, thus weakening the level
of security. In addition, many customers consider password man-
agement to be a tedious annoyance. As a result, instead of using
complex letter and number combinations (ideally a different one
for each portal), they often use an easily memorable code based
on birth dates or family names, often comprising just a few char-
acters. This type of weak password protection is easy to crack, thus
presenting a high security risk.
Alternatives include social-login solutions provided by sites such
as Facebook, Twitter, LinkedIn or Google once the user has regis-
tered. The advantage of this is that in contrast to user name and
password combinations, website operators do not store the log-in
data on their servers. Instead, the authentication is performed via
the plug-in of the relevant site. This means that criminals can only
steal the login information directly from the login solution provider
and have to hack the social media account. Many platforms offer
an optional two-factor authentication via mobile phone number.
This would make them significantly more secure than with just one
password or with access via a password manager. However, many
users do not take advantage of this option either due to conve-
nience reasons or because they are wary of giving the sites their
mobile numbers. Security is not enhanced by this behavior, but
data scandals, especially the ones Facebook has been involved in,
have made users cautious. Apple’s newly introduced solution, “Sign
In with Apple”, addresses this problem and focuses on user privacy.
Unlike Facebook and Google, the company’s business model means
that it is not dependent on trading in specific user information,
The difference between identification and authentication
Too careless with passwords: 61% of German internet users use the same password for several or all online services. When it comes to users under 30, this figure rises to 73%.
Do you use different passwords for different services?
18 - 29 year old Carried out by Bilendi GmbH on behalf of WEB.DE
60% Yes, an individual password for each service
Sometimes the same password for several services
No, the same password for all services
I don’t know/No answer
thus Apple enjoys greater user trust. At the same time, all three
providers are shifting the problem to central accounts, be it Face-
book, Apple or Google. Because in the end these accounts are also
In addition, it is not possible to fully identify users via this method.
The social media giants lack the final proof of identity which can
only be provided by service providers who identify their users in a
lawful manner and then securely link the information to an authen-
tication process. They are then able to link each authentication to
the identity behind it. Solutions exist which meet these high secu-
For 20 years, technology has allowed identification and authen-
tication to be encoded asymmetrically via a private and a public
key. The secure infrastructure described below which is used for this
purpose relies on a certification authority (CA) which verifies public
keys and issues digital certificates for these. The key pair is usually
generated on the device or smartcard of the user. The private key
always stays with the user, while the public counterpart which has
been signed by the CA is submitted to the service for which they are
registering. For the authentication, the service provider then sends
the user a calculation which they can only solve if they possess the
private key. Only the service with the matching public counterpart
which has sent the request is able to check the solution.
Processes such as ‘Identity management’ and ‘Postident’ in Germa-
ny or BankID in Sweden are state-regulated identity
verifications. Regulators recognise them as equivalent to identifica-
tion through personal presence. These processes must fulfil specific
regulations in the relevant countries in order to be accepted as
secure by the government. For example, in Germany, the identifica-
tion must be carried out by service provider employees who are in
access-protected rooms. Additional requirements include – among
many others – uninterrupted video identifications in real time and
adequate image and sound quality.
PKI (public/private key infrastructure)
PKI key pair
User interaction – web service and PKI
Web service PKI
They central security element of the public/private key infrastruc-
ture is therefore the private key. The security provider only issues it
in a protected environment. This may be, for example, a protected
hardware sector in an iPhone. They sign the public key with a cer-
tificate authority (CA). As with the SSL certificate of a website, the
certificate is verifiable for any outsider and is generally issued for
the email address of the user. The authenticity, confidentiality and
integrity of messages are thus guaranteed.
If the issuer of the certificate has checked and verified the identity
of the user, the user can use it to sign documents in accordance
with signature legislation. The digital signature thus replaces the
Authentication response Identity verification
Authentication request Identity request
Registration with PUBLIC KEY
Issuance of a PUBLIC/PRIVATE key pair
PKI in practice With clearly and lawfully identified customers, data centres and
smartcards, banks have the ideal conditions to work in this busi-
Despite these options, banks have not yet recognised the market
for themselves. In Germany, the Sparkasse trustcenter, S-Trust, has
now completely ceased its business operations for end customers.
All banks are currently considering how to implement the strong
authentication required in the PSD2. However, the institutes quite
literally have the key in their hands. Bank cards, generally giro-
cards, also offer the advantage that almost everyone has one with
them at all tim