Authentication trends for 2015


Thought I'd take a stab at what will be happening in the user authentication space this coming year:

  • Hackers will increasingly use trojans such as Citadel to target the master passwords of consumer password managers like 1Password and LastPass. Victims will be hit hard, because a single captured master password exposes every credential in the vault at once, not one password at a time.
  • Hackers will also keep attacking the token- and SMS-based one-time password systems used for online banking, breaking into more bank accounts and increasing pressure on banks to retire this now-obsolete technology in favor of more secure, next-generation methods strengthened with device fingerprinting, transaction verification, and behavioral analytics.
  • More companies will have their employee and customer password databases stolen and dumped on public torrent sites as part of high-profile cyber attacks, as happened to Sony Pictures in 2014.
  • Heavyweights in financial services, e-commerce, and electronics such as Visa, MasterCard, Google, Samsung, and Microsoft will start moving their customers off passwords and onto biometric authentication, aided by the FIDO Alliance UAF and U2F 1.0 standards published in December 2014, and following the lead of trendsetters like Apple, which put fingerprint biometrics in its new iPhone and iPad releases and a heart-rate sensor in the new Apple Watch.
  • Emerging authentication technology companies will make a strong push to get their products to market and grow their user bases. Companies to watch include ThreatMetrix, Yubico (maker of the YubiKey), Entersekt and Nok Nok Labs, as well as the 200+ early-stage startups in this space.

(This post originally appeared as an answer on Quora)

Citadel trojans are targeting popular password manager services

Recent news on Citadel trojans being used to capture master passwords from password manager services like LastPass, RoboForm and Dashlane is a reminder that the single sign-on style of these services, one master password unlocking everything, has an Achilles heel: a single point of failure. Master passwords are the keys to the kingdom: if one is compromised, so is everything behind it. When that happens, a password manager user may be worse off than someone who stuck with the habits security experts love to chasten users for (I won't list them all here; you know, reusing the same password everywhere, and so on). The attacker now knows every site you frequent and the password for each one, all packaged in a single, convenient display. You're done.

Consumer-focused password managers are great for simplifying your life as a user while, in one sense, improving both security and usability, because they make it easy to set a unique, complex password for every website you visit. I use Dashlane myself and find it pretty satisfactory, but now have to worry about being keylogged. I can't trust my antivirus 100 percent to pick that up.

Password manager services will now have to get more sophisticated about their authentication processes: multi-factor authentication, out-of-band messaging, transaction signing, and behavioral analytics on the authentication transaction all come to mind. On the endpoint side, behavioral analytics in the anti-malware product could also help. Things could get pretty ugly in the meantime.

(via Peerlyst)

Authentication startup AnchorID wins Finovate Best-in-Show


New York startup AnchorID took the Best-in-Show award at Finovate Fall, which just wrapped up in New York. There, the company demonstrated its consumer authentication technology for websites and mobile apps, which is purportedly set to launch any time now (fall 2014, according to the company website). AnchorID is tackling the notorious multiple-password management problem, following in the footsteps of companies like AgileBits and Dashlane. AnchorID aims to improve on these earlier-generation consumer password-manager offerings by eliminating passwords entirely: access to both websites and mobile apps goes through a proprietary smartphone app, and the user chooses which type of authentication token to use. The explanatory video lists fingerprint and voice biometrics, PINs, and a simple Yes/No button (proceed with the login or not) as options. The user picks a single user name (their "Universal Username"). Again, no passwords are involved, so the authentication factors are the Universal Username, the app/smartphone combination (presumably including some level of device identification), and the token value (biometric, PIN, Yes/No, etc.) selected by the user. Note that the Yes/No option adds no secret of its own: in that mode the real factor is possession of the enrolled phone, so the strength of the login rests on how tightly the app is bound to the device. The company says it doesn't gather any personal data about the user. Integration with the target website or mobile app is via AnchorID's API.

AnchorID was founded in January 2014 and, according to Crunchbase, has received two rounds of angel funding totaling US $510,000. They're coming into an extremely crowded and noisy market, so success will depend as much on execution as on their technology.

Congratulations to AnchorID on making Best-in-Show!

iPhone 6 Touch ID has already been hacked


That was quick. Marc Rogers, Principal Security Researcher at Lookout, has managed to break the iPhone 6 Touch ID feature and posted how he did it. Marc is the guy who did the same thing to the iPhone 5s when it came out about a year ago. What isn't so good is that, despite a few noted improvements in the new version (a higher-resolution sensor, for example), Marc used the exact same procedure to defeat the iPhone 6 Touch ID as he did on the iPhone 5s: basically a lifted fingerprint, a bit of fingerprint powder and super glue.

While I don't see this as a show-stopper for Apple Pay, it doesn't look good, and it comes at a time when Apple is already on the defensive about security because of the recent iCloud hacking incident involving nude celebrity photos. Marc does note that the hack is hard to do, but I can see someone developing the necessary skill set when the stakes are high (for example, to break into some VIP's iPhone).

I've thought for a long time that fingerprint biometrics work better as a usability feature than as a security feature. For something like mobile payments, both usability and security are paramount. The technology offers a measure of security, just as the lock on your front door does: if someone really wants to break it, and has the skills, time, and patience, they will. The security flaws of fingerprint biometrics have been widely discussed for years and are well known: a print is left on everything you touch, it can be spoofed, and, unlike a password, it can't be changed once it has been copied. Apple even acknowledged in its patent filing for the Touch ID technology that it is aware of these flaws.

A vulnerability in a given security control doesn't mean the control shouldn't be used; it means that when it is used, it should be part of a well-conceived, defense-in-depth strategy with additional layers in place for when the control fails. Apple has provided such layers, for example the kill-switch feature available on all iOS 8 devices and the use of card-number tokenization in Apple Pay. But I still think there's room for improvement with Touch ID.

(Via The Official Lookout Blog)

Alipay gives some serious market cred to Nok Nok Labs and the FIDO standard


Nok Nok Labs has announced that Alipay will use Nok Nok's NNL S3 Authentication Suite to authenticate payment users on future versions of the Samsung Galaxy S5. NNL S3 will gate access to the Alipay Wallet application through the Galaxy S5's fingerprint sensor (which I hope Samsung has fixed by now). That's a major win both for Nok Nok Labs, a Silicon Valley startup in business since November 2011, and for the FIDO Alliance, of which Nok Nok Labs is a founding member. FIDO is an industry consortium, launched in 2013, that provides a standard implementation framework for "post-password" authentication. Its stated mission is to get rid of passwords as the world's default authentication method and replace them with something more secure, standardized, and suited to the emerging multichannel IoT world. NNL S3 is a FIDO-compliant authentication management platform, operated by service providers (including enterprises), that is agnostic to the endpoint form of authentication: the server verifies a signature made with a key held on the device, and how the device decides to release that signature (a fingerprint match, a PIN, a button press) is a purely local matter. So it supports not only fingerprint biometrics, as on the Galaxy S5, but also voice biometrics, face biometrics, secure elements, trusted platform modules, removable tokens, and many others.
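To show why a FIDO-style platform can be indifferent to the endpoint's form of authentication, here is an added example in Go. It is not Nok Nok's or Alipay's code and not a conforming UAF implementation, just the core exchange: a relying party that stores one public key per user and issues random challenges, and an authenticator that signs a challenge only after a pluggable local user-verification step succeeds. The `verifyUser` callback stands in for the fingerprint sensor (or a PIN, or a button); the relying-party name, the user name and the exact bytes the signature covers are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator is the device side: a key pair that never leaves the device
// and a pluggable local user-verification step. The server only ever sees a
// signature, so fingerprint, face, voice, PIN or a button all fit the same flow.
type Authenticator struct {
	rpID       string            // relying party this key pair was made for
	priv       *ecdsa.PrivateKey // a real device keeps one pair per relying party
	verifyUser func() bool       // stand-in for the fingerprint match (assumption)
}

// Register makes a fresh P-256 key pair for rpID and returns only the public half.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.rpID, a.priv = rpID, priv
	return &priv.PublicKey, nil
}

// signedMessage binds a signature to the relying party and the fresh challenge;
// the exact layout is an assumption of this example, not the FIDO wire format.
func signedMessage(rpID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign runs local user verification and, only if it passes, signs the challenge
// for the relying party the key was registered with. The biometric never leaves.
func (a *Authenticator) Sign(rpID string, challenge []byte) ([]byte, error) {
	if a.priv == nil || rpID != a.rpID {
		return nil, errors.New("no key registered for this relying party")
	}
	if !a.verifyUser() {
		return nil, errors.New("local user verification failed")
	}
	return ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(rpID, challenge))
}

// RelyingParty is the server side: enrolled public keys and outstanding challenges.
type RelyingParty struct {
	id         string
	pubKeys    map[string]*ecdsa.PublicKey
	challenges map[string][]byte
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{id: id, pubKeys: map[string]*ecdsa.PublicKey{}, challenges: map[string][]byte{}}
}

// NewChallenge issues 32 random bytes that must be signed to log in.
func (rp *RelyingParty) NewChallenge(user string) []byte {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		panic(err)
	}
	rp.challenges[user] = ch
	return ch
}

// Verify accepts the login only if the signature covers the outstanding challenge
// under the enrolled key. The challenge is consumed either way, so a captured
// response cannot be replayed.
func (rp *RelyingParty) Verify(user string, sig []byte) bool {
	ch, ok := rp.challenges[user]
	delete(rp.challenges, user)
	pub := rp.pubKeys[user]
	return ok && pub != nil && ecdsa.VerifyASN1(pub, signedMessage(rp.id, ch), sig)
}

func main() {
	rp := NewRelyingParty("wallet.example")                        // constructed name
	auth := &Authenticator{verifyUser: func() bool { return true }} // fingerprint matched
	pub, _ := auth.Register(rp.id)
	rp.pubKeys["alice"] = pub
	sig, _ := auth.Sign(rp.id, rp.NewChallenge("alice"))
	fmt.Println("login accepted:", rp.Verify("alice", sig))
	fmt.Println("replay accepted:", rp.Verify("alice", sig))
}
```

Two properties worth noticing: the key is bound to one relying party, so a phishing site with a different ID gets no signature at all, and the server never learns anything about the fingerprint, which is why swapping the sensor for a PIN or a hardware token changes nothing on the server. A production authenticator additionally reports a signature counter so the server can spot a cloned device; that is left out here to keep the exchange short.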

I think the announcement wasn't timed very well, as it was completely overshadowed by the Apple Pay launch a couple of days earlier. However, this is also a very significant step in the global evolution of mobile payments. Alipay, often referred to as "China's PayPal" (although it's more appropriate now to say that PayPal is America's Alipay), has an existing mobile user base of 100 million and 80 percent of China's mobile payments market. And with Samsung commanding 12 percent of the smartphone market in China, we're talking millions and millions of users out of the gate for the new Galaxy S5. As sexy as Apple Pay is, Apple and its posse of partners have some way to go before they get anywhere close to Alipay's market weight.

Via The Paypers (sic)