Authentication trends for 2015

Thought I'd take a stab at what will be happening in the user authentication space this coming year:

  • Hackers will increasingly use trojans such as Citadel to target the master passwords for consumer password management applications like 1Password and LastPass. That will cause big problems for users who are successfully victimized because many of their passwords, not just one at a time, will now be compromised.
  • Hackers will also continue to attack token and SMS-based one-time password systems that are used for online banking, breaking into more bank accounts and increasing pressure on banks to retire this now-obsolete technology in favor of more secure, next-generation methods that are strengthened with features like device fingerprinting, transaction verification, and behavioral analytics.
  • More companies will have their employee and customer password databases stolen and uploaded onto public torrent sites as part of high-profile cyber attacks, as happened to Sony Pictures in 2014.
  • Heavyweights in the financial services, e-commerce, and electronics industries such as Visa, MasterCard, Google, Samsung, Microsoft, and others will start moving their customers off passwords and onto biometric and hardware-token authentication, aided by the FIDO Alliance UAF and U2F 1.0 specifications published in December 2014, and following the lead of trendsetters like Apple, which featured fingerprint biometrics in its new iPhone and iPad releases and a heart-rate sensor in the new Apple Watch.
  • Emerging authentication technology companies will make a strong push to get their products to market and grow their user base. Companies to watch include ThreatMetrix, Yubico (maker of the YubiKey), Entersekt and Nok Nok Labs, as well as the 200+ early-stage startups in this space.

(This post originally appeared as an answer on Quora)

Citadel trojans are targeting popular password manager services

Recent news of Citadel trojans being configured to capture master passwords from password manager services like LastPass, RoboForm and Dashlane is a reminder that the single-master-secret design these services share (often described as a form of SSO, single sign-on) has an Achilles heel: a single point of failure. Master passwords are like the keys to the kingdom: if one is compromised, so is everything behind it.

If that happens, as a password manager user you may be worse off than if you'd stuck with the habits security experts love to chasten users for (I won't list them all here ... you know, things like using the same password over and over again, etc.). That's because the attacker now knows every site you frequent and the password for each one, all packaged in a single, convenient display. You're done.

Consumer-focused password managers are great for simplifying your life as a user while, in one sense, improving both security and usability, because they make it easy to set a unique and complex password for every individual website you visit. I use Dashlane myself and find it pretty satisfactory, but now have to worry about being keylogged. I can't trust my antivirus 100 percent to pick that up.

Password manager services will now have to get more sophisticated about their authentication processes: upgrades like multi-factor authentication, out-of-band messaging, transaction signing, and behavioral analytics on the authentication transaction all come to mind. On the endpoint side, behavioral analytics in the anti-malware application could also help. Things could get pretty ugly in the meantime.

(via Peerlyst)

Authentication startup AnchorID wins Finovate Best-in-Show

New York startup AnchorID has garnered the Best-in-Show award at Finovate Fall, which just wrapped up in New York. There the company demonstrated its consumer authentication technology for websites and mobile apps, which is purportedly set to launch any time now (Fall 2014, according to the company website).

AnchorID is tackling the notorious multiple-password management problem, following in the footsteps of companies like AgileBits and Dashlane. It looks to improve on these earlier-generation consumer SSO offerings by eliminating passwords entirely: access to both websites and mobile apps goes through a proprietary smartphone app, and the user chooses which type of authentication token to use. The explanatory video lists fingerprint and voice biometrics, PINs, and a simple Yes/No button (proceed with the login or not) as options. The user picks a single user name, their "Universal Username". Again, no passwords are involved, so what the login actually rests on is the app/smartphone combination (presumably including some level of device identification) plus the token value (biometric, PIN, Yes/No, etc.) the user selected; the Universal Username is an identifier rather than a secret and adds no strength of its own. The effective security therefore depends on how strongly the app is bound to the enrolled device and on which token type the user picks, since a bare Yes/No tap can be approved by anyone holding the unlocked phone. The company says it doesn't gather any personal data about the user. Integration with the target website or mobile app is via AnchorID's API.

AnchorID was founded in January 2014 and, according to Crunchbase, has received two rounds of angel funding totaling US $510,000. They're coming into an extremely crowded and noisy market, so success will depend as much on execution as on their technology.

Congratulations to AnchorID on making Best-in-Show!

iPhone 6 Touch ID has already been hacked

That was quick. Marc Rogers, Principal Security Researcher at Lookout, has managed to break the iPhone 6 Touch ID feature and has posted how he did it. Marc is the guy who did the same thing to the iPhone 5s when it came out about a year ago. What isn't so good is that, despite a few noted improvements in the new version (a higher-resolution sensor, for example), Marc used the exact same procedure to defeat the iPhone 6 Touch ID as he did on the iPhone 5s: lifting a latent print with fingerprint powder and super glue, then fabricating a fake fingertip from it.

While I don't see this as a show stopper for Apple Pay, it doesn't look good, and comes at a time when Apple is already on the defensive about security because of the recent iCloud hacking incident involving nude celebrity photos. Marc does note that the hack is hard to do, but I can see someone developing the necessary skill set when the stakes are high (for example, to break into some VIP's iPhone).

I've thought for a long time that fingerprint biometrics work better as a usability feature than as a security feature. For something like mobile payments, both usability and security are paramount. The technology offers a measure of security (just like the lock on your front door offers a measure of security ... if someone really wants to break it, and has the skills, time, and patience, they will do it). The security flaws of fingerprint biometrics - vulnerability to spoofing, etc. - have been widely discussed for years and are well known. Apple even acknowledged that they're aware of these flaws in their patent filing for the Touch ID technology.

A vulnerability in a given security control doesn't mean that it shouldn't be used: it just means that when it is used, it should be part of a well-conceived, defense-in-depth strategy, with additional security layers in place for when the control fails. Apple has provided such layers, for example the kill-switch (Activation Lock) feature available on all iOS 8 devices, and the use of card-number tokenization in Apple Pay, where a device-specific account number stands in for the real card number. But I still think there's room for improvement with Touch ID.

(Via The Official Lookout Blog)

Rabobank to sign online banking transactions with VASCO's CrontoSign

Rabobank is introducing VASCO's CrontoSign technology to sign online banking transactions. CrontoSign is basically a DIGIPASS token (VASCO's widely used OTP generator that authenticates users at login) with an added camera and new functionality. When the user sets up a transaction during a banking session, the bank server generates a color QR-style code, which is displayed on the user's computer screen. The code is a cryptogram of the transaction data as the bank received it. The user scans it with the camera on the token device, which decrypts it and displays the transaction details on the token's own screen, where the user can check them against what they intended before confirming; the token then produces a signature code that is entered back into the banking session to authorize the transaction. The technology is claimed to be effective against MITM attacks. No security details are provided, so I can't comment on the implementation one way or the other, but the design is a classic transaction-authentication (TAN-style) technique: because the data is verified on a device the attacker does not control, a man-in-the-browser that alters the beneficiary or amount is exposed by the mismatch on the token's display, and the signature is bound to the data the bank actually holds. CrontoSign was originally developed by Cronto, a UK startup which VASCO acquired in May 2013. Cronto still maintains its own website. The Rabobank version is branded as 'Raboscan'.

(Via The Paypers [sic])
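To make the what-you-see-is-what-you-sign point above concrete, here is an added simulation of a camera-token signing session with both the bank's and the token's side of the exchange. It is illustration written for this page, not Cronto/VASCO code: the real cryptogram format and cipher are not public, so the cryptogram is a stand-in built from the standard library only (HMAC-SHA256 used as a counter-mode keystream, encrypt-then-MAC). DEVICE_KEY stands for a per-device secret provisioned at enrolment (an assumption), and the IBANs, amounts and reference are constructed sample data.

```python
"""Simulated camera-token transaction signing (added example, not vendor code).

Flow: the bank encrypts the transaction *as it received it* into a cryptogram
(the bytes that would be rendered as the color code on screen); the token
authenticates and decrypts it, shows the user what the bank really got, and
only after the user confirms does it derive a short response code that the
bank verifies against the transaction it holds.  Cipher and key handling are
stand-ins built from HMAC-SHA256; the real product's internals are not public.
"""
import hashlib
import hmac
import json
import secrets

# Constructed per-device secret shared by bank and token (assumption).
DEVICE_KEY = hashlib.sha256(b"example device secret, not a real key").digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes from HMAC(key, nonce || counter)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _canon(txn: dict) -> bytes:
    """Canonical encoding so bank and token MAC exactly the same bytes."""
    return json.dumps(txn, sort_keys=True, separators=(",", ":")).encode()


def bank_make_cryptogram(key: bytes, txn_as_received: dict) -> bytes:
    """Bank side: encrypt the received transaction under a fresh nonce and
    authenticate it (encrypt-then-MAC).  Output = nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    pt = _canon(txn_as_received)
    ct = _xor(pt, _keystream(key, nonce, len(pt)))
    tag = hmac.new(key, b"cryptogram" + nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def token_open_cryptogram(key: bytes, blob: bytes) -> tuple:
    """Token side: verify the tag before decrypting, so anything altered in
    transit is rejected outright.  Returns (nonce, transaction to display)."""
    nonce, ct, tag = blob[:16], blob[16:-16], blob[-16:]
    expected = hmac.new(key, b"cryptogram" + nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("cryptogram failed authentication")
    return nonce, json.loads(_xor(ct, _keystream(key, nonce, len(ct))))


def cryptogram_is_authentic(key: bytes, blob: bytes) -> bool:
    try:
        token_open_cryptogram(key, blob)
        return True
    except ValueError:
        return False


def token_sign(key: bytes, nonce: bytes, txn_shown: dict) -> str:
    """After the user confirms the displayed data, derive the 8-digit response
    code typed back into the browser.  It is bound to this nonce and to the
    displayed data, so it cannot be replayed or re-used for another transfer."""
    mac = hmac.new(key, b"response" + nonce + _canon(txn_shown), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:8], 'big') % 10**8:08d}"


def bank_verify(key: bytes, nonce: bytes, txn_as_received: dict, code: str) -> bool:
    """Bank recomputes the code over the transaction it actually holds."""
    return hmac.compare_digest(token_sign(key, nonce, txn_as_received), code)


def run_session(key: bytes, intended: dict, received_by_bank: dict) -> str:
    """One signing session.  `intended` is what the customer typed;
    `received_by_bank` is what the bank got, which a man-in-the-browser may
    have altered before it left the PC."""
    blob = bank_make_cryptogram(key, received_by_bank)
    nonce, shown = token_open_cryptogram(key, blob)
    if shown != intended:
        # The token shows the bank's version on a screen the malware cannot
        # touch, so a swapped beneficiary or amount is visible to the user.
        return "rejected by user"
    code = token_sign(key, nonce, shown)
    return "accepted" if bank_verify(key, nonce, received_by_bank, code) else "rejected by bank"


# Constructed sample transfers (not real accounts).
INTENDED = {"to": "NL91ABNA0417164300", "amount": "250.00", "ref": "invoice 4471"}
TAMPERED = {"to": "NL02RABO0123456789", "amount": "9500.00", "ref": "invoice 4471"}

if __name__ == "__main__":
    print("honest browser :", run_session(DEVICE_KEY, INTENDED, INTENDED))
    print("man-in-browser :", run_session(DEVICE_KEY, INTENDED, TAMPERED))
```

The two things worth noticing are that the token never trusts the PC for the transaction data (it only trusts the authenticated cryptogram from the bank), and that the response code is computed over the nonce plus the displayed data, so a code captured from one session is useless for a different nonce or a different beneficiary.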