Earlier in the month our Chief Crypto Officer, Dr Michael Scott, shared his thoughts on the Trust Me model. Today he highlights an example where this works and considers its draw backs. Passwords are past their sell by date, we know that, but what is the alternative. Don’t be fooled into using personal data as your password replacement. It won’t end well.
Many authentication companies have sought to promote their solution as passwordless. Indeed, it would not be an understatement to say that they are on a (commendable) mission to do away with passwords. And, as you well know, this is something here at MIRACL we champion. Passwords are outdated and have definitely past their sell by date.
The FIDO alliance has been part of the move away from passwords and their framework provides a solution that we have written at length on. There are however a number of organisations that have joined the FIDO alliance (some as far back as 2016), but don’t appear to be using the technology framework in their products. Instead they follow what we have labelled the ‘Trust-Me’ model described in my last blog; https://miracl.com/blog/perils-of-trust-me-authentication-part-1-of-2/
One example of what we classify as a ‘Trust-Me’ passwordless solution is Trusona. They offer two levels of authentication, Trusona Essential and Trusona Executive. But have they really eliminated the risk of attack?
Trusona’s basic option makes good use of the modern Smartphone. Possession of such a phone already provides at least two factors for an authentication scheme. You need a PIN or a biometric to activate the phone. You need to have the phone itself as the “something you possess” factor. Leveraging mobile phone possession as an aid to authentication is a well-known technique. We would all be familiar with SMS One-Time-Password (OTP) authentication where a website backend pushes out a 6-digit OTP to your phone which you then need to enter back into the website.
Or you can turn this around and the website shows you an OTP and gets you to enter it on a Smartphone app, which the app communicates to its servers which, in turn, pass it back to the website, which then lets you in. The potentially tedious process of copying the OTP to the phone is made simpler by the website presenting the OTP along with other data as a QR code, which your phone takes a snap of. This is how the Essential option works and is a widely used technique.
As with any ‘Trust-Me’ scheme, they also have complete access to your accounts, they know a lot about you, and ultimately, if they are hacked, you are hacked.
An important step is the transmission of a “trusonafication” to your phone. This is a challenge that must evoke the correct response in order to get you authenticated. With Essential all that is required is a simple click on a button (proving possession of the device).
For the Executive version, something more elaborate is required.
Here the client uses their mobile phone to photograph the bar code on the back of their driver’s license. These driver’s license details are already on file, placed there during the registration process. If that which was photographed matches that which is stored, you get authenticated.
Does that sound vaguely familiar? Well it should because it’s a case of “Passwords are dead – Long Live Passwords!” Only now instead of a password being an otherwise valueless nonsense word, it’s your driver’s license ID. If/When the Trusona password file gets hacked, the hacker gets access not only to your password, but gets your driver’s license ID, which I bet you would rather not be widely known.
The Threat of Phishing Attacks
One of the big problems with Username/Password is that it is wide open to a phishing attack. A plausible looking clone website that looks like the real website, gets you to enter your password, which you have just given away to the bad-guys. More generally any scheme which involves the simple handing over of credentials, is vulnerable to such a devastating phishing attack, also known as a replay attack. The attacker captures your credentials and simply plays them back any time he wants to gain access to your service.
The MIRACL Way
Now the way to prevent replay/phishing attacks is to use a scheme where the credentials are involved in such a way that every authentication is different, and therefore cannot be replayed. This involves two things, random number generation and a zero-knowledge proof. Randomisation so that every authentication effort is different, and zero-knowledge proof so that whereas the credential itself is involved in the authentication protocol, it is never revealed (and hence cannot be phished). This is the MIRACL way.
But first let me tell you a (true) story…
Once upon a time there was a start-up that came up with a brilliant idea to kill email spam. The idea was as simple as it was ingenious. Any email identified as spam would have its 20-byte hash, its unique fingerprint, stored in a central database. If you signed up for the service you got to flag any spam that got through, and your incoming emails were automatically hashed and compared against the global database. If there was match, the email was deleted. In no time at all, all spam would be identified, and suppressed. The start-up got millions in investment, spent lavishly, and planned their early retirement.
Of course it didn’t work out like that. Within a month spammers were appending some recipient-specific random bytes to the end of their emails, which made each hash different, and the start-up went bust. A cautionary tale, the moral of which is that people should think a little more deeply before adopting gee-whizz ideas.
Which brings me back to Trusona. They seem to be aware that randomisation is necessary to prevent replay attacks (but not aware of the importance of zero-knowledge). As well as the password (drivers license ID), they also harvest information from the phone about its precise state at the moment the photograph of the license was taken. Mobile phones provide a lot of that stuff from the multiple sensors they host. For example, you got accelerometers, GPS data etc. The idea is that this state offers some kind of randomisation, so that every authentication will be different. This state information is processed down to a “nonce” which is sent along with the photo of the driver’s license ID. The idea is simple (history repeats…); if exactly the same nonce appeared in a previous authentication attempt, then this is a replay attack.
Which means a few things. First, they have to store every previous authentication nonce so that they can make such a comparison. That’s a lot of storage per client. Second, you are now giving up even more information about your mobile phone than you bargained for. Thirdly, you are making the fatal mistake of thinking that hackers are not smart enough to figure out how to tweak a previous nonce they have captured so that it is “different” enough to bypass the security.
Is the nonce hashed? Well it may be, or parts of it may be, the Trusona patent covers all of the bases. Hash it and you do keep the raw data private, but the hacker can simply replace it with a random hash and you will never spot the difference. Don’t hash it and the attacker will figure out exactly how to tweak it to make it different, and you just gave up some private information. Some components may also be “sealed”, a mysterious and vaguely described process which seems to involve encrypting some of the data. But of course this would require encryption and decryption keys to be issued and managed, and no such method is described. It appears to be no more than a light additional layer of obfuscation, with encryption keys “hidden” in the source code.
Trusona is, in our opinion, a classic ‘Trust-Me’ product. Caveat Emptor. Except now instead of typing in your password you get to photograph it.
To find out more about zero-knowledge proof MIRACL Trust authentication – which doesn’t use passwords and doesn’t store credentials of any kind – explore www.miracl.com or follow on social media: Twitter @MIRACL | LinkedIn MIRACL
Dr Michael Scott is Chief Crypto Officer at MIRACL, one of the pioneers of Pairing-based Cryptography and the “S” in the widely used BLS and KSS families of elliptic curves. Following a distinguished career of almost 30 years at Dublin City University and an active consultant to both public and private sector, his unmatched depth in knowledge is drawn not only from his academic expertise - he’s published over 100 highly cited papers – but his genuine love of cryptography and the science behind this.