There have been recent articles about hacking attacks on session cookies. They point out a growing, but not very new, concern: instead of trying to break in via the authentication process, the online attacker focuses on the already authenticated user. Why? Because the authenticated user is now managed by the access layer of the online service, and the attacker no longer needs to worry about authentication at the perimeter.
So what happens when a user is authenticated? After authentication, a user is often issued one or more access tokens. Essentially, these tokens tell the platform which session a user has been authenticated into. Now the platform can decide how it manages that session, i.e. how long it gives that user access for without having to re-authenticate, and what services they have the rights to use.
It’s pretty easy to see what happens now. If an attacker can steal those access tokens, they can impersonate the authenticated user. Certain anti-fraud measures can try to combat this, for instance by rejecting the user if there are sudden IP changes, or if the same access tokens are used for two different connections simultaneously. Unfortunately, not every platform has those capabilities, and even where it does, they are often probabilistic assessments of risk rather than deterministic events, and subject to a high degree of uncertainty - AKA false negatives or false positives.
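As an added illustration of the "same token on two connections at once" signal described above (example code, not from the original post or from MIRACL), the snippet below replays a few constructed access-log events and flags any session token presented from two different client IPs within a short window. The window length, the event format and the sample events are all assumptions.

```python
"""Heuristic detection of a possibly stolen session token.

Constructed example: it scans token-usage events and reports tokens that were
presented from two distinct client IPs within `window_seconds` of each other.
A hit is a risk signal, not proof of theft, which is exactly the probabilistic
nature the post warns about: a mobile user roaming between networks can trip it.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample events: (ISO timestamp, opaque token id, client IP).
# Token ids are placeholders, not real cookie values.
SAMPLE_EVENTS = [
    ("2024-01-10T09:00:00", "tok-A", "203.0.113.10"),
    ("2024-01-10T09:00:30", "tok-A", "203.0.113.10"),
    ("2024-01-10T09:01:00", "tok-A", "198.51.100.7"),  # same token, new IP, 30 s later
    ("2024-01-10T09:05:00", "tok-B", "192.0.2.44"),
    ("2024-01-10T11:05:00", "tok-B", "192.0.2.45"),    # IP change two hours later
]


def detect_concurrent_use(events, window_seconds=300):
    """Return {token: [(previous_ip, new_ip, gap_seconds), ...]} for every token
    seen from a different IP than its previous use within `window_seconds`.

    Events are processed in timestamp order; only consecutive uses of the same
    token are compared, which keeps the check linear in the number of events.
    """
    last_seen = {}                # token -> (timestamp, ip) of its previous use
    findings = defaultdict(list)
    for ts_str, token, ip in sorted(events):
        ts = datetime.fromisoformat(ts_str)
        if token in last_seen:
            prev_ts, prev_ip = last_seen[token]
            gap = int((ts - prev_ts).total_seconds())
            if prev_ip != ip and gap <= window_seconds:
                findings[token].append((prev_ip, ip, gap))
        last_seen[token] = (ts, ip)
    return dict(findings)


if __name__ == "__main__":
    for token, hits in detect_concurrent_use(SAMPLE_EVENTS).items():
        for prev_ip, new_ip, gap in hits:
            print(f"{token}: {prev_ip} -> {new_ip} within {gap}s; step-up auth advised")
```

Widening the window to cover the two-hour gap also flags tok-B, which shows how the same rule slides between false negatives and false positives depending on tuning.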
Is it a concern? Sure as dammit it is! It’s become such an issue that organisations such as New Jersey’s Department of Gaming Enforcement have been mandating things such as session lengths and re-authentication of users for many years, and recently updated those rules in June of this year. The European Banking Authority introduced PSD2 in 2016, making transaction authentication a standard requirement for certain at-risk payments.
This is also one of the reasons there is a growing interest in the “Zero Trust Security Model” where the adage is “never trust, always verify”.
The concept is simple: we can no longer rely on a strong perimeter and need to ensure that the people inside our walls have the right to be there in the first place. The best way to do that is to re-authenticate whenever a user touches sensitive information or initiates any action. Unfortunately, that’s where the problems start.
Can you imagine having to re-authenticate with an SMS One Time Passcode or Authenticator TOTP, every time you accessed a directory, launched an application, changed your personal details or even searched a database? It would cripple an enterprise and destroy an online consumer service – friction, and failure, are the enemy for both the enterprise and commerce.
The obvious answer is that you need to minimise user friction, increase the authentication speed and ensure it works 100% of the time under all circumstances. Without that, Zero Trust Security will rely on probabilistic defences and unproven technologies like continuous behavioural biometrics, which is another interesting topic. We can talk about that at some later date. 😊
Of course MIRACL Trust, being the world’s fastest Authentication, coupled with the world’s highest authentication success rate, and able to run on any device - sounds sort of ideal, doesn’t it?