In the past decades more and more information systems are being deployed in the cloud and the necessity to correctly and accurately relate the digital owner of the information stored in those systems, with a physical human, increases. How do we manage in information systems to accurate make this relation? And which is the risk of these assumptions? I invite you to keep reading this post in order to have a brief introduction to the current mechanism accepted by the ecosystem and how we have experienced with them at Octobot 🐙.
In information security ecosystem 🛡️ there is a common agreement in a set of categories were you can classify most, if not all, the authenticator factors that the system being developed will use to correctly identify users.
Nowadays, most systems use a combination of authentication factors from different categories in order to reduce the uncertainty in the identification process of users implemented by the system.
The categories agreed are the following:
Something you know
These factors are the most frequently used in information systems. The strength of this mechanism is based on the secret known by the user and how is it stored (some people still use post it 🤦♂️ for this, please don’t). The more common types in this category are Passwords , which consist of a supposedly secret string that the user should memorize and enter into the corresponding system immediately after the identification process, which is usually resolved using a username.
Nowadays, there is a trend to deprecate the use of passwords with special character types and start using passphrases, this recommendation came to light for example in the NIST SP 800-63b.
Passphrases are long strings formed by multiple words. From our experience, this is a good practice since passphrases are easily remembered by the users,avoiding them to write them down in the wrong place, and preventing dictionary attacks.
Another type of factors that belong to this category are for example ATM PINs and secret questions.
Something you have
These kinds of factors are the ones that imply a possession of some sort by the user. For example, it can be a mobile phone, token generators, electronic id cards, and more. Below, we will briefly explain the most common types inside this category.
This kind of factors work by generating codes that are used in a similar way as passwords, with the difference that are composed solely by numbers. These codes are generated by a piece of software that can reside in different devices.
There are some differences to consider when making a decision between SMS and TOTP/HOTP tokens. SMS tokens implies that every time a user tries to login into a system, they receive a text message with the one time password to input in the login process. This means that this OTP is generated in the system and then sent through an insecure channel to the user. In contrast, HOTP/TOTP factors use a seed to synchronize the system and the client the first time. Usually, the user scans a QR code (seed) using a mobile app and then OTPs are generated only on client side, the only thing that user does, is input that code on the login form of the system when prompted. This avoids the transmission of secret information through insecure channels and gives the user full control of its authentication factor.
This type of tokens also work generating one time passwords or codes but the logic to generate them is embedded in hardware, thus making them hard to copy without breaking the device. There are two types of hard tokens, connected devices, which usually need to be plugged using USB with the client computer, or disconnected, which means they work independently of the client’s computer.
This kind is mostly used by countries nowadays to identify its citizens and give them an authentication factor to access digital services provided by the government or private organizations. Electronic IDs are smart cards that have a hardware embedded cryptographic chip were a pair of RSA keys are saved and used to perform cryptographic operations for example digitally sign documents. The private key can’t be retrieved from the smart card without breaking the device. This basically means that for example every person of a country can have it’s own unique pair of cryptographic keys to perform digital operations, so cool! 😎
One important thing to mention is that this type can be seen as an hibrid factor since in the practice works in a similar way as bank debit cards. For example, if a user wants to perform a sign operation using its private key, the smart card will request the user to input a pin, so they are forced to memorize a secret (Something you Know).
In Octobot we had the experience of integrating Uruguayan SSO federation system with the electronic IDs of the country in order to allow citizens to use their digital IDs as authentication factor in the SSO system and digitally sign documents.
Something you are
This type of factors are associated with the human characteristics of the user and usually are biometrics methods, such as fingerprint,iris,face and voice recognition.
For the past two years, we have been working with AGESIC (Agencia de Gobierno Electrónico y Sociedad de la Información), the National Agency for e-government and information society of Uruguay, on developing a Single Sign On federated system with the purpose of allowing Uruguayan citizens access multiple digital services with only one account.
The main purpose of this project is to provide different identity levels for the users, they depend mainly on two things: the factors you have associated to your account and the one used during the authentication process, depending on the positioning of the digital identification in these two dimensions, a certain identity level is defined by the SSO System, and is delivered to the service providers that interact with it, so they can have this input for they business logic of the services provided. This identity level matrix is defined by Uruguayan Regulation of digital identification, were four levels of digital identification are defined depending on the dimensions aforementioned.
In order to comply with the Uruguayan regulation we integrated the following authentication factors in the SSO System:
User and Password : the most common authentication factor was implemented from the beginning. For this factor, we follow the guidelines provided by NIST SP 800-63b helping the user to use choose passphrases instead of common passwords. In order to implement this, we develop a password widget that guides the user in the password definition to follow rules provided by the aforementioned guidelines. Also, the passwords are checked against a blacklist to avoid the use of common known passwords.
Electronic ID : As we already mentioned Uruguay started providing Electronic IDs for the citizens in 2015. This authentication mechanism has several security advantages, such as: highly difficult to tamper, guarantee the citizen identity and repudiation. These advantages are provided mainly by having a pair of RSA keys were the private key can’t be extracted from the smart card of the electronic ID and the public is hand over on request. This allows every cardholder to have a digital way of replacing the traditional signature, this is a highly secure mechanism to use and guarantee the highest identity level when used.
OTP : We developed OTP authentication factor implementing TOTP protocol in the SSO system, this factor is very common nowadays and has a mix of flexibility and security that makes it simple for the users to adopt. Using this as an additional factor to a password that follows good practices against dictionary attacks, will allow the user to reach up to the level two of identification. In case the user decides to enable this factor but it doesn’t have an app in it’s mobile phone he/she can decide to receive a token by email in order to solve this challenge.
As you may already know the strength or level of you, digital user, in IDUruguay is based on the strength of the factors chosen, and the combination of them that are associated to your digital account. The challenges for the future are to continue adding new authentication factors, and perhaps include an inherent one which is the category that hasn’t been tackled yet.