identity

In the last few days there was another hack: 45 million accounts stolen, weak ciphers and decrypted passwords. With LinkedIn, MySpace (discovered after years!), Adobe, VK and too many others, according to the website haveibeenpwned.com we are above 1 BILLION accounts stolen. It is a real, really big problem. There’s something simply not working with all of this. And I’m just tired of hearing “Never use the same password on different accounts”; it is just plain crazy to have to remember something like 200 passwords, one for every account I have. Moreover, nowadays every fucking website wants you to create an account, and you cannot use their service without it.

Well, let’s start from here.

Why do you need an account? A fairly general reason is to ensure that you are allowed to use the service. Maybe you have to pay, or maybe, like in a blog, only a few people, or just one person, can access a management console. What’s the general rule? YOU HAVE TO IDENTIFY YOURSELF. A username and password are a simple way to prove to the website that it is really you trying to access that reserved area. The underlying concept is identity.

How can you prove your identity? Remember, the process of proving an identity implies that there’s someone else besides you, that this someone knows something about you, and that this something is sufficient to prove that you are really you.

Philosophically, as I found in information technology studies, there are only 3 ways to prove it: show something you know, show something you have, show something you are. This is the base; from here we can build up.

Just as an example, imagine for a moment an old world, a world before the digital era. Imagine, let’s say, a military camp in times of war. A messenger comes in; he says he’s bringing new orders from the general. How can the commander of the camp be sure that he is really a messenger and not an enemy spy bringing false orders? Well, one way could be a set of words, or phrases, chosen before the separation of the two contingents, kept well guarded, known only to the commanders and the messengers. It’s not very foolproof, since a man could be captured and tortured into giving up that password – something the messenger knows. Another way is to show the message: it should be sealed with the unique seal, and maybe the wax, of the general. The symbol of the seal must be well known and difficult to reproduce; moreover, the handwriting and the signature could be used if they are well known – something the messenger has. One last way, to be even more sure, is to find someone in the camp who recognizes the messenger, maybe someone who served with him in another camp – something he is.

These are just three examples; something else could happen, but it will inevitably fall within one (or more) of these three categories. A savvy commander would probably prefer to have all three proofs, if possible.

Let’s come back to our dangerous digital era, and to accessing Facebook. First, you write your username, which is who you claim to be. Now you have to prove that it is really you trying to get in, so you enter your very difficult password. You are writing something you know. Then you remember that you’re at work, so to start working you have to log in to the corporate network by plugging your security token into your PC – something you have. You have to go to the bathroom, so you lock your PC; when you come back, to unlock it you use Windows Hello, a facial recognition system – something you are.
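The first two proofs from the paragraph above, checked together on the server side, as an added sketch that is not part of the original post. It assumes a time-based one-time code (TOTP, RFC 6238) stands in for the plug-in security token; the record layout and the function names `enroll` and `authenticate` are hypothetical.

```python
import hashlib
import hmac
import os
import struct

def hash_password(password: str, salt: bytes) -> bytes:
    # Something you know: store a salted, slow, one-way hash, never the password itself.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    # Something you have: RFC 6238 code derived from a secret held on the user's device.
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10**digits).zfill(digits)

def enroll(password: str, device_secret: bytes) -> dict:
    # Hypothetical account record as the website would store it.
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt),
            "device_secret": device_secret}

def authenticate(record: dict, password: str, code: str, now: int) -> bool:
    # Both factors are always evaluated, with constant-time comparisons.
    knows = hmac.compare_digest(hash_password(password, record["salt"]),
                                record["pw_hash"])
    has = False
    for drift in (0, 30):  # current and previous step, to tolerate clock drift
        expected = totp(record["device_secret"], max(now - drift, 0))
        has |= hmac.compare_digest(expected.encode(), code.encode())
    return knows and has

if __name__ == "__main__":
    # Constructed sample data: the secret is the RFC 6238 test key, not a real credential.
    key = b"12345678901234567890"
    record = enroll("correct horse battery staple", key)
    print(authenticate(record, "correct horse battery staple", totp(key, 59), 59))
    print(authenticate(record, "correct horse battery staple", "000000", 59))
```

A stolen password alone fails the check, which is the point of asking for more than one category of proof.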

In the military camp example I introduced another concept: the trusted third party. It is the soldier who knows the messenger. Let’s expand with another example: like in the best movies, a New York criminal wants to trade drugs. He has to buy them from some Chinese mafia member whom he doesn’t know and doesn’t trust. What does he do? He contacts a local politician who knows both – and who obviously can reassure both parties that they aren’t undercover police or something else. The important part for this article is that the New York criminal trusts the politician, and that the politician knows the Chinese.

Coming back to our incredibly dangerous digital world, we do (or better, the browser does) the same as above when we visit an HTTPS website. We don’t know if the PayPal website is really PayPal and not some phishing attempt, but Symantec, a well known and trusted antivirus producer and certification authority, says that it is really PayPal, and we trust them.

Now we have a general view of all the basic concepts on how to prove our identity. Passwords are by far the most used method in today’s world, basically because they are very simple to implement and because they can be managed entirely on the website side: there’s no need for special devices to read fingerprints, or for cards and card readers. There are a lot of other reasons; I’ll talk about them in the next article. Anyway, when we go onto the web, a password is also the proof most easily broken by people – or programs – that pretend to be you.

 

MORE IN DEPTH

  • https://www.cs.cornell.edu/courses/cs513/2005fa/nnlauthpeople.html
  • http://www.csoonline.com/article/2976884/data-protection/maybe-it-s-time-to-eliminate-something-you-know-as-an-authentication-method.html
  • http://security.stackexchange.com/questions/69195/why-is-something-you-know-the-weakest-factor-of-authentication