Monday, December 19, 2011

Need for a Central Multi-Factor Authentication as a Service

Today there is a need for a safe and secure authentication system. The current methods of authentication - user ID & Password combination is inadequate and does not offer any security. Already, every user is forced to remember multiple log-in ID and passwords for several on line items - e-mail (Gmail, Hotmail, Yahoo & Office), Social Networks (Linkedin, Twitter, Facebook, & corporate Intranet social networks), Banking, e-Serivices, Internet retail etc. As the number of web services increases, users are finding it tough to remember and maintain all their passwords.

Once cloud computing becomes popular, the number of web sites that need authentication will explode. I already have half a dozen of cloud service sites for which I need to remember by login Ids and password. (Office365, Zoho, Dropbox, Google docs, MegaCloud, Salesforce.com)

Today, every online user has at least 12+ web based services which need a log in authentication services and this number is about to explode.

On the other hand as the number of services that need user authentication increases, the online security is being increasingly compromised. World wide over, hackers are getting even bolder - sitting in safe havens, they hack into secure sites such as Citi Bank, HSBC, etc. Even RSA's servers were hacked.

All this points to a need for a safe and secure and centralized multi-factor authentication as a service offering.

Current gold standard for authentication - RSA's two factor authentication is on its last legs. RSA servers was hacked into in March 2011, and several of its internal secrets were stolen. RSA acknowledged that the hackers went after its Intellectual Property and source codes - but stopped short of reveling the extent of the theft. (see http://www.wired.com/threatlevel/2011/03/rsa-hacked/)

All this indicates that the Two factor authentication - Private key, public key can be broken in near future.

Authentication system today

Today, there is no central authentication system. To an extent, Google and Facebook provide a public authentication service, but this is too weak and is unsecured. So users are forced to remember multiple log-in ID/Passwords for each of the service they use.

LDAP falls way short of the requirement as it does not support multi-part authentication. Kerberos & X.509 supports multi-part authentication - but does not scale for a global web based authentication service. Kerberos was introduced in 2000 and follows DES encryption, which is not suffecient for the cloud era. In addition, Kerberos suffers a major drawback as it needs a clock synchronization - which is not practical in a global web based authentication service.

Need of the hour

There is a need for a safe, secure and single authentication service. The authentication service will be on a cloud and offers Authentication as a global service. The central authentication service can be multi-tiered:
1. A basic authentication service for basic web services - such as log-in to public web sites
2. Geographic authentication service - which provides basic authentication along with locational information for accessing personal information on Internet - such as social network or emails.
3. High security & Encrypted authentication service for eCommerce, Net banking and other high value services. The authentication system can generate encryption keys to encrypt all transactions between the user and the service provider. Thus provide a safe & secure web transactions

The authentication service validates several aspects of the user and confirms the Internet user is really the person who claims he/she is. The authentication service will validate and verify the following:

1. Identity of the person - Age, Sex, Address, etc.
2. Validate the privileges the person is entitled for a particular web service.
3. Provide a history of services the user has used in the past. This will require the web services to update the anuthentication service with user history.

The authentication service may or may not provide personal information to web service providers - based on what the individual user's wish. If a person does not wish to reveal his age to a web service provider, then the web service provider can only check if the user is of legal age or not, and such a service will be provided by the authentication service system.

The authentication system incorporates one or more Unique identification services - such as Unique Identification Authority of India (UIDAI), or Social Security Number etc to establish the person's identity.

The central authentication service can also provide information regarding the user rights - i.e., tell the web service - the extent/level of rights the user has on the system. I.e., the authenticated user has clearances for a given set of functions. This information can be used by the web services to designate the level of authorization for the user and set the user privileges accordingly.

The multi-part authentication service can use:

1. A 6-10 character Private key -only the user knows it
2. User BioMetric or A Unique ID code which is not in human readable format.
3. Dynamic Public Key like RSA FOB or a software FOB system

This multi-part authentication service will be more secure than anything in use today. Creating a 3 part authentication system will provide security against hackers - as the possibility of hacking an individual's ID will be impossible - given the Zillion+ possible combinations - which will make it immune for brute attacks.

The multi-part authentication system will be several time more secure than the current 3DES or AES256 standards

Creating a centralized authentication as a service will enable pooling of resources to create a better identity management and security system as a service. This service will provide the first level of security for all Internet transactions - between user and service providers, and also between various service providers.

Ideally, there can be multiple authentication service providers providing a choice for customers.

Closing Thoughts

There is a need for a safe and secure authentication system. The current methods of authentication - user ID & Password combination is inadequate & broken. As the world moves towards Web/Cloud based services - the need for a strong Identity management, authentication & security system becomes a vital building block for a safe and secure Internet.

In this article, I have just touched upon the basic idea of such a service. The business model and the operational details are yet to be developed.

No comments: