
Passwords, P9ssw0rds, Pa55w0rd5!

By Carolina Fernandez, Jordi Guijarro and Shuaib Siddiqui, i2cat Foundation

The IdP environment in the context of identity security

eduGAIN, pioneered and supported by GÉANT, interconnects research and education identity federations around the world. It enables the trustworthy exchange of information between Service Providers and Research & Education (R&E) institutions or other Identity Providers (IdPs): more than 2600 Identity Providers give their users access to services offered by more than 1900 Service Providers (SPs). But what about authentication and end users’ security?

Challenges of IdPs in authentication methods

The different authentication methods can be categorised according to the type of challenge:

  1. Something the user knows, like a password, recovery questions or identifiers;
  2. Something the user owns, like a card or an access device; and
  3. Something the user is, such as physical traits (biometrics) or behavioural patterns.

The most common authentication method is still the password, although other techniques, such as Public Key Infrastructure (PKI) and Multi-Factor Authentication (MFA), are now widely deployed and used routinely.

FreeOTP+ Android app providing a TOTP

PKI can serve as a password-less alternative (e.g., presenting an issued X.509 client certificate directly from the browser or device, or from a smart card that holds the private key), whereas MFA adds a second factor on top of the original method (typically a password). The second factor is a challenge that only the legitimate user should be able to answer: a simple approval (a “magic link” sent by e-mail or a push notification to an enrolled phone), or a One-Time Password (OTP), either counter-based (HOTP) or Time-based (TOTP). TOTP codes are derived from a secret shared at enrolment and the current time, so the authenticator only needs that secret and a reasonably accurate clock; they are produced by dedicated hardware tokens or by authenticator mobile applications.
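The computation behind the TOTP shown in the FreeOTP+ screenshot, as an added example (this is not code from the article): the app and the IdP share a secret, the app derives a code from that secret and the current 30-second time slot, and the IdP recomputes it. The drift window, issuer and account label used here are assumptions; the secret is the RFC 6238 test vector, used only so the output can be checked.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) as an authenticator app such as FreeOTP+
generates them and an IdP verifies them.  Added example, not code from the
article; the drift window, issuer and account label are assumptions."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter; 'dynamic truncation'
    picks 4 bytes at an offset given by the last nibble of the MAC, then the
    value is reduced modulo 10**digits, keeping leading zeros."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = 30,
         digits: int = 6) -> str:
    """RFC 6238: the HOTP counter is the number of `step`-second slots since
    the Unix epoch, so both sides only need the shared secret and a clock."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at // step), digits)


def verify_totp(secret: bytes, code: str, at: Optional[float] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server side: accept the code for the current slot or up to `window`
    slots either side (assumed clock-drift tolerance), comparing in constant
    time.  A real verifier must also remember the last accepted slot and
    refuse the same code twice (replay)."""
    if at is None:
        at = time.time()
    slot = int(at // step)
    candidates = [hotp(secret, slot + d, digits)
                  for d in range(-window, window + 1) if slot + d >= 0]
    return any(hmac.compare_digest(c, code) for c in candidates)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """The otpauth:// URI encoded in the QR code the app scans at enrolment;
    the secret travels as unpadded base32."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}"
            f"&issuer={issuer}&algorithm=SHA1&digits=6&period=30")


if __name__ == "__main__":
    # RFC 6238 test secret (ASCII "12345678901234567890"); never reuse it.
    secret = b"12345678901234567890"
    print(provisioning_uri(secret, "alice@example.org", "ExampleIdP"))
    now = time.time()
    code = totp(secret, now)
    print("current code:", code, "valid:", verify_totp(secret, code, now))
```

Two points a practitioner should take from this: the secret is the whole security of the factor, so it must be protected on both the phone and the IdP database (which is why protecting the MFA device matters later in this article), and the verifier must track the last accepted slot, otherwise a phished code can be replayed within the window.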

Other techniques identify individual traits, either physical (face, iris or fingerprint recognition) or behavioural (gait or voice, but also patterns of interaction with a device, such as typing rhythm or mouse movement). Building on the latter, continuous authentication [BEHCA] validates the user’s identity on an ongoing basis with the help of machine learning, e.g., in online proctoring systems [SMWPS] where students are monitored through their webcam and the system looks for suspicious behaviour. A weaker form of continued authentication also happens in applications that keep long-lived sessions by silently renewing authentication tokens with their back-ends, instead of periodically asking users to authenticate again.

Strengths and weaknesses analysis and recommendations

Evaluating the security of an authentication method involves several factors: its adoption by the general public, its technical foundation and the effort it demands from attackers. The more widespread a technique, the more attractive a target it becomes, and the more tooling and know-how exist to bypass it.

Take an e-mail account protected only by a password. Once attackers gain access to it, they can use it to reset the passwords of other accounts registered to that address, or simply try the same password elsewhere, since passwords are frequently reused. Password compromise remains the most common attack and happens through password guessing (brute force and credential stuffing), social engineering or phishing. Other methods, like MFA, add an extra challenge: Microsoft reports that accounts with MFA enabled are more than 99.9% less likely to be compromised [MTE19]. MFA is not immune, however. Attackers combine the above techniques with interception or impersonation, for instance SIM-swap attacks that move the victim’s phone number to a SIM they control, so that SMS codes and recovery calls reach the attacker rather than the user, or they clone the recovery device outright. Some biometric methods, such as face or voice recognition, can be bypassed with synthetic footage (deepfakes) generated by neural networks and targeted at selected individuals.

Thinking about our users, there are online tools to assess the strength of a password (PassProtect) and to find out whether a password has appeared in a known data breach (Have I Been Pwned?). The latter can be queried safely: the client hashes the password locally and sends only the first five hexadecimal characters of its SHA-1 hash, receiving back every known breached hash with that prefix, so the password itself never leaves the user’s machine. Privacy and security communities also share how-to guides on recommended tools and configurations to secure communications [EFT20] and improve end-user privacy.
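The Have I Been Pwned lookup described above, as an added example (not code from the article or from the service): the password is hashed locally, only the 5-character prefix is sent, and the returned list is matched against the remaining 35 characters on the client. The sample range response and its counts are constructed so the code runs offline; only `fetch_range()` contacts the real API, and it is not exercised here.

```python
"""Have I Been Pwned 'Pwned Passwords' range lookup with k-anonymity.
Added example, not code from the article.  The sample range response and its
counts below are constructed for offline use; only fetch_range() talks to the
real API."""
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed stand-in for the API response to GET /range/5BAA6: one line per
# known hash with that prefix, "SUFFIX:COUNT".  The suffix for "password" is
# its real SHA-1 tail (5BAA61E4...), but the counts and the other suffixes are
# made up.  Lines with count 0 are the padding the API adds on request.
SAMPLE_RANGE = {
    "5BAA6": (
        "0018A45C4D1DEF81644B54AB7F969B88D65:0\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        "1F2B8AB5E0F6C4AEEBD4D9B0C8A9C2E7D13:2\r\n"
    ),
}


def hash_split(password: str) -> Tuple[str, str]:
    """SHA-1 the password locally and split it into the 5-char prefix that is
    sent to the service and the 35-char suffix that never leaves this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Turn the 'SUFFIX:COUNT' lines of a range response into a dict."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.strip().upper()] = int(count or 0)
    return counts


def fetch_range(prefix: str) -> str:
    """Live lookup (not used by the offline demo): only the prefix is sent."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"Add-Padding": "true",
                                          "User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def offline_fetch(prefix: str) -> str:
    """Fetcher backed by the constructed sample above."""
    return SAMPLE_RANGE.get(prefix, "")


def breach_count(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """Number of times the password appears in known breaches (0 = not found).
    A padding line with count 0 is indistinguishable from 'absent', which is
    the intended behaviour: padding exists only to hide the response size."""
    prefix, suffix = hash_split(password)
    return parse_range(fetch(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = breach_count(pw, offline_fetch)
        verdict = f"seen {n} times, reject" if n else "not in sample data"
        print(f"{pw!r}: {verdict}")
```

An IdP can run the same check at password-change time and reject any password with a non-zero count; the fetcher is injectable so the check can be unit-tested without network access.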

Future challenges of the authentication methods

There is a trade-off between the security of a system and the user experience it provides. Configuration pushes the balance one way or the other: a more secure setup at the cost of less convenient and more frequent authentication (as in services handling sensitive data), or loosely defined authentication policies where the session stays stored on the device “long enough” (as in social networks), keeping the user signed in at the cost of handing that access to a third party if the device is compromised. Depending on the type of authentication, end-users should be instructed to take extra protection measures, such as securing the phone used as a second factor.

Depending on the above and on the risks inherent to each authentication method, the Identity and Service Providers can take different measures, for instance:

  1. Coordinating to implement comparable authentication and authorisation processes (e.g., following the AARC project blueprint architecture and policies), or inter-federating with other federations via eduGAIN;
  2. Following a coordinated response when an incident strikes, as defined in the SIRTFI framework; and
  3. Disseminating security best practices internally (e.g., using the resources provided by the GÉANT Learning & Development Knowledge Hub).

IdPs and SPs should also instruct their end-users to take extra precautions: share best practices on choosing and managing passwords, explain how to protect the device used for MFA, and remind them to log out of shared devices so that a live SSO session cannot be reused by the next person to reach other SSO-protected resources.

Conclusions

As is widely known, passwords alone are an easy target. For an end-user it is therefore best to combine them with other types of challenges (e.g., TOTP as part of MFA) or to use protocols and interfaces that offer additional control, such as disabling and enabling accounts on demand [LATCH], to reduce that risk.

From an organisational point of view, adopting MFA, accounting for the common pitfalls of the available authentication methods [GLDPA] and coordinating internally between affected services should go a long way towards reducing the impact of attacks, and may even improve the user experience. A specific example of cooperation among federated organisations is the SIRTFI initiative, which aims at a coordinated, decentralised approach to handling security incidents among the participants. Another important point, which comes before mitigation, is continuous internal learning by IdP operators (at the level of National and Regional RENs) following reference best practices, together with communication between interconnected organisations.


References

GLAD: How to avoid common pitfalls on authentication methods, https://www.youtube.com/watch?v=BH03dRWGP2g&list=PLELuOn8jN3IKtR40qezwfzlP5BIMPYKF6&index=5
GÉANT Learning and Development: Knowledge hub, https://learning.geant.org/knowledge-hub/
The Security Incident Response Trust Framework for Federated Identity (SIRTFI), https://refeds.org/sirtfi
The security switch for the digital life, https://latch.elevenpaths.com/
What is Continuous Authentication and Why Does it Matter?, https://www.behaviosec.com/what-is-continuous-authentication-and-why-does-it-matter/
Large-scale SIM swap fraud, https://securelist.com/large-scale-sim-swap-fraud/90353/
All your creds are belong to us!, https://techcommunity.microsoft.com/t5/azure-active-directory-identity/all-your-creds-are-belong-to-us/ba-p/855124
Bye Bye Passwords: New Ways to Authenticate, https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3y9UJ
Online Proctoring by SMOWL, https://smowl.net/en/proctoring-software-smowl/
Pass Protect browser plug-in, https://www.passprotect.io
Have I Been Pwned?, https://haveibeenpwned.com
Surveillance self-defense: tool guides, https://ssd.eff.org/en/module-categories/tool-guides
The AARC project blueprint, https://aarc-project.eu/
The eduGAIN project, https://edugain.org/


About the authors

Carolina Fernández (carolina.fernandez@i2cat.net) holds a Computer Science Engineering degree from the Autonomous University of Barcelona (UAB, 2011). Her research interests include Next Generation Software-Defined Networking and Network Function Virtualisation, where cloud, automation, virtualisation and sometimes security techniques are applied. She has participated in the technical implementation of more than 10 research projects in multiple frameworks (e.g., FP7, H2020, GÉANT FPA) as well as in open calls and private projects, working on the design, architecture, development and operation of hardware infrastructures and management software stacks.

Jordi Guijarro (jordi.guijarro@i2cat.net) is Cybersecurity Innovation Manager at i2CAT (http://www.i2cat.net), Internet Research Centre. He holds a Computer Science Engineering degree from the Open University of Catalonia (UOC) and a Master in ICT management from Ramon Llull University (URL). An expert in cloud and cybersecurity services, Jordi has managed CERT/CSIRT teams providing proactive, reactive and value-added security services. He has also participated in EU FP7/H2020 Research & Innovation projects and collaborates with UPC, UOC and VIU as an associate.

Shuaib Siddiqui (shuaib.siddiqui@i2cat.net) has more than 10 years of experience in the academic, research and industry sides of the ICT sector. At present, he is a senior researcher at i2CAT Foundation, where he is also the Area Manager of the Software Networks research lab. Since joining i2CAT Foundation in 2015, he has been active in 5G-related projects (under H2020) on control, management and orchestration platforms based on SDN/NFV, network slicing, and NFV/SDN security. He holds a Ph.D. in Computer Science from the Technical University of Catalonia (UPC), Spain, an M.Sc. in Communication Systems (2007) from École Polytechnique Fédérale de Lausanne (EPFL), Switzerland, and a B.Sc. in Computer Engineering (2004) from King Fahd University of Petroleum & Minerals (KFUPM), Saudi Arabia.


Read more on the GÉANT Cyber Security Month 2020: https://connect.geant.org/csm2020