In recent years, we have been hearing of numerous ‘Login ID’ and ‘Password’ related data breaches involving popular websites and other online services. It is also likely that your application credentials are listed in a massive file that is floating around on the Dark Web. These can lead to ‘Loss of Trust’ with customers. Loss of Trust leads to ‘Loss of Brand Loyalty’ and eventually results in ‘Loss of Business’.
Let us see how these security issues can be addressed. Most of us will obviously come up with a solution based on multi-factor authentication and risk/behavioral authentication. Apart from being the obvious solution that pops up, multi-factor authentication often creates a conflict between ‘compliance requirements’ and ‘user convenience’. Ideally, we should be thinking about a solution that fortifies application security without compromising the user experience.
Present-day Password Management:
1. 99% of websites store their users’ passwords on servers (plain, encrypted, hashed etc.)
2. 99% of websites validate passwords by transmitting them (HTTP/HTTPS) over the network.
Both of the above practices are vulnerable to data breach, either through a ‘MITM’ (man-in-the-middle) attack on the network or through loss of the stored password data.
NextGen Authentication & Password Management:
1. Passwords are never transmitted over the network, neither in clear nor in encrypted form.
2. The password is validated on the client side, not at the server end.
3. A PKI-based challenge-response authentication protocol is used.
This allows us to address password breaches due to MITM, phishing attacks, brute-force attacks and data leakage, simply because the password is known only to the user and is validated on the client side.
CA Auth ID + Cryptographic Camouflage
CA Technologies, formerly known as Computer Associates International, provides a next-generation authentication product which they call ‘CA Auth ID’. It offers the same capabilities as a physical smart card for authentication, digital signing, encryption and decryption in PKI-enabled applications, without requiring any end-user hardware. CA Auth ID can authenticate to any web application without changing the user experience: the user submits their usual Login ID and password as usual, and behind the scenes a PKI-based challenge-response authentication does the major chunk of the work.
The CA Auth ID is a standard ‘X.509 v3 digital certificate’ that is saved on an end user computer or USB drive, or downloaded remotely for secure on-demand authentication. Unlike a simple password, a CA Auth ID is not vulnerable to brute-force password attacks. It is also not vulnerable to man-in-the-middle attacks, which, in turn, protects users from phishing attacks.
The CA Auth ID is based on industry standards and CA-patented Cryptographic Camouflage technology to provide software-only, strong authentication that is protected against brute force attacks.
Although a CA Auth ID digital certificate is password protected (Password is known only to the user), it supports the following features to provide strong authentication:
• Only the correct password can access a CA Auth ID digital certificate.
• A plausible response is generated for every CA Auth ID password that is entered, even if it is incorrect. As a result, identifying the CA Auth ID password offline is not easy.
• The CA Auth ID authentication is a challenge-response authentication protocol, which ensures the user password is only used locally and is never transmitted to, or verified at, the server end.
• Repeated incorrect CA Auth ID password entries lock out the CA Auth ID, depending on the maximum number of authentication attempts configured.
• CA Auth IDs can only be used online, which means the user must connect to the CA Strong Authentication Server to validate their CA Auth ID password.
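The following is an added toy model, not CA’s code or the CA Auth ID protocol, showing the two ideas the article relies on: the client-side, password-unlocked challenge-response login described under ‘NextGen Authentication’ above, and the camouflage properties listed just above (a well-formed key for every password, online-only validation with lockout). It uses a Schnorr-style signature over a constructed 64-bit safe-prime group so that it runs instantly with the Python standard library; the group size, the 50,000 PBKDF2 iterations, the lockout threshold and all names are assumptions made for illustration.

```python
"""Toy model of password-protected PKI challenge-response login with a camouflaged
key container. Constructed example, standard library only. The 64-bit group is a
toy so the demo runs instantly; it is not a production parameter."""
import hashlib
import secrets

def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin probable-prime test (enough for a demo group)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group(bits: int = 64):
    """Return (p, q, g): safe prime p = 2q + 1 and g generating the order-q subgroup."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        p = 2 * q + 1
        if _is_probable_prime(q) and _is_probable_prime(p):
            break
    while True:
        g = pow(secrets.randbelow(p - 2) + 2, 2, p)  # squaring lands in the order-q subgroup
        if g != 1:
            return p, q, g

def _enc(v: int, p: int) -> bytes:
    return v.to_bytes((p.bit_length() + 7) // 8, "big")

def keygen(group):
    p, q, g = group
    x = secrets.randbelow(q - 1) + 1  # private key in [1, q-1]
    return x, pow(g, x, p)            # (private, public)

def sign(group, x: int, challenge: bytes):
    """Schnorr signature (e, s) on the server's challenge; runs on the client only."""
    p, q, g = group
    y, k = pow(g, x, p), secrets.randbelow(q - 1) + 1
    r = pow(g, k, p)
    e = int.from_bytes(hashlib.sha256(_enc(r, p) + _enc(y, p) + challenge).digest(), "big") % q
    return e, (k + e * x) % q

def verify(group, y: int, challenge: bytes, sig) -> bool:
    """Server-side check; needs only the public key y, never the password or x."""
    p, q, g = group
    e, s = sig
    if not (0 <= e < q and 0 <= s < q):
        return False
    r = pow(g, s, p) * pow(y, q - e, p) % p  # g^s * y^-e equals g^k for a genuine signature
    return int.from_bytes(hashlib.sha256(_enc(r, p) + _enc(y, p) + challenge).digest(), "big") % q == e

def _pad(password: str, salt: bytes, q: int) -> int:
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000, dklen=32)
    return int.from_bytes(dk, "big") % (q - 1)

def camouflage(x: int, password: str, q: int):
    """Shift x-1 by a password-derived pad mod (q-1): no MAC, padding or check value."""
    salt = secrets.token_bytes(16)
    return salt, (x - 1 + _pad(password, salt, q)) % (q - 1)

def open_container(container, password: str, q: int) -> int:
    """Any password, right or wrong, yields a well-formed private key in [1, q-1]."""
    salt, blob = container
    return (blob - _pad(password, salt, q)) % (q - 1) + 1

class AuthServer:
    """Stores public keys only; the wrong-password signal exists only here, online."""
    def __init__(self, group, max_attempts: int = 3):
        self.group, self.max_attempts = group, max_attempts
        self.pubkeys, self.failures, self.pending = {}, {}, {}
    def enrol(self, login_id: str, pubkey: int):
        self.pubkeys[login_id], self.failures[login_id] = pubkey, 0
    def is_locked(self, login_id: str) -> bool:
        return self.failures.get(login_id, 0) >= self.max_attempts
    def issue_challenge(self, login_id: str) -> bytes:
        self.pending[login_id] = secrets.token_bytes(32)
        return self.pending[login_id]
    def check_response(self, login_id: str, sig) -> bool:
        challenge = self.pending.pop(login_id, None)  # each challenge is single-use
        if challenge is None or login_id not in self.pubkeys or self.is_locked(login_id):
            return False
        if verify(self.group, self.pubkeys[login_id], challenge, sig):
            self.failures[login_id] = 0
            return True
        self.failures[login_id] += 1
        return False

class Client:
    """Holds the camouflaged container; the password never leaves this object."""
    def __init__(self, group, container):
        self.group, self.container = group, container
    def respond(self, password: str, challenge: bytes):
        return sign(self.group, open_container(self.container, password, self.group[1]), challenge)

def enrol_user(server: AuthServer, login_id: str, password: str) -> Client:
    x, y = keygen(server.group)
    server.enrol(login_id, y)
    return Client(server.group, camouflage(x, password, server.group[1]))

def login(server: AuthServer, client: Client, login_id: str, password: str) -> bool:
    return server.check_response(login_id, client.respond(password, server.issue_challenge(login_id)))

def demo():
    """Correct login, three wrong passwords, then lockout even for the right password."""
    server = AuthServer(make_group(), max_attempts=3)
    client = enrol_user(server, "alice", "correct horse")  # constructed user and password
    ok = login(server, client, "alice", "correct horse")
    wrong = [login(server, client, "alice", "guess %d" % i) for i in range(3)]
    return ok, wrong, login(server, client, "alice", "correct horse")
```

The point to notice is in `open_container`: because the stored blob is just a shifted group element with no integrity tag, a wrong password decrypts to a key that is indistinguishable, by format, from the real one. The only place a guess can be confirmed is `AuthServer.check_response`, which is online, single-use per challenge, and counts failures toward lockout, which is exactly the property the bullet list above attributes to the camouflaged CA Auth ID.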
Without adding complexity to the user experience, ‘CA Auth ID’ can be harnessed in the authentication process of any web application to make it more secure and avoid password breaches.
Authored By - Saravanan Sivaraman
TCS Cyber Security Practice