Advanced Persistent Threats in Digital Identity
Hitoshi Kokumai
Advocate of Identity Assurance by Citizens' Volition and Memory. Founder and Chief Architect at Mnemonic Identity Solutions Limited
You may have heard this disturbing news report, "Chinese hacker group caught bypassing 2FA": the Chinese state-sponsored group APT20 has been busy hacking government entities and managed service providers.
We were amazed by the capability of those cyber attack forces, which may well be backed by huge budgets and by irresistible means of bribing and threatening insiders at the target organizations.
Well, we could make meaningful contributions in such areas as (1) preventing the compromise of an OTP token from affecting the overall security of 2F authentication, (2) preventing the OTP token from getting compromised in the first place and (3) preventing inside jobs.
Below are the conclusions that we reached.
1. Our proposition of the simplest quasi-2F authentication could help.
We could consider an extremely simple quasi-two-factor authentication made of a remembered password (what we remember) and a memo or storage medium on which a long password is written or stored (what we possess), which we can use right away at no cost.
If properly hashed, the resulting high-entropy hashed value can withstand fierce brute-force attacks. Theft or copying of the memo/storage alone would not compromise the account as long as the remembered password remains unknown to the criminals.
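As an added illustration (not the author's or Mnemonic Identity Solutions' code) of how the two factors can be combined so that the memo alone is useless, the block below stretches the remembered password and the stored long password together with PBKDF2-HMAC-SHA256 and a per-user salt; the choice of PBKDF2 and the iteration count are assumptions standing in for "properly hashed", and the sample credentials are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Key-stretching parameter; a constructed value for this illustration.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def derive_verifier(remembered: str, stored_long: str, salt: bytes) -> bytes:
    """Combine 'what we remember' with 'what we possess' into one key-stretched verifier.

    The two factors are joined with a NUL separator so the boundary between them is
    unambiguous, then run through PBKDF2-HMAC-SHA256 with a per-user salt.
    """
    material = remembered.encode("utf-8") + b"\x00" + stored_long.encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", material, salt, PBKDF2_ITERATIONS)


def enroll(remembered: str, stored_long: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Create the server-side record (salt, verifier). Neither factor is stored by the
    server; only their key-stretched combination is."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    return salt, derive_verifier(remembered, stored_long, salt)


def verify(record: Tuple[bytes, bytes], remembered: str, stored_long: str) -> bool:
    """Constant-time comparison of a fresh derivation against the stored verifier."""
    salt, expected = record
    return hmac.compare_digest(derive_verifier(remembered, stored_long, salt), expected)


if __name__ == "__main__":
    # Constructed sample credentials (not real user data).
    memorized = "correct horse battery"             # what we remember
    memo = "7fK2-qP9s-Lm4x-Zt8v-Wb3n-Rc6y-Hj1d"     # what we possess, written on a memo
    record = enroll(memorized, memo)
    print("legitimate user:", verify(record, memorized, memo))
    print("memo stolen, password unknown:", verify(record, "", memo))
    print("password known, memo missing:", verify(record, memorized, ""))
```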
Furthermore, ‘Image-to-Password Converter cum Entropy Amplifier’ software could be considered for a better balance of security and convenience at a higher level once Expanded Password System becomes readily available. This software can be offered as a plug-in module for either the server or the user’s device.
These schemes are explained in detail in the "Proposition on How to Build Sustainable Digital Identity Platform", selected as a finalist for the ‘FDATA Global Open Finance Summit & Awards 2019’.
2. Our proposition of 2-channel authentication could help.
With our 2-channel scheme, the one-time code can be recovered and sent to the server only by the legitimate user who retains the secret credential in their brain.
Further details are provided in the slide “2-Channel Authentication with No Physical Tokens and No SMS”.
It is also referred to as a powerful phishing deterrent in “Targeted/Spear Phishing and Expanded Password System”.
By the way, this 2-channel scheme is not just a concept; it was actually implemented in the real world for corporate use.
3. Our proposition of Authority-Distributed Authentication could help.
With this scheme, an encryption key is reproduced by any combination of 3 registered operators and is eliminated after the operation, as outlined in the slide “On-the-fly Key Generation from Our Memory”. It would be extremely hard to quietly bribe or threaten 3 people at the same time.
Again, this scheme is not just a concept; the prototype software proved to work.
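The page does not say how the key is reproduced from three operators' inputs, so the following added example (not the author's prototype) models the 3-of-n property with Shamir's secret sharing over a prime field: any three shares reproduce the key, fewer yield nothing useful, and the key exists only inside one operation. The field prime, share layout and sample key are assumptions for the illustration.

```python
import secrets
from typing import Callable, List, Tuple

# Mersenne prime 2^127 - 1 defines the field; keys must be integers below P.
P = 2**127 - 1

Share = Tuple[int, int]  # (operator index x, share value f(x))


def split_key(key: int, threshold: int, n_operators: int) -> List[Share]:
    """Split 'key' into n_operators shares so that any 'threshold' of them reproduce it.
    A random polynomial of degree threshold-1 with constant term 'key' is evaluated
    at x = 1..n_operators (Shamir's scheme)."""
    if not (0 <= key < P and 1 < threshold <= n_operators):
        raise ValueError("key out of field range or bad threshold")
    coeffs = [key] + [secrets.randbelow(P) for _ in range(threshold - 1)]

    def f(x: int) -> int:
        acc = 0
        for c in reversed(coeffs):  # Horner evaluation mod P
            acc = (acc * x + c) % P
        return acc

    return [(x, f(x)) for x in range(1, n_operators + 1)]


def reconstruct_key(shares: List[Share]) -> int:
    """Lagrange interpolation at x = 0 over the supplied shares. With fewer than
    'threshold' shares the result is a field element unrelated to the key."""
    key = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        key = (key + yi * num * pow(den, -1, P)) % P
    return key


def operate_with_key(shares: List[Share], operation: Callable[[int], object]) -> object:
    """Reproduce the key only for the duration of one operation and drop the local
    reference afterwards. Python cannot guarantee memory wiping; this models the
    policy that the reconstructed key is not retained, not a secure erase."""
    key = reconstruct_key(shares)
    try:
        return operation(key)
    finally:
        del key
```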
Conclusion
We are confident that we could make significant contributions to mitigating these 3 problems:
(1) preventing the compromise of an OTP token from affecting the overall security of 2F authentication,
(2) preventing the OTP token from getting compromised in the first place, and
(3) preventing inside jobs.
Key References
For Achieving Solid Digital Identity on Information Security Buzz (Mar/2021)
“Impact of Episodic Memory on Digital Identity”
Digital Identity for Global Citizens
What We Know for Certain about Authentication Factors
Summary and Brief History — Expanded Password System
Proposition on How to Build Sustainable Digital Identity Platform
Additional References
External Body Features Viewed as ‘What We Are’
History, Current Status and Future Scenarios of Expanded Password System
Update: Questions and Answers — Expanded Password System and Related Issues (30/June/2020)
Bizarre Theory of Password-less Authentication
Removal of Passwords and Its Security Effect
Negative Security Effect of Biometrics Deployed in Cyberspace
< Videos on YouTube >
Slide: Outline of Expanded Password System (3 minutes 2 seconds)
Digital Identity for Global Citizens (10 minutes, narrated)
Demo: Simplified Operation on Smartphone for consumers (1m41s)
Demo: High-Security Operation on PC for managers (4m28s)
Demo: Simple capture and registration of pictures by users (1m26s)
Slide: Biometrics in Cyber Space — “below-one” factor authentication
< Media Articles Published in 2020 >
Digital Identity — Anything Used Correctly Is Useful https://www.valuewalk.com/2020/05/digital-identity-biometrics-use/
‘Easy-to-Remember’ is one thing ‘Hard-to-Forget’ is another https://www.paymentsjournal.com/easy-to-remember-is-one-thing-hard-to-forget-is-another/
Identity Assurance And Teleworking In Pandemic https://www.informationsecuritybuzz.com/articles/identity-assurance-and
Program lead (Cyber Security) at Infosys Ltd
This is truly shocking on two fronts! a) It will dissuade adoption of 2FA among the less 'tech savvy', when it should be encouraged in general... b) Reading the article, it claims that the OTP seed is not signed by the device; rather, the device presence is merely 'tested for' (and subsequently spoofed) by the OTP generation process! I feel there is more contained in this story that is not fully explained. Why has RSA not moved to refute/fix the problem? Has anybody seen anything in the wider technical press? Similar has happened before: https://www.theregister.co.uk/2011/04/04/rsa_hack_howdunnit/ At best, it appears that RSA is a little unlucky?
Information Security Researcher, Academician, Entrepreneur | Password & Cybersecurity, Digital Identity, Biometrics Limit, 3D Education | Linux Trainer | Writer | Podcast Host
Hitoshi Kokumai: All three solutions are feasible and practical and, as you wrote, are already tested. Unless the tech community gets rid of the hype-induced 'password killing' efforts, there will be more such incidents of breaches of digital identities around the globe.