Archives for posts with tag: authentication

A few days ago I talked about how to fix TLS by ditching certificates and using public keys sent by the websites themselves to authenticate them. That proposal attracted quite some criticism. I realised I didn’t explain the idea very well. So here is an update, to address the comments and to explain the idea better and more precisely. Read the original post for some more context and background.


TLS secures the connection between your browser and the websites you visit (and a lot of other Internet connections that do not involve either a browser or a web server). TLS should provide confidentiality (so nobody can steal your passwords or see which webpages you are visiting), integrity (so nobody can modify the transactions you send to your bank) and authenticity. When properly used, TLS provides the first two guarantees, but it is increasingly becoming apparent that it fails to provide the latter: authenticity. The use of certificates (and the poor understanding of what authenticity on the web really means) is to blame.

(Note: I wrote an update to clarify and improve the idea, based on comments I received.)


Most of the popular cloud systems are insecure. The recent hack of celebrity accounts, and the subsequent release of nude pictures, clearly demonstrates this once again. The problem is that most cloud systems rely on passwords to restrict access to an account. The reason is usability: it allows the account to be accessed from any device. To make this really usable, an easy-to-remember password needs to be selected. Unfortunately, such passwords can be guessed by brute force. Of course this can be prevented, for example by restricting the number of times one is allowed to enter a wrong password. But then account recovery strategies, which allow legitimate users to regain access to their account if they forget their password, provide a second avenue of attack.

In other words: user-friendliness kills security. Can this be fixed somehow?


Today at the IFIP Information Security and Privacy 2014 conference, Nathan Clarke talked about active authentication. The goal of active authentication is to continuously estimate the confidence that the owner of a smartphone is actually the person using it at this very moment. This is an interesting idea that I’d like to discuss a little bit in this blog post.

Even though they are insecure, passwords are still the main form of authentication available on the web. There are several reasons for this. Users are used to passwords, and trust them. Teaching them to use something new requires time and effort. If users don’t see the benefit of a new system, they will continue using passwords. Services have been using passwords for ages. Using a different method requires a significant effort (in terms of time and other resources). Moreover, authentication systems form a two-sided market with cross-side effects. This creates the chicken-and-egg dilemma that users will not migrate to a form of authentication that is not offered by a significant number of services, and services will not offer a new authentication method if no users use it.

The challenge is to break this vicious cycle. And UbiKiMa aims to achieve just that.


Today I read an interesting paper by Marian Harbach and colleagues from the University of Hannover. They have studied the factors that influence the acceptance of new methods of authentication online. In particular, they have studied user attitudes towards using the new German electronic identity card (nPA) as a replacement for username/password based authentication online. This is highly relevant for our own work on IRMA, a platform for authentication based on attribute-based credentials.


Following the discussion at the Radboud University on the future of authenticating websites, I led a similar discussion at TNO. This again led to many remarks and suggestions, many of which were also raised in Nijmegen. But a few new observations were made as well.
