Escalating IT Security Threats

User Identification

Three categories may be considered including anonymous, standard and strong identification.

Anonymous service requires no identifion at all.

Standard, or ‘normal’, identification may be based on what the requestor knows, such as a password, or bears such as a physical security token. Such a token may include password-generating device, a list of one-time passwords, a smart card and a reader, or a one-time password transmitted to a mobile terminal.

Strong identification may be based on a biometric property of a user, such as a fingerprint, retina or voice recognition.
It can also be a security token the transfer of which between persons is difficult, such as a mobile terminal including a PKI certificate installed requiring a PIN code upon each instance of use.

Authentication Methods

Network service –related authentication, how a user proves his/her identity, may be implemented on four levels, including unnecessary, weak, strongish, and strong method. Strongish authentication, being stronger than weak, thus resides between the weak and strong options.

If the user may remain anonymous, authentication is unnecessary.

Weak authentication may refer to the use of single standard category identification such as user ID/password pair.

Instead, strongish authentication may apply at least two standard identification measures utilizing different techniques.

With strong authentication, at least one of the identification measures must be strong.

Access Control

In pull methods, a user may first identify oneself anonymously to a network service providing a login screen in return. The user may then type in the user ID and a corresponding password, whereupon he/she may directly access the service or be funneled into the subsequent authentication phase.
In push methods, a network server may first transmit information to the e-mail address of the user in order to authorize accessing the service. Preferably only the user knows the password of the e-mail account in question.

Known Problems

Notwithstanding the various advancements in user and service identification, authentication, and related secure data transfer, some defects still remain.

  • The users are often reluctant to manually manage a plurality of user IDs and corresponding passwords for convenience reasons. As a result, they may utilize the very same user ID and/or password in multiple services and/or use rather obvious and thus easy-to-crack words, numbers or expressions as passwords. Cross-account password re-use is practically impossible to prevent by password policy settings.
  • Any password management is toothless against growing number of vendors who revert to phishing, social engineering or shoulder-surfing.
  • Even if the access control management systems require using a strong password, i.e. hard-to-remember password, a risk that the user writes the password down increases considerably and the authentication level turns ultimately weak.
  • The utilization of a password is typically enabled by access control management that may store the password locally. If the security of the local workstation is later jeopardized, third parties, man-in-the-browser, may harvest the passwords stored therein.
  • Using passwords for identification requires also that passwords are stored and kept in a remote server repositories. Almost routine leaking of millions of passwords means that even encrypted passwords can be resolved effectively by using dictionary attacks on cracker's local hardware.
  • If the user forgets the password or it has to be changed for some other reason, actions have to be taken by the user and optionally service provider. The user has also to memorize the new password.
  • The adoption of a personal, network service-specific token such as a smartcard, and a related reader device may require intensive training.
  • The increase in the use of smart cards correspondingly raises the risk of thefts and provision of replacement cards. In case the personal tokens apply a common (distributed) secure algorithm, the theft of such algorithm would cause tremendous security issues and trigger massive physical update operations regarding the associated elements such as tokens in order to recover at least part of the original security.
  • Cloud virtual-desktop services may be regularly, e.g. daily, utilized by a user, the nowadays available access control procedures, especially identification and authentication solutions applied upon logging in to a service, are typically either inadequate in terms of the achieved data security or awkward from the standpoint of usability with reference to the aforesaid lengthy and strong, i.e. complex and thus hard-to-remember, passwords