The Emperor has no clothes!
Current ways of establishing your digital Identity all seem prudent and sensible,
BUT data breaches continue to proliferate: according to IT Governance, 1.34 billion data records were exposed in just one month, November 2019.
Fox-IT, a cyber security specialist company in the Netherlands, says it found evidence that a group known as APT20, believed to operate at the behest of the Beijing government, has been bypassing RSA SecurID two-factor authentication in a recent wave of attacks. “We have identified victims of this actor in 10 countries, in government entities, managed service providers and across a wide variety of industries, including Energy, Health Care and High-Tech,” its report states.
Major German banks have recently announced plans to drop support for SMS-based one-time passcodes as a login authentication and transaction verification method. This might seem a bit late, as US NIST in its Digital Identity Guidelines publications has long regarded Out of Band and OTP methods as weak. There is added schadenfreude in one of the reasons given: that SIM swapping (otherwise known as self provisioning) is being abused!
Authentication products based on User profiling are currently fashionable. These software-only techniques, which use machine learning and artificial intelligence, have intrinsic flaws. The most permissive usage, usually required by C-level executives, becomes the easiest hacker target, and you need a very available administrative team on call to handle legitimate exceptions. Importantly, there is no detection of compromise.
FIDO fobs and similar variants are designed to remove passwords, as they are linked to the URL to be accessed, not to the User. If stolen, they continue to work, making an excellent excuse for repudiation of access.
Zero Knowledge methods work as long as the algorithm and data points have not been leaked by the Service provider; if they have been, compromise is undetectable.
In both FIDO and Zero Knowledge methods, since there is no link to a specific user, they cannot be immediately suspended and personal usage analytics are not possible.
It is always awkward to say that the Emperor has no clothes, but clearly existing authentication methods, which are essentially based on keeping fixed secrets, are vulnerable and so encourage complicit Users to disclose their secrets, knowing they can make plausible excuses.
We have a fully developed product called CASQUE, based on a challenge/response protocol.
Basil Philipsz, CEO