We often find ourselves in situations where we set out on a mission and, as it goes on, realise that our first choices were not good ones. At that point we have two options: start over from scratch, or make up for those poor decisions with extra work and effort.
The Internet Was Created in an Insecure Way
This is a phrase you will surely have heard from cyber security professionals at some point. The digital transformation, one of the most drastic changes in the history of humanity, has always been built on things that had never been done before. Along the way we have made choices that have sometimes proved to be wrong. But, as we said before, we cannot “reset” the Internet and start from scratch.
One of those bad choices, made at the very beginning of the Internet, concerns identity management: how a system knows who is using it; for example, who the person accessing an email account is and how the system tells them apart from anyone else. Traditionally this has relied on passwords, which only the user in question should (and I must repeat: should) know. But, whether because of weaknesses in the systems themselves (the password can be intercepted or stolen in transit on the network or on the device where it is typed) or because the user does not handle it responsibly, this mechanism has proved extremely fragile.
The User: The Weakest Link in The Chain
This is easy to check: just take a walk through the “underground” Telegram channels or the dark net markets of the Deep Web to see how many premium service accounts are for sale: Netflix, Spotify, PrimeVideo, Twitch Gaming and almost any other kind. It is logical to infer that these cheap, still-active accounts were stolen from users whose credentials, and therefore their identity, were poorly protected, whether by the online service or by the users themselves.
Prestigious studies on the subject, such as Forrester’s The Identity And Access Management Playbook for 2020, warn that 81% of security breaches are caused by a weak, stolen or default password. This happens for a multitude of reasons, some of them the user’s responsibility and some of them defects in the design or implementation of security.
To a large extent this is due to users’ ignorance or carelessness: they assume that nobody could be interested in attacking a private individual. The impact is far greater when the user’s identity is the gateway to a larger entity such as a company or organisation. So much so that the user has proved to be the weakest link in the chain: a user vulnerable to cyberattacks makes the company vulnerable. A password that is too easy to guess, too common, or reused across more than one site or online service is enough to cause this.
I also recommend reading this other article on the proper use of passwords. Cybercriminals have designed techniques that exploit exactly these misuses of passwords, and we will cover them in the second part of this series of articles. So, rather than delegate all of that trust to the end user, cyber security companies such as ElevenPaths strive to avoid this kind of risk by designing products and services that add an additional layer of security on top of the traditional, and by now obsolete, user/password pair, as well as innovative improvements to identity services, which we will discuss in part 3 of this series.
SmartPattern: The Path to Robust Identity Management
So, where is the challenge? In developing technology that guarantees that extra layer of security without harming the user experience and without forcing the user to learn or adapt to a new identification system. What we call robust identity, or level 3 (three-factor) authentication, combines three independent kinds of evidence:
- Something you have: for example, a physical device or card.
- Something you know: for example, a pin or password.
- Something you are: for example, your fingerprint.
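As an added example (not SmartPattern or any ElevenPaths code), the following Python shows what a login check that combines two of these factors looks like: something you know (a password stored as a salted PBKDF2 hash) and something you have (a time-based one-time code from an authenticator app, per RFC 4226/6238). The user record, the salt and the TOTP secret are constructed test data; the secret is the RFC 6238 test-vector key, so the codes can be checked against the published vectors. The "something you are" factor is left out because it needs a biometric sensor. Only the standard library is used.

```python
"""Two-factor login: something you know (password hash) + something you have (TOTP).
Added illustration, not product code. All user data below is constructed."""
import hashlib
import hmac
import struct
import time
from typing import Optional

PBKDF2_ITERATIONS = 600_000          # OWASP guidance for PBKDF2-HMAC-SHA256
TOTP_STEP = 30                       # seconds per code, as in authenticator apps

# Constructed test data: salt and the RFC 6238 test-vector secret (ASCII digits).
SALT = bytes.fromhex("0e1f2d3c4b5a69788796a5b4c3d2e1f0")
TOTP_SECRET = b"12345678901234567890"


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so a leaked database does not leak the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


# What the server stores: never the password, only its hash plus the shared TOTP secret.
USER_DB = {
    "alice": {
        "pw_hash": hash_password("correct horse battery staple", SALT),
        "salt": SALT,
        "totp_secret": TOTP_SECRET,
    }
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of elapsed time steps."""
    return hotp(secret, at // step)


def verify_login(username: str, password: str, code: str, now: Optional[int] = None) -> bool:
    """True only if BOTH factors check out. `now` is injectable for testing."""
    now = int(time.time()) if now is None else now
    user = USER_DB.get(username)
    if user is None:
        # Spend a hash anyway so an unknown username takes as long as a wrong password.
        hash_password(password, SALT)
        return False
    know_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    # Accept the current step and one step either side to tolerate clock drift.
    have_ok = any(
        hmac.compare_digest(totp(user["totp_secret"], now + drift), code)
        for drift in (-TOTP_STEP, 0, TOTP_STEP)
    )
    return know_ok and have_ok


if __name__ == "__main__":
    # RFC 6238 vector: at t=59 the 8-digit code is 94287082, so the 6-digit code is 287082.
    print(totp(TOTP_SECRET, 59))
    print(verify_login("alice", "correct horse battery staple", "287082", now=59))
```

Both checks are evaluated and compared in constant time before the result is combined, so an attacker cannot tell from timing which factor failed. A stolen password alone, or a phished code alone, is not enough, which is the whole point of the extra layer.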
So, as a culmination and, in a way, a spoiler of where this journey of digital transformation is taking identity management, we will put forward an example of robust identity management that is both convenient and usable by the ordinary user of technology: SmartPattern.
SmartPattern is a new approach to robust authentication, and to authorising and signing documents, based on a simple pattern gesture drawn on the screen; it can be used on any smartphone, tablet or touchpad laptop as an identity service.
In other words, the user does not need to remember or store hundreds of passwords, only a single pattern for all online services. The service runs a machine learning engine that detects features unique to the way each person draws the route, so that even when the pattern is deliberately shown to another user, the imitator’s attempt is rejected in 96% of cases. Put another way, about 4% of imitation attempts still succeed, a figure worth weighing when deciding what the pattern alone should authorise. We were able to verify this figure in a field study at the University of Piraeus, Greece.
Thanks to its versatility, SmartPattern can be integrated with a multitude of authentication and authorisation services, for example logging in and/or authorising a banking transaction, as we have already demonstrated on Nevele Bank’s demo portal: a bank without passwords!
The SmartPattern website offers more information on this subject, but let this innovative and advanced element show that the path to a secure identity will have many more avenues beyond the well-known user/password pairs that we have hitherto considered secure.
This is all for the moment. In the next part we will talk about cybercrime and the market for stolen credentials that continues to grow, both on the Deep Web and on underground Telegram channels.