Navigating Secure Authentication Across the Wild West of the Internet

Remaining secure while benefiting from everything the Internet has to offer is what we, as consumers, want, which is why secure identification and authentication are increasingly vital. The transfer of sensitive data, including payment transactions, must be performed with as little risk as possible to protect not just customers but service providers too against the theft and misuse of valuable information.

The combination of user name and password is comparatively insecure, and alternative, more sophisticated methods are competing for the best positions on the market. A standardised and generally accepted system for secure identification and authentication has yet to become firmly established, so in the meantime it is important to understand the landscape.

Identification and authentication

These terms are often used synonymously, but they describe two different processes. Identification is when a person establishes their identity with an authority or service to which they were previously unknown. For many services, conventional registration with an email address and password is sufficient. For more sensitive applications such as payment transactions or banking, on the other hand, more rigorous identification processes apply. These use significantly more complex methods to check whether a person actually corresponds to the identity he or she claims to have.


Authentication, conversely, is recognition: after a user has identified themselves and registered, they must log in, and for this and every subsequent use they must be authenticated. The pairing of user name and password chosen during registration is typically used for this purpose.


However, this method has long been criticised because, compared with other processes, it is relatively insecure, particularly when the user's email address also serves as the username: the email address is widely known, so an attacker only has to guess or steal the password. In addition, many customers find password management tedious, so instead of using long random combinations of letters and numbers they resort to an easily memorable code based on birth dates or family names, and often reuse it across services. Unsurprisingly, such passwords are easy to guess and present a high security risk. But there are alternative ways to achieve a higher level of security.

PKI

Identification and authentication can be built on asymmetric cryptography, with a private and a public key. This relies on a certification authority (CA) which verifies that a public key belongs to a particular person or device and issues a digital certificate binding the two together. The key pair is usually generated on the user's device or smartcard. The private key always stays with the user, while the public counterpart, in the certificate signed by the CA, is submitted to the service for which they are registering. For authentication, the service sends the user a fresh, random challenge and the user signs it with the private key. Producing a valid signature without the private key is computationally infeasible, and this is the central security element. The service checks the signature against the certified public key; because the challenge is random and used only once, a captured response cannot be replayed for a later login.

FIDO

To reduce reliance on passwords, the FIDO Alliance (Fast IDentity Online) is establishing open, licence-free industry standards for global online authentication. Like PKI, FIDO uses a pair comprising a public and a private key. However, the pair is generated inside the FIDO authenticator, a protected hardware or software component (a separate security key, or a secure element or trusted environment built into the user's device), and the authenticator supports user verification, which can be required every time the key is used, for example via biometric methods such as iris or fingerprint scans, or via a PIN.


FIDO & PSD2

The revised Payment Services Directive (PSD2) aims to make electronic payments in Europe more convenient and secure by requiring strong customer authentication (SCA). SCA must combine at least two of the following three independent factors:

  1. Knowledge: Information that only the user knows (e.g. password).
  2. Possession: Something that only the user owns (e.g. smartphone).
  3. Inherence: Something that is a personal or physical aspect of the user (e.g. fingerprint).

FIDO enables secure authentication without passwords. A separate key pair exists in the FIDO authenticator for every service to which a user logs in, so a key registered with one webshop is useless at any other site. The authenticator represents the possession factor. On a smartphone it is combined with a knowledge or inherence factor, because the authenticator only releases a key after the user has unlocked it via a PIN, fingerprint sensor or facial recognition; this is how a single device can satisfy the two-factor requirement of PSD2. Computop's FIDO solution will enable merchants to offer their customers a biometric login to their webshop account and to authenticate payments in a safe and quick process that benefits the shopping experience. It is important to note that the biometric data never leaves the customer's device: it is stored in the device's secure element or equivalent protected storage and compared locally, and only the result of that comparison unlocks the private key. The service provider receives a signature, never the fingerprint or face data.

Summary

PSPs like Computop have to be prepared for the challenges that the future presents. However, developments in the market show one thing clearly: the reign of passwords is coming to an end.


See our Authentication and identification guide