Disclaimer: Let me start by saying that I know any change to the way we authenticate users is a massive undertaking. No part of what I’m suggesting in this article will be ‘easy’, it all comes with complications, but I believe it is a viable next step and worth every bit of the challenge.
In Short
Username and password authentication is broken. As far as I know, everyone in the security field agrees. Adding multi-factor options is a good band-aid, but it’s not a fix and doesn’t address things like password re-use and the problems with security questions (that I outline HERE).
I believe that one approach we could take to fixing user authentication is to use certificates. Currently, the way certificates are issued and managed is too complex for every user, so changes would need to be made, but I believe it can be done and would result in a much more secure internet overall.
Biometrics could play a role in a new authentication method to unlock local data, but contrary to what some believe, you would not be sending a simple hash or copy of a fingerprint to a system to authenticate. Such a design, where every system we log into has our fingerprint, is prone to all sorts of problems. Not the least of which is the inability to change the credential over time.
The certificate system, while too complex to easily be used for user authentication currently, does address all the issues that we need to address when it comes to user authentication and I believe it would only take a few changes to work – not an entirely new certificate design. I believe that certificates themselves, as they exist today, can be used as I envision by building credential managers that can handle managing certificates and updating browsers to allow for the new method.
If the system I describe below was the norm, I believe it would be the end of phishing, most keylogging, and breach related issues all at once. Current password managers are pretty good at dealing with these things as well, but at times they create a frustrating user experience and they can’t do anything to change how website owners store your credentials.
In Depth
Right up front I’ll say that I do recognize that parts of what I’m proposing could come with costs and complexity that could ruin the idea if the wrong people are leading. A non-profit group, preferably an open source community driven group, should build this system so that the end result gives everyone a free way to participate.
To make this approach viable, it would have to start with password managers. I’m a LastPass user and promoter currently, but every password manager (including the built-in browser ones) would need to support certificate based authentication in order for this approach to ultimately take over. The complexities of managing certificates would have to be completely automated so that everyone from the tech newbie to the experts could use it.
Password managers – renamed to credential managers – would have to be capable of grabbing certificate downloads during credential creation, installing certificates into the browser, removing certificates from the browser, and replicating certificates between devices – all with minimal interaction on the part of the end user. This would need to include not just PCs, but phones and tablets as well. It would be better for the credential managers to maintain the certificate store and present the certificate to the website themselves, but I don’t know enough about certificate implementation to know if that’s possible. If it is possible for a browser add-on to present a certificate instead of the browser presenting it, then adoption of this new approach wouldn’t rely on cooperation from the browsers. If add-ons can currently manipulate the certificate store then it also wouldn’t require cooperation from the browsers.
After credential managers would come the certificate authorities. There is already a thriving market for SSL certificates that a great many websites already rely on, and every day more sites are getting on board the SSL train. Let’s Encrypt has begun to revolutionize the certificate space (my domain uses their automated certificate system) and if you haven’t heard of them and you run a web server, go check them out now: https://letsencrypt.org/
You can get a website SSL certificate for free or anywhere from $40 to several thousand per year depending on the type of certificate you get and which certificate authority you choose. I’m sure they’d charge for a new Auth Master Cert, but that cost should be lobbied to stay minimal, even free with possible feature limits. I envision a similar situation to what we have now with website certificates where all of the certificate authorities that currently sell certificates would charge for an Auth Master Cert, and the ones that are free now would provide free Auth Master Certs. These certs would use an email address as the validation piece so control of the email address would have to be proven to get a cert issued tied to that email address.
This new Auth Master Cert would need to be able to sign an unlimited number of other certificates because it would be used to create a unique certificate for every system that a user would have previously created a password for.
I don’t think the cost issue will be a big problem as long as the non-profit group that leads the charge sets the tone well. Along with providing free Auth Master Certs, doing things like establishing that any system that participates is required to honor all registered certificate authorities, running the registry for Auth Master Cert authorities, requiring revocation checking, establishing standards for certificate escrow, and other things that I haven’t thought of – I believe this group could make sure things stay reasonable.
Once certificate authorities can issue these new certificates easily, and credential managers have the ability to manage certificates, then websites can start the transition. The process on the website side would be to replace the password selection step with a certificate generation step. The user’s Auth Master Cert is used to create a system specific certificate and those public and private parts are saved. The user experience would consist of nothing more than clicking a button to import the certificate, the credential manager picks that up and confirms that the certificate was received and imported. From that moment on, any visit to that site confirms the certificate with the credential manager in the background. Ideally, the user would never even have to click on a log in button. Maybe a single confirmation to use the certificate on the first visit each day.
We will still have to authenticate with the credential manager. This can still be done with a password and two factor/biometrics – although a pass phrase of 15 characters or more should be enforced along with time outs to help prevent another user of that same workstation or device using credentials that aren’t theirs. This aspect is not a new or overly dangerous issue in my opinion. Today, if a user visits eBay and logs in and then walks away from the workstation, anyone else walking by can sit down and act under their account. Many websites already have login time outs and the method of authentication would not need to change any of that. Logging out of the credential manager, locking the workstation, automatic timeouts, or even using a personal physical token are all things that could be enforced, encouraged, or left up to the user.
The local security of a physical workstation is outside the scope of this article, although a complete transition to this new approach could make a logged in workstation a more valuable target, so some thought should be devoted to protecting this attack surface as best we can. Currently, if a user logs into 3 websites and then walks away, leaving the workstation open for anonymous use, those 3 websites are open to misuse. With the new certificate based approach, every website in the database could be visited and misused if the local workstation is compromised. I believe we can mitigate that risk with timeout and other logic though.
Maybe in addition to timeouts, we allow for a quick access PIN. When the user creates their passphrase, they also choose a quick access PIN. The user starts their day by logging into their credential manager. After login, for 15 min they can browse websites without any further prompting. The credential manager uses their certificate when needed and the user is able to visit every site they have credentials stored for without issue. At the 15 min mark however, the credential manager prompts for the quick access PIN as a way to verify that the right user is still in control. These prompts would only occur if a website requests a certificate of course, so if the user switches to playing a game or working in some local app, they would not get bugged for a PIN. The credential manager should be able to recognize when a browser was in the background or out of focus to prevent things like AJAX calls and auto-refreshes from causing never-ending prompts.
Each website could decide how often it authenticates. Some sites, like forum sites, may only request authentication upon initial login and during posts. Other sites, like financial sites or security related sites might authenticate with every page. Sites may also have a default behavior that could then be modified with ‘remember me’ type settings. Each website would have to create their own set of policies to protect their users appropriately much like they do now.
One aspect of this new system isn’t new for people who use password managers today, but would be new for everyone else, and that’s credential escrow. A model like Lastpass where user data is encrypted locally and then stored on their servers makes sense to me but having the option to store your data on a thumb drive would be appreciated by some. This aspect of the system could be the hardest to work out if completely free options are to be common. In a perfect world, trustworthy free repositories would exist and every credential manager could interact with every repository and the user would only have to log in and their data would be found and downloaded and decrypted locally without the user having to specify a repository.
This brings things around to the point of all of this. Each website being in control of their own security is what has put us in the position we are in now, where security online is a joke and a great many people are made victims by the actions (or lack of actions) of a few. With this certificate model however, a massive shift in security can happen.
With a certificate based authentication system, users can revoke their Auth Master Cert at any time and every credential they have will become invalid. The next time they visit a site, a re-auth process would launch based on the revoked certificate.
Currently, every website is a target for attack. From a pet or garden forum to the biggest banks and government sites. Mostly though, the smaller sites are targets purely for the purpose of collecting credentials to then be used elsewhere. A hacker will attack a pet forum website and collect a list of thousands of email address/password pairs (and security questions) that they then attempt to use on social network sites and financial sites. If only everyone used a unique password on every site, this would no longer be a viable attack. If everyone uses a unique certificate for every site, then that would be the end of these attacks.
Personally, I have a personal quest to get as many people as I can using password managers and creating random passwords – but in the bigger picture, that quest is really a lost cause. The vast majority of users will continue to use the same password (or set of a few passwords) on every site as long as they’re allowed to. Additionally, websites will continue to be lax with their own security and breaches will leak our information including passwords and security questions. Making the transition to this certificate approach has the happy side effect of creating a unique credential for every website without the user having to come up with it. Thus, completely solving password re-use and all of the problems that come along with it.
Imagine a website with completely certificate based authentication. They still might have weak security and a breach could still occur. The hacker will get credentials that only work on that one site and nowhere else. If that was the established norm, then there would no longer be any benefit in attacking any site that doesn’t store financial or identity information. I can’t honestly claim a percentage here, but I wouldn’t be surprised if that meant 90% or more of the internet would suddenly become completely uninteresting to hackers. There would still be mischief, we do live in a broken world with teenagers and skilled hackers, but there would be a dramatic decline in the hacking of everyday websites.
I’m sure there are technical challenges with using user certificates that I haven’t considered, but I also believe that we could overcome these challenges and that we SHOULD overcome them for the pursuit of a more secure internet. Maybe the way something works today doesn’t allow for this idea – but that doesn’t mean that it has to continue to work that way. We should commit to making changes with online authentication, it’s about time!