User authentication is one of the most important parts of computer security, because every security policy starts with authentication. Authentication should also be easy to use; otherwise users will not use it. So it has to be a good compromise between security and usability.
Parts of authentication security:
- Registration
- Authentication check
- Recovery
These three are the main parts of security.
Some challenges in user authentication
Intermediate principals
A part that we will not cover is intermediate principals: attacks on the means of transmission or on the intermediate devices used in the transmission. For example, a key-logger on the client system is enough to compromise the security of the authentication.
User identity
Another problem is user identity: how can we be sure that we are talking with a specific person? With password-only authentication it is often quite difficult to obtain this property. Some websites do not need to know much about user identity; for example Amazon just needs to know your credit card, not who you are. Others, like institutions, need to know that you are a student, so they need to know something more about you.
Password based authentication
Why use password based?
Password authentication is one of the most widely used methods. Why? It is user friendly and usually convenient. The problem is that passwords are often easy to steal or to guess, and they offer no verification of user identity. Most passwords on the internet are easy to guess, typically common names and words:
Defense strategies
So how can we defend ourselves against these attacks?
- Use each password in as few places as possible.
- Use a single password for a single session (so change passwords).
- Use a password manager for these!
- Rate-limit authentication attempts.
- Augment with second-factor authentication.
Rainbow attacks
Usually passwords are stored on the system as hashes, for example SHA-256. Systems also use a slow hash function, because this makes it very expensive for an attacker to compute everything (and reduces side-channel attacks). For example bcrypt is a slow one.
A rainbow attack is simple: precompute the hashes of many common words, then compare these hashes to the values found in the database.
For this reason we hash with a salt (see Sicurezza OS#Autenticazione), that is a random prefix or suffix, saved in clear in the database, with which the password is hashed. This makes rainbow attacks much, much harder.
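To make the salt and slow-hash argument concrete, here is an added example in Python; it is not from these notes. It uses a constructed five-word dictionary as the attacker's precomputed table and PBKDF2-HMAC-SHA256 from the standard library as the slow hash in place of bcrypt.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed word list standing in for the "many common words" an attacker
# precomputes; a real table would hold millions of entries.
COMMON_WORDS = ["password", "123456", "qwerty", "letmein", "welcome"]
ITERATIONS = 100_000  # cost of each guess, the slow-hash idea (bcrypt in the notes)


def fast_hash(password: str) -> str:
    """Plain SHA-256, no salt: what a naive system stores in its database."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_table(words) -> Dict[str, str]:
    """Precomputed hash -> word table. Built once, it works against every
    database of unsalted SHA-256, which is the rainbow attack's whole point."""
    return {fast_hash(w): w for w in words}


def lookup_unsalted(stored_hash: str, table: Dict[str, str]) -> Optional[str]:
    """One dictionary lookup recovers the password if it is in the table."""
    return table.get(stored_hash)


def store_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted slow hash: a fresh random salt per user, kept in clear next to the
    digest. PBKDF2-HMAC-SHA256 is a standard-library stand-in for bcrypt."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def table_hits(password: str, table: Dict[str, str]) -> Tuple[bool, bool]:
    """(unsalted_found, salted_found): the table finds the unsalted hash at once,
    but a salted digest never appears in it; the attacker would have to rebuild
    the table for every salt in the database, paying the slow hash each time."""
    unsalted_found = lookup_unsalted(fast_hash(password), table) is not None
    _, digest = store_salted(password)
    return unsalted_found, digest.hex() in table
```

Two users who pick the same password get different salted digests, so the database does not even reveal that the password is shared.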
Two factor authentication
How 2FA helps?
- Weak passwords are no longer a problem with 2FA, provided that the second factor is strong enough.
- Phishing attacks are no longer useful, provided that the attacker cannot break the second factor.
Implementation methods
- Just send an SMS with a second code that can be used within a limited time.
- Time-based OTP, for example an authenticator app, which produces a new code for each time step, usually calculated as $H(\text{secret} \mid \text{time})$, i.e. the hash of the secret concatenated with the time.
- This is quite bad in case the server gets compromised (every single secret must be changed).
- Another downside is that it needs to be reinstalled if the phone is changed.
- Physical authentication with USB sticks. These are keys that contain the password or some other codes used to authenticate.