Advanced Persistent Threats in Digital Identity
You may have seen the disturbing news report "Chinese hacker group caught bypassing 2FA": the Chinese state-sponsored group APT20 has been busy hacking government entities and managed service providers.
We were struck by the capability of these attackers, who may well be backed by large budgets and by ample means to bribe or coerce insiders at target organizations.
We believe we could make meaningful contributions in three areas: (1) preventing the compromise of an OTP token from undermining the overall security of two-factor authentication, (2) preventing the OTP token from being compromised in the first place, and (3) preventing inside jobs.
Below are the conclusions that we reached.
1. Our proposition of the simplest 2F authentication could help.
Consider an extremely simple two-factor authentication made of a remembered password (what we know) and a memo or storage medium holding a long password (what we have). It can be used right away at no cost.
If the two factors are combined and properly hashed (with a salted, deliberately slow password hash), the resulting high-entropy value stands up to brute-force attack on the stored verifier. Theft or copying of the memo/storage alone does not expose the account while the remembered password is unknown to the criminals. The caveat is that an attacker who holds the memo then needs to guess only the remembered part, so that part must still be reasonably strong and the verifier should rate-limit failed attempts.
Furthermore, 'Image-to-Password Converter cum Entropy Amplifier' software could be considered for a better balance of security and convenience at a higher level once Expanded Password System becomes readily available. That software can be offered as a plug-in module for either the server or the user's device.
These schemes are explained in detail in the "Proposition on How to Build Sustainable Digital Identity Platform", selected as a finalist for the FDATA Global Open Finance Summit & Awards 2019.
2. Our proposition of 2-channel authentication could help.
With our 2-channel scheme, the one-time code can be recovered and sent back to the server only by the legitimate user who retains the secret credential in their memory.
Further details are provided in the slide "2-Channel Authentication with No Physical Tokens and No SMS".
It is also referred to as a powerful phishing deterrent in "Targeted/Spear Phishing and Expanded Password System".
This 2-channel scheme is not just a concept; it has actually been implemented in the real world for corporate use.
3. Our proposition of Authority-Distributed Authentication could help.
With this scheme, an encryption key is reproduced by any combination of 3 registered operators and is eliminated after the operation, as outlined in the slide "On-the-fly Key Generation from Our Memory". It would be extremely hard to quietly bribe or threaten 3 people at once, and fewer than 3 operators cannot reproduce the key.
Again, this scheme is not just a concept: the prototype software proved to work.
We are confident that we could make significant contributions to mitigating these 3 problems:
preventing the compromise of an OTP token from undermining the overall security of two-factor authentication,
preventing the OTP token from being compromised in the first place, and
preventing inside jobs.
#identity #authentication #password #security #fintech #finance #banking #biometrics #ethic #privacy #democracy