Stolen Authenticators

By Kyle Neuman, Director of Trust Framework Development, DirectTrust
X: @DirectTrustorg
LinkedIn: Kyle Neuman
This is Part 3 of a 5-part series.

In a continuation of our Identity Credential Risk series, we focus on stolen authenticators. We previously outlined the difference between Identity Credentials and Unique Identifiers and risks of Identity Fraud, Impersonation, and Misissuance. While the previous post looked closely at identity proofing and identified some of the associated risks, this post examines the next stage of a digital identity credential’s lifecycle, which involves authenticators.

What Is An Authenticator?

An authenticator can take many forms, but most commonly it comes in three types:

  1. Something you know (like a password)
  2. Something you have (like a cell phone) or
  3. Something you are (like a fingerprint)

All authenticators are a means to prove to a computer system an individual possesses something they are expected to have. As you might imagine, not all authenticators are created equal. Some are better than others in certain scenarios.

Why Do We Need Authenticators?

You might ask yourself, what is the point of an authenticator? If I already know who the person is after they’ve been identity-proofed (we reference this in Blog 2), why do I need one? One way to answer that question is: you don’t need authenticators. In fact, one could factually state that an authenticator is a luxury in terms of digital identity (except for preserving anonymity). I can already hear the identity experts gasping at that sentence so allow me to drop the other shoe. While authenticators are a luxury in most scenarios, they still are important. Life without strong authenticators would be a real pain. Consider the following analogy to illustrate the importance of authenticators:

Let’s revisit our previously introduced analogy of a nationwide banquet with over 320 million Americans. You’re at the reception desk handing out badges with the goal of giving the right badge to the right person.

Attack #2: Risks of Stolen Authenticators

Extending our analogy, imagine in this banquet of epic proportions guests get three meals throughout the day. However, they need to return to the registration desk to obtain a new ticket for each meal. (I know, there are better ways to do this, but the analogy to online interactions work better this way.)

There are many methods you can use to hand out meal tickets. Without using authentication, you would need to identity-proof each person again and again and again and AGAIN. In our example, that’s four ID proofing events (badge, plus each meal ticket). Remember from the last blog post that ID proofing is widely regarded as the highest friction step in obtaining an identity credential.

Identity proofing a patient every time they want to access their information online is a nonstarter. Let’s consider a more convenient world where authenticators exist.

To increase efficiency at our banquet, imagine you 1) hand out unique QR codes to everyone when they get their badge and 2) that users promise to keep the code secret. This way, when they approach you to get a meal ticket, you can simply scan the QR code and print out a ticket. The system keeps track of who has already received a meal. This way, the same person can’t get more than one ticket per meal.

More importantly, a unique QR code eliminates the need to verify their identity. This is possible because you issued each person a QR code that they promised to keep secret. You know their identity has already been verified if they are able to present a valid code. Therefore, there is no need to ID proof them again. This analogy is an example of “credential binding.” You “bound” them to their secret QR code.

There is a very important aspect to credential binding: you must make sure you give the secret QR code to the same person that you identity proofed. This is important because you’re going to rely on the QR code in lieu of identity proofing later. You can’t have someone else getting their hands on another person’s unique code.

Mitigating the Risks of Authenticator Theft

In the digital world, this secret QR code is called an authenticator, and the potential impacts of authenticator theft are obvious. If someone simply stole another person’s secret QR code, they could impersonate them and steal their meal.

In fact, stolen authenticators are the most common way attackers compromise a system. The methods attackers use to steal authenticators vary widely and are highly dependent on the type of authenticator used. NIST SP 800-63B goes into detail about the different types of authenticators. The document classifies these authenticators into three increasing authenticator assurance levels (AALs). NIST SP 800-63B is a very technical document, but it’s available when you’re ready for a deep dive into authenticators.

How are Authenticators and ID Proofing Related?

Think of authentication as a super-fast identity proofing event performed by a computer system and the authenticator as a specialized piece of identity evidence. Technically speaking (to make the identity expert readers happy), authenticators are not generally considered identity evidence, but let’s imagine they are. We learned above that NIST SP 800-63B defined three levels of authenticator assurance.

We concluded in the previous post that a driver’s license and a utility bill are not equivalent pieces of evidence. A password and a FIDO token are not equivalent pieces of evidence, either. It makes little sense to ID proof someone to a high level of assurance, then bind them to a weak authenticator that you check later in lieu of ID proofing. This is why NIST states the following language in its SP 800-63B guidance:

“… authenticators at the same AAL as the desired IAL (identity assurance level) shall be bound to the account. For example, if the subscriber has successfully completed proofing at IAL2, then AAL2 or AAL3 authenticators are appropriate to bind to the IAL2 identity.”

World War II and Authenticators. Are They Related?

A specific event that occurred in World War II, the Merkers Mine Treasure, serves as an interesting tangent to drive home the point that identity proofing and authenticator assurance need to be at the same level.

In 1945, the Americans discovered a Nazi gold mine that was heavily fortified — or so they thought. The mine was protected by a 100-foot brick wall and a massive steel vault door. Every attempt to open the massive vault door was unsuccessful. Then an engineer stuck a half-stick of dynamite in the brick wall next to the door and gained access to the whole mine full of gold!

How does this relate to the relationship between identity proofing and authenticators? The massive steel vault door is like a high assurance identity proofing event, and the brick wall is analogous to a weak authenticator. If your goal is to protect an asset, the brick wall needs to be at least the same strength as the steel vault door. If not, your highly prized assets are vulnerable.

What About Multifactor Authenticators?

Multifactor authentication is one way to reduce the frequency of authenticator theft, using more than one “flavor” or type of secret to prove someone’s identity.

Let’s apply multifactor authentication to our analogy. When you give out your secret QR code to an individual at the banquet, you also give them a short random number to remember. When they come back for their meal ticket, they give you the QR code and the number they memorized. When used together, you can strongly identify the person in the system. What if someone who is both hungry and nefarious (a.k.a. hangry) at the banquet steals someone’s secret QR code? They would also need to know the memorized number to assume their identity and steal their meal. This example of a multi-factor authenticator uses something only one person has (a secret QR code) and something only one person knows (a secret number they memorized).

As you can see, all authenticators follow the same pattern. They prove possession of something that no one else has. Even a fingerprint is something you have. You can prove possession of your fingerprint to unlock your phone, open a door, etc.

DirectTrust’s Role in Helping Healthcare Choose Strong Authenticators

For many years, DirectTrust has accredited organizations that support strong authenticators. We’re also working on new criteria to address a wider variety of authenticators that may be used by patients and other people in healthcare. If you’re passionate about authentication or if you have ideas about how authenticators could be used better, we invite you to participate and help shape the way healthcare gets authenticated!

Stay tuned for the next blog in this identity credentials series about operational controls (Attack #3). We’ll discuss how operational controls can be compromised by an attacker to assume anyone’s identity.

This article was originally published on the DirectTrust blog and is republished here with permission.