Strong Authentication for the Masses?

WiKID Systems Open Source Strong Authentication System – their commercial site can be found at wikidsystems.com

Let me break down some terms before I jump in here:

  • Identification vs. authentication – Identification is asserting your identity (“My name is Mike”). Authentication is proving your identity (“Here’s my driver’s license that says I’m Mike”).
  • Strong authentication – Authentication that is considered relatively secure and definitive. Generally equates to two-factor authentication.
  • Two-factor authentication – You can prove your identity in one of three ways: something you know, something you have, and something you are. The first one, something you know, could be a password, passphrase, or the answer to a secret question. The second one, something you have, is a token, such as a smart card, key fob, dongle, passport, or birth certificate – it’s a unique physical thing that only you possess. The last one, something you are, is a biometric – your fingerprint, retinal scan, voiceprint, et cetera. Two-factor authentication means using two of these three things to prove identity.

With that in mind, I can explain why WiKID caught my eye. Usernames and passwords, in almost any real-world setting, are fairly insecure. They can be guessed, sniffed, or brute-forced. We often use easy-to-remember passwords (mydogskip) instead of more secure passwords (b!ouFroap*lus1le). We don’t change them often enough, and we use the same password for many systems. There are some good uses of passwords, and they aren’t all bad, but there is a need for stronger authentication.

I have a smart card for work. That card is how I log on in the morning, how I open a connection to the office from home, and how I authenticate myself to many of our internal systems. I plug it into a special card reader, enter my PIN, and it sends off the digital certificate that validates I am who I say I am. This is two-factor authentication, combining something I have (the smart card) with something I know (the PIN).

This is great for the corporate environment, where there are people whose job is to maintain all the digital certificates (granting, expiring, revoking, etc.) and to handle the cases where somebody forgot their card at home, or lost it, or whatnot. It’s also worth it to a corporation to tie their systems in to this single source of authentication. This is a fairly expensive proposition, however, for the home user.

WiKID aims to solve this by providing a software-based token. Essentially, there are three components:

  1. WiKID server – This is the heart of the authentication. Basically, this is the part that maintains the list of registered users.
  2. Device client – This is the software-based token I mentioned. This is what you use to authenticate yourself.
  3. Network client – This is the agent that runs in the target system. This agent replaces the old authentication scheme, like usernames/passwords, that your web site formerly used.

Basically, it works like this (based on http://www.wikidsystems.com/technology/overview):

  1. You need to authenticate yourself to your web site (for example). You open up the Device client on your computer and feed it your PIN code.
  2. The Device client encrypts the PIN so only the WiKID server can read it and “phones home” to the WiKID server that manages your user directory and verifies your name and PIN.
  3. The WiKID server checks this and issues you a one-time password (OTP), a magic code that is only valid for a short period of time.
  4. You feed that code to your web site, which asks the WiKID server if this is a valid OTP for you.
  5. The WiKID server answers yes, and presto, you’re authenticated.
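To make the flow concrete, here is an added model of the server’s side of it as the overview describes it: a user directory, a set of registered Device clients, OTP issuance against name + PIN, and the Network client’s validation check. This is my own illustration, not WiKID’s code or protocol; the 60-second window, the 8-digit OTP format, and the use of PBKDF2 for PIN storage are assumptions, and the encrypted transport of the PIN is left out (the model starts where the server has already decrypted it).

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 60  # "valid for a short period of time"; the window length is an assumption


class WikidServerModel:
    """Constructed model of the server role: user directory, registered devices, OTP issue/validate."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._devices = set()  # device ids that completed the initial set-up step
        self._users = {}       # username -> (salt, pin_hash)
        self._otps = {}        # username -> (otp, expires_at)

    def register_device(self, device_id):
        self._devices.add(device_id)

    def register_user(self, username, pin):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._hash_pin(salt, pin))

    @staticmethod
    def _hash_pin(salt, pin):
        # The PIN is stored salted and stretched, never in the clear (PBKDF2 is an assumption).
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def request_otp(self, device_id, username, pin):
        """Device-client step: (registered device, name, PIN) -> OTP, or None on any failure.
        Any registered device plus the right PIN succeeds; nothing ties the user to one device."""
        if device_id not in self._devices or username not in self._users:
            return None
        salt, stored = self._users[username]
        if not hmac.compare_digest(stored, self._hash_pin(salt, pin)):
            return None
        otp = f"{secrets.randbelow(10**8):08d}"
        self._otps[username] = (otp, self._clock() + OTP_TTL_SECONDS)
        return otp

    def validate_otp(self, username, otp):
        """Network-client step: is this OTP valid for this user right now?
        The OTP is consumed on the first check, valid or not, so it works once and cannot be retried."""
        entry = self._otps.pop(username, None)
        if entry is None:
            return False
        issued, expires_at = entry
        return self._clock() <= expires_at and hmac.compare_digest(issued, otp)
```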

This is more secure than a username and password for a few reasons:

I haven’t done a deep dive into this yet, but on the surface, it’s a pretty good thing. It would be possible to capture and spoof the encrypted PIN transmission to the WiKID server, but traditional hardware token-based authentication suffers from the same. There’s an initial setup step with each Device client to give it the WiKID server keys and add the user to the directory, similar to going to the Department of Motor Vehicles to get your driver’s license. Overall, though, it appears to be nicely secure. Time permitting, I’ll look at adding it to my SSH server at home and to my WordPress installation.

The one problem I have with this solution is the software token, the Device client. In a traditional scenario, not only is my PIN secret but my token is unique – somebody has to have my token in order to impersonate me. With WiKID, I can authenticate using anybody’s device client that has my server’s key. Every device that has registered with my WiKID server could be used by me to authenticate – or by anybody else that happened to discover my PIN. It’s not wide open to the world, but it is an opening not shared with smart card-based two-factor authentication. The security of this system then essentially revolves around keeping the PIN secret and safe.

In short, I like it for home or perhaps small office use. It’s stronger than passwords and easier to manage than certificates (my current SSH solution). It’s reasonably secure and it’s open source. I’ll report back later on the ease of installation.