Digital era on analog approaches. Isn’t it time to forget about logins and passwords?

Head of the IT Development Center, «ID HUB»
Why is online security more than an antivirus and a firewall? Who is responsible for password security? What does real electronic mobility look like? What is Mobile ID, and should we expect this technology to be introduced in Ukraine?

The digital world is developing much faster than any society or system known to us since the beginning of time. Ever more complex technologies have brought dozens of conveniences and created hundreds of threats. It is clear that humankind is no longer able to give up electronic comfort. It seems we will have to keep "running after" the technologies we ourselves created. And so on: the flywheel effect is observed not only in mechanics.

Password protection and protecting the password

How, and by what means, is the user protected inside his digital reality, apart from technical measures? Most tasks, about 98%, are completed with a "login-password" pair: from the simplest user accounts to confidential business correspondence, from payments of a few UAH to contracts worth hundreds of millions.

On reflection, it turns out that this scheme is not fundamentally different from the "password-response" combination that is already several thousand years old. If such protection were sufficient, the digital world would not be the target of so many threats: several million cyber attacks a day, and those are only the ones that are recorded. Cyber-hunting follows the laws of nature and society to the letter: what gets attacked is what is valuable to the ill-minded person, and what is poorly protected.

The person, the user, is the weakest link in this chain.

Strangely, despite all the threats, virus attacks and huge financial losses, nearly every fifth internet user still picks the never-to-be-forgotten qwerty, 1q2w3e, password or 1234. Needless to say, present-day password-cracking software needs at most a few seconds to recover such passwords.

Sooner or later users learn from their own mistakes and think up a strong password. But as a rule it is the one and only password for all their resources.

The other extreme is seen in companies with an "enforced" password policy. The password is changed frequently and contains letters, numbers and special characters, sometimes up to 20 of them. No one can keep such a combination in mind. That is what yellow sticky notes are for: write the password down and stick it on the monitor. Unfortunately, this happens quite often.

The consequence: the threat is not always that a piece of personal information may be disclosed or used against its owner. The primary danger is that power and transport networks, government agencies and high-hazard facilities may be paralyzed at any moment, which to some degree did happen during the Petya.A attack.

If not password, then what?

A great many identification and authorization methods have been developed for the user, and, unfortunately, this only adds to the confusion. Given such variety, it makes sense to examine them in more detail.

Bank ID: a state-recognized identification technology that works through banking institutions.

Banks hold a lot of information about their customers: passport copies, taxpayer code, address, telephone number, accounts, everything needed to identify a person unambiguously. When a user needs to perform a personal transaction (for instance, apply for a digital certificate), he does not have to prove with documents that he is who he claims to be; the bank does it for him. In this case the bank acts as a "trusted center".

Ideally this is quite convenient, because most of us (if not everyone) have at least once given full information about ourselves to a bank.

The catch is that a commercial bank's customer information is as valuable as money, and no bank will voluntarily hand its own client base to a direct competitor. Attempts by the National Bank of Ukraine to roll this technology out at scale through the capacities of "Oshchadbank" have had no great success.

As a result we have a semi-operational system, initially designed for interbank interaction, which the banks themselves do not trust. In other cases, using Bank ID makes no sense for the user.

OTP: a one-time password that must be entered to confirm a transaction, in addition to the standard "login-password" pair.

The password is generated automatically and sent to the mobile phone as a text message. The scheme is familiar to users of popular online banking systems.

There is no doubt that this method is more reliable, until the moment you lose a phone on which "remember me" or "save the password" is enabled. The cost of the equipment required to operate such a system is also not always justified. Moreover, the password arrives as an ordinary SMS, and intercepting it is not that hard. That is why, since 2016, the highly reputable US National Institute of Standards and Technology has advised against using this technology.
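The server side of the one-time password scheme described above, as an added example (not code from the article or from ID HUB): the code is generated with a cryptographic random source, stored only as a hash bound to the transaction, accepted exactly once before it expires, and locked after a few wrong guesses. Transaction IDs and the "SMS text" are constructed; SMS delivery itself is not modelled, and nothing here addresses the interception problem the article raises, which is exactly why the transport, not the server logic, is the weak point.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// otpEntry is what the server keeps per pending transaction: never the
// code itself, only its hash, plus expiry and a failed-attempt counter.
type otpEntry struct {
	hash     [32]byte
	expires  time.Time
	attempts int
	used     bool
}

// OTPStore is a minimal in-memory store keyed by transaction ID (assumed
// layout; a real deployment would use a database with the same fields).
type OTPStore struct {
	entries     map[string]*otpEntry
	ttl         time.Duration
	maxAttempts int
	now         func() time.Time // injectable clock, so expiry can be tested
}

func NewOTPStore(ttl time.Duration, maxAttempts int) *OTPStore {
	return &OTPStore{entries: map[string]*otpEntry{}, ttl: ttl, maxAttempts: maxAttempts, now: time.Now}
}

// hashCode binds the hash to the transaction, so a code issued for one
// transaction cannot be replayed against another.
func hashCode(txID, code string) [32]byte {
	return sha256.Sum256([]byte(txID + ":" + code))
}

// Issue creates a fresh 6-digit code for txID and returns the code that
// would be placed in the SMS. Generation uses crypto/rand, never math/rand.
func (s *OTPStore) Issue(txID string) (string, error) {
	n, err := rand.Int(rand.Reader, big.NewInt(1000000))
	if err != nil {
		return "", err
	}
	code := fmt.Sprintf("%06d", n.Int64())
	s.entries[txID] = &otpEntry{hash: hashCode(txID, code), expires: s.now().Add(s.ttl)}
	return code, nil
}

var (
	ErrUnknown  = errors.New("no pending code for this transaction")
	ErrExpired  = errors.New("code expired")
	ErrUsed     = errors.New("code already used")
	ErrLocked   = errors.New("too many wrong attempts")
	ErrMismatch = errors.New("wrong code")
)

// Verify checks a submitted code. A code is accepted exactly once, only
// before expiry, and only while the attempt budget is not exhausted.
func (s *OTPStore) Verify(txID, code string) error {
	e, ok := s.entries[txID]
	if !ok {
		return ErrUnknown
	}
	if e.used {
		return ErrUsed
	}
	if s.now().After(e.expires) {
		delete(s.entries, txID)
		return ErrExpired
	}
	if e.attempts >= s.maxAttempts {
		return ErrLocked
	}
	e.attempts++
	h := hashCode(txID, code)
	if subtle.ConstantTimeCompare(h[:], e.hash[:]) != 1 {
		return ErrMismatch
	}
	e.used = true
	return nil
}

func main() {
	s := NewOTPStore(2*time.Minute, 3)
	code, _ := s.Issue("tx-1") // constructed transaction ID
	fmt.Println("SMS text (constructed):", "Your confirmation code is "+code)
	fmt.Println("first use:", s.Verify("tx-1", code))  // <nil>
	fmt.Println("second use:", s.Verify("tx-1", code)) // code already used
}
```

The hash-only storage means a leaked pending-code table is useless to an attacker, and the per-transaction attempt counter keeps a 6-digit space from being brute-forced within the two-minute window.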

The smart card is yet another method. It looks like a plastic card with a chip, and the chip itself acts as the "brain".

Potentially a smart card is quite versatile, since a wide variety of data (including the EDS key) can be loaded onto it, and the storage itself is well protected.

The minuses: you must always have the card with you. The closest example is a bank card with a chip. Special equipment (a terminal) is needed to read a smart card. Institutions and commercial organizations can justify buying one, but for a private user such a terminal is hardly a convenient purchase.

Following on from this, and potentially a more advanced version, is the ID card: the analog of the internal passport of a citizen of Ukraine, containing biometric data (in our case a fingerprint), a photo, full name, date and place of birth, and details of the card's issuance.

As of today, ID cards lack the functionality of smart cards, but this is not a technical obstacle. A few days ago it was announced that EDS keys will be embedded in ID cards. In effect, wherever a document and the user's signature may be required, they can be replaced remotely by the card. In Estonia, for instance, residents even vote using similar identifiers.

However, it is still unclear how, and at whose expense, the infrastructure will be built, since in this case a reading terminal is unavoidable.

What is more, exchanging the current passport for an ID card is voluntary. It is hard to imagine that citizens of Ukraine will rush en masse to change their passports, even if the ID card's functionality is extended.

There is another sensitive point in electronic identification of a person: anonymity. In some cases it is not only desirable but critical. Far from every resource requires legal "deanonymization" (e-mail, for instance), but all of them require protection.

Mobile ID

In matters of electronic identification, Ukraine is largely following the usual course: trial and error. At least we now understand the advantages and disadvantages of the technologies available to us. And we reach the conclusion that most of the problems can be solved if two conditions are met: widely available reading devices and a developed support infrastructure.

The answer lies on the surface: the mobile phone plus the existing cellular network and EDS infrastructure. These possibilities are combined in Mobile ID technology and its improved form, Mobile Signature.

To begin with, this technology is operating successfully in many European countries, as well as in a number of other countries that lag behind Ukraine in technological level. It is built on the principle that "a mobile phone is enough", and, interestingly, regardless of its brand, model or age.

To describe the technology in one simple phrase: the phone contains the smart card described above (our familiar SIM card takes on that role), and the phone itself is the reading device.

The EDS key is written into the SIM card's protected storage area, and from a technical point of view it cannot be extracted. The software on the SIM card, together with a complex cryptographic algorithm, operates in a mode hidden from the user.

The only thing required of the user is to confirm the transaction with a code known only to him (the analog of a PIN code chosen by the user himself). The code travels over a protected channel and cannot be intercepted.
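The signing flow the last three paragraphs describe, reduced to its cryptographic skeleton as an added example (this is not the article's or ID HUB's code, and it does not model any real SIM applet or operator gateway). A "SIM applet" holds a private key that never leaves it and signs only after a PIN check with a retry counter; the service provider issues a fresh random challenge bound to the transaction text and verifies the signature against the public key enrolled for that subscriber. Key type (ECDSA P-256), PIN length, retry limit and the subscriber number are all assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// SIMApplet models the signing applet on the SIM: the private key lives
// inside and is never returned; signing is gated by the user's PIN with a
// retry counter, as on a real smart card. Only a hash of the PIN is kept.
type SIMApplet struct {
	priv      *ecdsa.PrivateKey
	pinHash   [32]byte
	triesLeft int
}

func NewSIMApplet(pin string) (*SIMApplet, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // assumed key type
	if err != nil {
		return nil, err
	}
	return &SIMApplet{priv: priv, pinHash: sha256.Sum256([]byte(pin)), triesLeft: 3}, nil
}

// PublicKey is the only key material that ever leaves the SIM; it is
// registered with the service provider at enrolment.
func (s *SIMApplet) PublicKey() *ecdsa.PublicKey { return &s.priv.PublicKey }

var (
	ErrBlocked = errors.New("SIM applet blocked: PIN retry counter exhausted")
	ErrBadPIN  = errors.New("wrong PIN")
)

// Sign checks the PIN, then hashes and signs the challenge inside the
// "SIM". The user sees the transaction text on the phone and enters the PIN.
func (s *SIMApplet) Sign(pin string, challenge []byte) ([]byte, error) {
	if s.triesLeft == 0 {
		return nil, ErrBlocked
	}
	h := sha256.Sum256([]byte(pin))
	if subtle.ConstantTimeCompare(h[:], s.pinHash[:]) != 1 {
		s.triesLeft--
		return nil, ErrBadPIN
	}
	s.triesLeft = 3
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, s.priv, digest[:])
}

// Verifier is the service provider side: it issues challenges and checks
// signatures against the key enrolled for each subscriber.
type Verifier struct {
	keys    map[string]*ecdsa.PublicKey // subscriber number -> enrolled key
	pending map[string][]byte           // challenge id -> challenge bytes
}

func NewVerifier() *Verifier {
	return &Verifier{keys: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
}

func (v *Verifier) Enrol(subscriber string, pub *ecdsa.PublicKey) { v.keys[subscriber] = pub }

// Challenge builds the message to be signed: nonce || transaction text.
// The nonce makes every signature unique, so a captured signature cannot
// be replayed for a later transaction.
func (v *Verifier) Challenge(txText string) (id string, challenge []byte, err error) {
	nonce := make([]byte, 16)
	if _, err = rand.Read(nonce); err != nil {
		return "", nil, err
	}
	id = hex.EncodeToString(nonce)
	challenge = append(nonce, []byte(txText)...)
	v.pending[id] = challenge
	return id, challenge, nil
}

// Verify accepts each challenge at most once and checks the ECDSA signature.
func (v *Verifier) Verify(subscriber, id string, sig []byte) bool {
	pub, ok := v.keys[subscriber]
	ch, ok2 := v.pending[id]
	if !ok || !ok2 {
		return false
	}
	delete(v.pending, id) // one challenge, one answer
	digest := sha256.Sum256(ch)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	sim, _ := NewSIMApplet("4321")           // constructed PIN
	v := NewVerifier()
	v.Enrol("+380000000000", sim.PublicKey()) // constructed subscriber number
	id, ch, _ := v.Challenge("Login to portal")
	sig, _ := sim.Sign("4321", ch)
	fmt.Println("signature accepted:", v.Verify("+380000000000", id, sig)) // true
	fmt.Println("replay accepted:", v.Verify("+380000000000", id, sig))    // false
}
```

Two properties carry the article's argument: the service provider never receives the PIN or the private key, only a signature over its own nonce, and the nonce is consumed on first use, so neither a stolen signature nor a stolen verifier database lets anyone impersonate the subscriber.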

Studies of foreign experience, testing and analysis of hypothetical situations have shown that this combination of protective factors is more than enough for decades to come.

First, almost everyone has a "terminal". Even those who have never been on the internet in their lives have a phone.

Second, the phone is always with you. A person may not go back for a forgotten wallet, passport or even a driver's license, but cannot afford to be without the means of communication.

Third, the human factor is almost completely excluded. No one knows the complete set of identification data, so there is no point in trying to learn even a part of it. Ill-minded persons will have to invent new fraud methods, and that, unfortunately, is inevitable. But those methods will at least not be so primitive, nor so impressively effective.

The only thing Mobile ID cannot protect against is the phone passing into the wrong hands together with disclosure of the personal code. If the user does this of his own free will, there is no protection from it and never will be.

Any prospects?

The first, already familiar and seemingly logical question raised by Mobile ID technology: why invent something new if we already have EDS?

The answer is this: Mobile ID does not compete with traditional EDS and does not replace it. What is at issue is the greater flexibility, mobility, protection and much broader functionality of such a solution.

In 7 cases out of 10, traditional EDS is used for its intended purpose: signing a document, which happens several million times a month. Mobile ID is primarily designed for authorization, and that procedure is performed several tens of millions of times a day!

Speaking of flexibility, it is important to realize that, at the user's request, it offers not only anonymous authorization but also personalized login to a resource, and even legal validity for any action through the use of a qualified signature.

As for mobility, let any skeptic answer for himself: what do you do with an EDS certificate on a USB drive when the phone is within reach but there is no time?

By the end of 2017 Mobile ID should be fully operational in Ukraine, if the public statements of the highest state leaders are to be relied on. Needless to say, this will be preceded by a whole range of tests, certification stages, tenders and the like. The complexity of the procedure stems from the peculiarities of encryption algorithms, EU regulatory requirements and so on. After all, we are talking about personal data protection, and mistakes in choosing the practical implementation of the technology would be inexcusable.

But it is already clear that demand for Mobile ID, from both business and private users, is unexpectedly high. It is hoped that this combination of interests, backed by government support, will ensure the successful launch of a technology that is, by every measure, a breakthrough for Ukraine.