
Real World Applications of Cryptocurrencies ― User Authentication

It has been almost a couple of months since my last Real World Applications of Cryptocurrencies post, but it's back with a bang. Following on from my previous post on Art & Collectibles & the Codex Protocol, which you can find here, I will be discussing how User Authentication will be disrupted with the emergence of the blockchain and cryptocurrencies.

Overview

Cybercrime is a major problem in today’s tech-driven world, and it’s only getting worse; it’s the fastest growing crime in the United States. The cyber security market is expanding rapidly, driven purely by the rise in cybercrime. According to a Cybersecurity Ventures report, the cyber security industry saw growth of over 350% between 2004 and 2017. It grew from $3.5Bn to $120Bn in just over a decade, with governments and institutions investing billions upon billions in cyber security.

The report also points out that cybercrime will cost the world $6Tn in 2021, an increase of 200% from the $3Tn figure in 2015. Digging a bit deeper into the numbers, in a recent survey the UK Government reported that over 43% of businesses have “experienced a cyber security breach or attack” in the past year alone.

The Problem

As mentioned in the previous section, governments and companies spend billions on cyber security. Cyber attacks can come in a multitude of forms, but in this post I will focus on user authentication attacks. These include (definitions taken from Techopedia and Rapid7):

Brute-Force and Dictionary Attacks ― in which an attacker tries to log in to a user’s account by systematically checking and attempting all possible passwords and passphrases until the correct one is found.
Pharming ― redirects website traffic through hacking, whereby the hacker implements tools that redirect a search to a fake website.
Phishing ― the fraudulent act of acquiring private and sensitive information, such as credit card numbers, personal identification and account usernames and passwords. Using a complex set of social engineering techniques and computer programming expertise, phishing websites lure email recipients and Web users into believing that a spoofed website is legitimate and genuine.
Malicious Browser Add-ons ― the act of intercepting sensitive information (i.e. passwords and cookies) by serving browser add-ons.
Man-in-the-Middle Attacks (MITM) ― allow attackers to eavesdrop on the communication between two targets. The attack takes place in between two legitimately communicating hosts, allowing the attacker to “listen” to a conversation they should normally not be able to listen to.
Social Engineering Attacks ― the non-technical cracking of information security. It applies deception for the sole purpose of gathering information, fraud or system access.

Currently, usernames & passwords are the predominant way to authenticate users. Unfortunately, due to human nature, password-based authentication is extremely weak. Humans are not great at creating effective passwords and very often choose easy-to-guess ones. On the occasions when people do create effective passwords, these are often written on a piece of paper or stored in an electronic document, making them significantly less secure. Additionally, passwords are likely to be re-used across multiple logins or changed infrequently.

Just to give you an idea of how serious this problem is, Verizon’s 2016 Data Breach Investigations Report found that 63% of confirmed data breaches involved weak, default or stolen passwords.

In order to solve this problem, multifactor authentication (MFA) has been introduced in many places. MFA is the process in which you need to confirm your identity using additional ‘factors’ (an app on your phone, a code via SMS, etc.). Unfortunately, this secondary security measure isn’t foolproof either, as there have been numerous cases of accounts being compromised even with MFA enabled.

An alternative to 2FA is certificate-based authentication, in which users are securely authenticated by presenting a digital certificate instead of a username and password. This solves some of the issues with username & password authentication (like phishing and MITM) but not everything.

Certificate-based authentication is built on a centralized Public Key Infrastructure (PKI). The backbone of a PKI is its digital certificates (which can only be issued by centralized authorities), used to cryptographically bind a public key to the entity that owns it. This offers stronger security (though not foolproof) as a trusted party mutually authenticates the client and server through a secure channel. Unfortunately, these certificates are centrally managed and vulnerable to cyber attacks. You can find more information on digital certificates and PKIs here.
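To make the certificate-based flow concrete, here is an added Go example that is not part of the original post: a hypothetical mini CA issues a client certificate, the client proves possession of its private key by signing a server-chosen nonce, and the server accepts only certificates that chain to a root in its trust store. The helper names, subjects and the self-signed-root simplification are assumptions; note that whatever a trusted root signs is accepted, which is exactly the centralization risk described above.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert (hypothetical helper) issues an Ed25519 certificate for cn; with parent == nil it is a self-signed root CA.
func newCert(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // constructed; real CAs use random serials
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  parent == nil,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if parent == nil { // in this demo every CA is a self-signed root
		tmpl.KeyUsage |= x509.KeyUsageCertSign // only a CA may sign other certificates
		parent, parentKey = tmpl, key          // the root is its own trust anchor
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// signChallenge (client side): signing a server-chosen nonce proves possession of the private key; no reusable secret is sent.
func signChallenge(key ed25519.PrivateKey, nonce []byte) []byte { return ed25519.Sign(key, nonce) }

// authenticate (server side): the certificate must chain to a root in the trust store, and the nonce signature must verify under the key that root vouched for.
func authenticate(cert *x509.Certificate, roots *x509.CertPool, nonce, sig []byte) bool {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return false // unknown issuer, expired, or issuer not a CA: identity not established
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	return ok && ed25519.Verify(pub, nonce, sig)
}
```

A certificate with the same subject name issued by a CA outside the trust store is rejected, but the moment that CA is added to the store everything it signs is accepted.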

To conclude this section, there are two major issues with user authentication today: the weakness of passwords and the centralized nature of PKI.

The Proposal

REMME caught my attention when researching this particular problem.

REMME is a so
