Finding Cyber Security Solutions in the Past for the Present
The need to secure the internet and the people using it is as old as the internet itself. Ever since people began using the World Wide Web to establish a virtual presence, the threat to identity and authenticity has existed. However, in the technology boom that took the 1990s by storm, people made the use and expansion of the internet the top priority and the first course of action. Cyber security took a back seat.
In recent history, the 2006 leaks by AOL can be viewed as humorous, dark, or dangerous. But one thing is certain – they marked the awakening of the need for cyber security strategies. Human curiosity and the inclination to crime were a real threat. Since then, a number of security reforms have been put into place.
First, let’s talk about authentication – the gateway to internet security. Cyber security and access are based on the three principles of authentication.
These principles rest on three factors respectively – the knowledge factor, the ownership factor, and the inherence factor. How are these factors adopted into the virtual space?
The knowledge factor is something the user knows, for example a password, an answer to a security question, a pattern, a Personal Identification Number (PIN), etc.
The ownership factor is something the user has, such as a bank card, a software token, a hardware token, etc.
The inherence factor is something the user is or does, for example biometric identifiers such as fingerprints, retinal scans, voice recognition, a signature, etc.
As this knowledge spread, it was understood that a lot more research and development would have to go into keeping the internet a safe and breach-free space. ‘The Fappening’ of 2016 is a crystal clear indication that it hasn’t been deployed. This is because the basics of authentication are not understood. It’s a simple principle and has three factors.
Recently, Apple introduced biometrics into its product. Even though this is a step forward, it is important to realize that it is not two-factor authentication. “Two-factor authentication is an additional layer of security designed to prevent unauthorized access to your account…” is how Apple introduced its new fingerprinting feature. This so-called two-factor authentication provides biometric entry into the device and extends no further. The rest of the browsing throughout the session is just as unsafe as any other browser-based access. In this scenario the prominent risk of breach was written off as ‘Risk Acceptance’ by the user and marketed to the public as the cost of maintaining public access. This is not normal! This is a solvable problem.
The second priority is to realize that, no matter how complicated the route of obtaining data in order to authenticate and allow access, it is still just data. When Apple uses a password and biometrics and calls it “two-factor”, it is vital to realize that it is still a one-factor authentication process, as it is only using data. The fact to note here is that two-factor authentication must require two unique, completely different factors. Data, no matter the process of acquiring it, is still just one factor.
On the other hand, there are claims to have deployed the two-factor solution in the form of tokens. These are entry-level tokens requiring something the user has. They suffer from the same shortcoming as Apple, mentioned earlier. This approach is multi-step but only a one-factor solution, because the token is used as an extra credential at the entry of the portal and not at the entry of the browser or anywhere else thereafter. Classified data is used in the form of something the user has, on top of the data that is something the user knows. These are added layers of data verification, but they are still just one unique factor, not two!
So when established corporations deal a bad hand and try to blindfold users into believing in stringent security that doesn’t exist, an illusion is perpetuated by those who were supposed to safeguard us in the first place. Companies like Apple could’ve invested in a solution that was actually two-factor; instead they made a clear choice to keep that on the shelf and take the easy way out. This is not only a step backwards for the company, but also for the industry in which Apple is a pioneer and could’ve paved the way for real two-factor authentication solutions.
Specifically, consider the Physical-Presence-on-the-Internet (PPI) solution, which provides two real, tangible, and unique factors of authentication. In PPI a physical token must be present in order to start a safe browsing session and must remain present throughout the session. If the physical token is removed, the session terminates and all the data is disintegrated. The token is present throughout the session, and is always presented at the time of interaction. We have known for a long time that this was the only way of assuring complete safety of the portal; however, usage has been a priority over security in our recent history.
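The session behaviour described above can be sketched in code. This is an added example, not code from the article or from any PPI product; the `SimulatedToken` class, the HMAC challenge-response check, and all names are assumptions chosen to model "present at start, present at every interaction, wiped on removal".

```python
import hashlib
import hmac
import secrets


class SimulatedToken:
    """Stand-in for a physical token (assumption: it answers HMAC challenges)."""

    def __init__(self, key: bytes):
        self._key = key
        self.plugged_in = True

    def respond(self, challenge: bytes):
        if not self.plugged_in:
            return None  # a removed token cannot answer
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class PresenceBoundSession:
    """Session that lives only while the enrolled token keeps answering."""

    def __init__(self, enrolled_key: bytes, token: SimulatedToken):
        self._key = enrolled_key
        self._token = token
        self.data = {}
        self.active = self._token_present()  # checked at session start

    def _token_present(self) -> bool:
        challenge = secrets.token_bytes(32)  # fresh nonce, so old answers fail
        answer = self._token.respond(challenge)
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return answer is not None and hmac.compare_digest(answer, expected)

    def interact(self, name: str, value: str) -> bool:
        """Every interaction re-proves presence; a failure ends the session."""
        if not self.active or not self._token_present():
            self.data.clear()  # session data is discarded on termination
            self.active = False
            return False
        self.data[name] = value
        return True


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed enrollment key
    token = SimulatedToken(key)
    session = PresenceBoundSession(key, token)
    print(session.interact("note", "draft"), session.data)
    token.plugged_in = False  # simulate pulling the token mid-session
    print(session.interact("note", "more"), session.data)
```

Re-inserting the token does not revive a terminated session; a new session has to be started.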
Another way of ensuring two-factor authentication of the user is by using the Social Contact Theory. “According to social presence theory, communication is effective if the communication medium has the appropriate social presence required for the level of interpersonal involvement required for a task. On a continuum of social presence, the face-to-face medium is considered to have the most social presence, and written, text-based communication the least.” Software built on the concept is able to identify the online social behaviors and patterns of the user and detect any discrepancies in the secure session. This is based on the second factor of inherence, something that the user is or does. Social presence has come to be viewed as the way individuals represent themselves in their online environment. Examples – keyboarding and accuracy skills, use of emoticons and paralanguages, characteristics of real-time discussions, etc.
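One way such discrepancy detection can work for the "keyboarding" example, shown as an added sketch that is not from the article or any product: it enrolls a typing rhythm from inter-key intervals and scores later samples against it. The timestamps are constructed, and the z-score method and threshold of 3.0 are assumptions.

```python
from statistics import mean, stdev

# Constructed key-down timestamps (ms) for the same five-key phrase.
ENROLLMENT = [
    [0, 110, 250, 340, 520],
    [0, 120, 255, 350, 520],
    [0, 105, 250, 335, 510],
]
SAME_USER = [0, 115, 252, 345, 522]
OTHER_USER = [0, 200, 290, 500, 590]


def intervals(timestamps_ms):
    """Gaps between consecutive key presses."""
    return [b - a for a, b in zip(timestamps_ms, timestamps_ms[1:])]


def enroll(samples):
    """Per-position (mean, std-dev) of the intervals across enrollment samples."""
    columns = list(zip(*(intervals(s) for s in samples)))
    # Floor the std-dev at 1 ms so a very consistent typist does not
    # produce a divide-by-zero or an over-sensitive profile.
    return [(mean(c), max(stdev(c), 1.0)) for c in columns]


def deviation(profile, timestamps_ms):
    """Mean absolute z-score of one typing sample against the profile."""
    observed = intervals(timestamps_ms)
    if len(observed) != len(profile):
        return float("inf")  # wrong phrase length: cannot match the profile
    return mean(abs(o - m) / s for o, (m, s) in zip(observed, profile))


def is_discrepant(profile, timestamps_ms, threshold=3.0):
    """Flag a sample whose rhythm is far from the enrolled user's."""
    return deviation(profile, timestamps_ms) > threshold


if __name__ == "__main__":
    profile = enroll(ENROLLMENT)
    for label, sample in (("same user", SAME_USER), ("other user", OTHER_USER)):
        print(label, round(deviation(profile, sample), 2),
              is_discrepant(profile, sample))
```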
So knowing what we know now, it’s easy to see that the cyber security crisis that we face today is a result of choices made by the government, the big corporations, and the pioneers of the industry. The next logical step into the future is to go back to the past, go back to the basics, and make the difficult choices.