Authentication is a fundamental human activity, and it has even older origins in biological systems, going back to the first immune systems. Perhaps it is because humans have such deep experience with it that we seem doomed to continually underestimate its significance. When it is a protocol or system designer who makes this mistake, a vulnerability is the likely result. Over and over again we find network protocols and secure systems that are subject to spoofing, MitM, or authentication forwarding attacks. Attacks against these weak authentication systems are maturing. The last year has seen practical attacks on network protocols, applications, major websites, and more. These attacks specifically leverage weaknesses in authentication architectures, and they point to a need for a fundamental rethinking of authentication. Authentication is evolving. We start by discussing what “being authenticated” really means. We present a few representative samples of existing (broken) authentication schemes and give examples of real apps under attack. We discuss the inherent problems with fundamental concepts like “login sessions” and why we think they are becoming obsolete. We talk about other dubious authentication practices which remain in common use. We then talk about event-based authentication, its strengths and limitations, and why we think this is the direction the world is moving.
Steve is the Chief Technology Officer and co-founder of PhoneFactor, a provider of phone-based authentication services. Steve is a regular speaker and writer on issues surrounding authentication.
Marsh Ray is a Software Development Engineer at PhoneFactor, Inc., a maker of two-factor authentication software, where he is responsible for security software development.