Believe it or not, one of the oldest technologies we still use is the password.
We’ve seen that omnipresent password box in almost every digital service for the last six decades. Yes, six; passwords were invented in 1961 at MIT for the CTSS (Compatible Time-Sharing System).
Interestingly, more than 80% of all data breaches in the digital world are associated with passwords, and still, the most popular password used for the last five years is, “123456”, which can be cracked instantly.
Passwords have been an integral part of the identity ecosystem. This, and especially the digital identity ecosystem, needs three specific frameworks (let’s call them the three A’s): Authentication, Authorisation and Attributes.
Authentication is the most critical one, as this establishes the ‘Digital Me’, establishing, or rather, providing enough confidence to establish, “Who am I in the digital world?”.
Authentication has come a long way, even if there is still a lot of reliance on passwords as the authentication mechanism. From knowledge-based authentication (e.g., passwords) to possession-based (e.g., OTPs) and then to inherence-based (e.g., biometrics).
If we look back at the journey that authentication technologies have taken over the past six decades, we can identify that the key characteristics have not changed. From passwords to OTPs and extending to biometrics:
The user has been kept active in the authentication process, even if there’s the realisation that the user is the weakest link in the chain.
Authentication as a barrier to service access: the user wants the service, but they have to go through the authentication barrier – there is a mismatch between what the user wants and what the user has to go through. The authentication is not invisible.
Authentication happens at the start of a service session and it’s assumed that all the contexts will remain the same throughout the session and beyond. Authentication is generally not continuous in most scenarios.
Most importantly, the authentication process is not humanised; the authentication process is designed for and used by machines, but is expected to be used by humans.
There are realisations of the elements around authentication within the industry, and there have been attempts to address these over the last few years where the passwordless world revolution has seen an acceleration. Two key themes have emerged in the evolution of authentication technology in this passwordless revolution:
- Risk-based authentication
- Cryptographic authentication
Risk-based authentication has been used primarily for authentication augmentation to add additional confidence to the primary authentication process and is primarily used in financial ecosystems including banking, fintechs, micro-lending domainsand within BNPL services.
Cryptographic authentication is the talk of the town now, with Passkeys being the poster boy for the passwordless world revolution.
The announcement by Apple at WWDC 2022 to the recent announcement from Amazon, the passwordless revolution – and Passkeys in particular are taking centre stage. The catalyst for the passwordless world is most likely to be the re-realisation that the user needs to be removed from the active participation of the authentication dance, the user being the weakest link. It is important to note that whereas user experience is critical for service delivery, the invisibility of the user experience is crucial for identity establishment.
When Tony Robbins said, “Identity is this incredible invisible force that controls your whole life. It’s invisible like gravity is invisible, but it controls your whole life.”, he was talking about Organic Identity: he was talking about humanised identity. In a similar vein, when Steve Jobs said, “Technology should either be beautiful or should be invisible”, he was likely referring to the humanisation of technology.
Mainstream media and social media have been buzzing with news about Passkeys and the passwordless revolution. From Apple and Google to Amazon, everyone has a story to tell.
Here’s how passkeys work:
1. A key pair (private/public keys) is created on the device.
2. An ID proofing is performed (through some methods), and the keys are then associated with the device (device binding) and associated with an account provided by the OEM (e.g., Apple ID). This is the weakest link, as that account e.g., Apple ID is protected using a password and OTP.
3. The private key is stored in the device, the public key is sent to the authentication service (server).
1. When authentication is needed, the authentication service sends a random challenge text to the device.
2. The device prompts the user to do an on-device authentication – in most cases, that’s biometrics
3. The device cryptographically signs the random challenge text with the private key stored in the device.
4. The signature is sent to the authentication service.
5. The authentication service validates the signature using the public key.
6. Authentication is completed.
Now, let’s go back to 1991, when the SIM was invented, and used by all GSM-based mobile devices. How does SIM-based Authentication work?
1. No setup is needed.
2. The key is already in the SIM.
3. No device binding is needed.
4. No need for any additional account [like Apple ID] which then has the weakness of being protected with passwords and OTPs.
1. The authentication is needed, the authentication service sends a random challenge text to the SIM.
2. The SIM cryptographically signs the random challenge text with the key stored in the SIM as a secure hardware with a microprocessor, specifically created for cryptographic operation and yes – for Identity too, remember: the “I” in the SIM stands for Identity.
3. The signature is sent to the authentication service.
4. The authentication service validates the signature using the key the MNO has in their Authentication Centre – a hardware security module.
5. Authentication completed.
Looks similar? It is much simpler, more secure and yes, it’s humanised and inclusive, as it includes every human with a mobile phone under the same security umbrella – from the most expensive smartphone to the simpler, inexpensive feature phone.
The SIM has the superpower to create a truly passwordless world, and it has been doing this for the last three decades and more.
I make no apologies for repeating that the “I” in the SIM stands for Identity, as it did in 1991 when the first SIM was used, and it still stands for Identity when using an eSIM.
The SIM is a hardware-based cryptographic engine, which 5 billion of us carry in our mobile phones. And, yes, it does not rely on any other form of identifiers or passwords in any part of the journey.
Sekura.id’s SAFr Auth utilises the superpower of the SIM to create a truly passwordless and inclusive world as we at Sekura.id believe in “Identity for All” – indeed, we’re committed to this resolution and our goal is to achieve it by 2030 making the world a SAFr place.
Gautam Hazari is Sekura’s Chief Technology Officer and a Mobile Identity guru. He and his team have built the Sekura API Framework (SAFr) – a unique platform that connects in real-time to mobile operators to allow enterprises to build trust in their customers, prevent fraud and create awesome logins.