Multifactor authentication offers clear benefits to enterprises; the obstacles are the complexity of the technology and the variety of incompatible tools across vendors. MIRACL recently launched its multifactor authentication as a service platform, which delivers multifactor authentication at scale as a white-label solution, so that distribution partners can offer it to their customers under their own brand.
MIRACL’s Brian Spector discusses an alternative approach to security on the internet, and why current foundations for internet trust are fundamentally unsafe.
MIRACL was started several years ago as an open source company, said Spector. Along the way, we got a reputation for developing high-performance cryptographic libraries for embedded and constrained device environments, including chips, mobile and hardware. Anyone doing cryptographic operations in Silicon Valley, such as in chips, including Intel, Siemens, Google, Microsoft, ARM and more, is a customer.
We started theorizing about four years ago that the current information technology infrastructure was not going to keep pace with today’s demands of a distributed internet. All of our security infrastructure is too outdated to keep pace with current threats.
We have essentially built a next-generation platform to eliminate the client server – the infrastructure that we use to create secure connections between people, apps and things, and authenticate people, apps and things, like passwords. We then combined it all in one harmonized platform which we called the MIRACL identity integrity as a service platform.
It can be used for multifactor and user authentication, and the nice thing about our platform is that we have enabled it to be easily white-labeled by folks we call our distribution partners. They can be telecommunication companies, systems integrators, and cloud companies in general.
Blockchain Security – Banks Find it Hard to Implement
The security on the blockchain has been around since 2008, and has never been broken. Cryptographically, the actual technology on the blockchain is very sound. The problem that banks are having with implementing the blockchain is that it is the exact opposite of how you would expect a customer to interoperate with a financial institution. In fact, it is the exact opposite by law, meaning that every transaction on the blockchain is public, yet, the identity integrity of people and institutions behind those private keys on the blockchain is not assured.
You kind of get the worst of all possible worlds when you are talking about a financial platform that the banks would use. Those are the things that the MIRACL identity integrity platform would fix – issues like transaction integrity, identity integrity, confidentiality and transparency.
Congress Recently Passed a Blockchain Support Bill
The biggest blockchain initiative currently is something called the Hyperledger Project, which is a consortium of big names like IBM, NTT, Microsoft, and more. We are also a part of the consortium, and the aim is to finalize some standardization around blockchain technology so that it can be interoperable, in a way that would enable us to push the technology to the forefront and make it adoptable by enterprises.
Blockchain and IoT
If you think about the blockchain, it is actually a distributed ledger – a public, open ledger database that nobody controls. Moving to an internet of things world, one of the big problems with bringing more than 25 billion devices onto the internet is that our current naming and registration systems can’t really cope with that amount of devices proliferating on the internet.
This is one area where the blockchain could really help – it being an open distributed ledger that is basically tolerant to any sort of attacks to overwrite the system. You can register all those internet of things devices coming on to the internet via the blockchain, rather than, say, our typical centralized way of doing it right now, which is on DNS and using name registrars. That’s not really going to be able to handle the load, which is why many IoT companies need to adopt and develop blockchain solutions to handle that specific problem.
There are a lot of other things it can be used for, which is part of what we are bringing to the forefront with our Apache Milagro project. A few months ago, we started an Apache foundation open source project called Milagro with NTT (Nippon Telegraph and Telephone Corporation), and its purpose is to solve that specific conundrum with IoT devices, for registration, and secure communication between IoT devices. It achieves this by using the blockchain as a registration identification mechanism to bring these devices onto the internet.
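The ledger property the section relies on, that an entry cannot be silently overwritten once later entries depend on it, can be shown with a single-node hash chain. The following is an added example written for this page, not code from MIRACL, Apache Milagro or any blockchain project; it models only the tamper-evident, append-only registry (device IDs bound to public keys), not distribution or consensus, and the device IDs, key hex strings and owner names are constructed sample data.

```python
"""Tamper-evident, append-only device registry built as a SHA-256 hash chain.
Illustrative example: a single-node chain, not a distributed ledger."""
import hashlib
import json

GENESIS = "0" * 64  # hash of "nothing" that the first entry points at


def entry_hash(prev_hash, record):
    """Hash of an entry covers both its record and the previous entry's hash,
    so changing any earlier record invalidates every later hash."""
    payload = json.dumps({"prev": prev_hash, "record": record},
                         sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


class DeviceRegistry:
    def __init__(self):
        self.chain = []  # each entry: {"record": {...}, "hash": hex}

    def register(self, device_id, pubkey_hex, owner):
        """Append a new device binding. Registrations are never edited in place."""
        if self.lookup(device_id) is not None:
            raise ValueError(f"{device_id} already registered")
        record = {"seq": len(self.chain), "device_id": device_id,
                  "pubkey": pubkey_hex, "owner": owner}
        prev = self.chain[-1]["hash"] if self.chain else GENESIS
        self.chain.append({"record": record, "hash": entry_hash(prev, record)})
        return self.chain[-1]["hash"]

    def lookup(self, device_id):
        for entry in self.chain:
            if entry["record"]["device_id"] == device_id:
                return entry["record"]
        return None

    def verify(self):
        """Return None if the chain is intact, else the index of the first
        entry whose stored hash does not match its content and predecessor."""
        prev = GENESIS
        for i, entry in enumerate(self.chain):
            if entry["record"]["seq"] != i or entry_hash(prev, entry["record"]) != entry["hash"]:
                return i
            prev = entry["hash"]
        return None

    def tip(self):
        return self.chain[-1]["hash"] if self.chain else GENESIS


def demo():
    """Register three constructed devices, then try to rebind one of them to an
    attacker's key. Returns (intact, first_bad_after_edit, first_bad_after_rehash)."""
    reg = DeviceRegistry()
    reg.register("sensor-0001", "aa" * 32, "plant-a")   # constructed sample data
    reg.register("sensor-0002", "bb" * 32, "plant-a")
    reg.register("gateway-01", "cc" * 32, "plant-b")
    intact = reg.verify()                                 # None: chain is consistent

    # Attacker overwrites sensor-0002's key in place: hash no longer matches.
    reg.chain[1]["record"]["pubkey"] = "ee" * 32
    after_edit = reg.verify()                             # 1

    # Attacker also recomputes that entry's hash: the next entry's "prev"
    # link now breaks instead, so the edit still surfaces.
    reg.chain[1]["hash"] = entry_hash(reg.chain[0]["hash"], reg.chain[1]["record"])
    after_rehash = reg.verify()                           # 2
    return intact, after_edit, after_rehash
```

An attacker who controls the only copy can of course recompute every later hash as well; the chain then looks consistent but its tip hash no longer matches any honestly held replica, which is why the comparison of `tip()` across independent copies (what a distributed ledger's replication and consensus provide) is the part this single-node example leaves out.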
Effects of Lack of Standards for IoT Devices
We have about twelve different communication protocols, about fifteen different open source groups – and all of them have merits. At the end of the day, it’s all about the concern surrounding the specific level of plumbing that has to do with key management, and the creation of authentication and secure connections between those devices. The technology that’s available inside Apache Milagro can fit into every one of those competing IoT standardization efforts that are going on.
The one common thread that all of those internet of things standardization efforts have is that they don’t do security very well. By their own admission, many of them recognize that, and so that is the niche that we are filling – trying to ensure that regardless of the kind of technology, there will be a foundational method that is consistent across all those platforms for devices to securely authenticate and communicate with each other. That is probably the 800-pound elephant in the room that nobody wants to talk about, but we have to solve it.
M-Pin: A Multi-Factor Zero Knowledge Authentication Protocol
It is a protocol that is available in our identity integrity platform as a service, and is also available in Apache Milagro. When it is used for authentication, M-Pin offers what cryptographers call a zero knowledge authentication protocol, which is just a fancy way of saying if I’ve got a cryptographic authentication key in my hand, I can prove to you that I have this authentication key, without actually showing you what it is. If I don’t need to show you what it is, you don’t need to store a copy of it in the database, like you do with password-based authentication.
That is the huge issue with practically all types of authentication on the internet today. Most of them – at least 99 percent – make you store some form of authentication credential, in one whole form, in one place. That is the equivalent of placing a sign over your head that says “attack me.” That’s why we are getting this explosion of username/password-based data breaches, such as Yahoo, Evernote, LinkedIn and so on.
M-Pin makes the requirement to store credentials a thing of the past. In one fell swoop, M-Pin can multifactor and authenticate a device or person, and also eliminate the need to store authentication credentials in the backend. That’s probably the biggest, single innovation that we’ve achieved as a company today.
We developed the Multi-Factor Zero Knowledge Authentication Protocol, put the patents on it and bequeathed those patents to the Apache open source project. The reason we did that is so that developers and enterprises will feel comfortable using that protocol, knowing that it’s patented, but that the Apache Foundation controls those patents. To all intents and purposes, they are now in the public domain.
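The property described in this section, proving possession of an authentication key without showing it, so that the verifier need not keep a copy, can be shown with a Schnorr identification protocol. The following is an added example written for this page; it is not M-Pin (which is a pairing-based protocol with a PIN-plus-token split) and not code from MIRACL or Apache Milagro. It uses DSA-style parameters (a prime p with a prime-order-q subgroup) generated at run time, a seeded random generator purely so the run is reproducible, and a constructed "stolen database" attacker who holds only what the server stores.

```python
"""Zero-knowledge proof of knowledge of a private key (Schnorr identification).
Illustrative example, not M-Pin: the server stores only y = g^x mod p, and a
thief who steals y cannot pass the check without x."""
import random

SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61,
                67, 71, 73, 79, 83, 89, 97]


def is_probable_prime(n, rng, rounds=32):
    """Trial division by small primes, then Miller-Rabin."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_group(rng, q_bits=160, p_bits=224):
    """DSA-style parameters: prime q, prime p = k*q + 1, generator g of order q.
    Sizes are small for a quick demo; real deployments use far larger ones."""
    while True:
        q = rng.getrandbits(q_bits) | (1 << (q_bits - 1)) | 1
        if is_probable_prime(q, rng):
            break
    while True:
        k = (rng.getrandbits(p_bits - q_bits) | (1 << (p_bits - q_bits - 1))) & ~1
        p = k * q + 1
        if is_probable_prime(p, rng):
            break
    while True:
        g = pow(rng.randrange(2, p - 1), k, p)  # h^((p-1)/q) has order q or 1
        if g != 1:
            return p, q, g


class Prover:
    """Client side: holds x, which never leaves the device."""
    def __init__(self, group, x, rng):
        self.p, self.q, self.g = group
        self.x, self.rng, self.r = x, rng, None

    def commit(self):
        self.r = self.rng.randrange(1, self.q)
        return pow(self.g, self.r, self.p)            # t = g^r

    def respond(self, c):
        return (self.r + c * self.x) % self.q         # s = r + c*x mod q


class Verifier:
    """Server side: stores only the public value y, never a replayable secret."""
    def __init__(self, group, y, rng):
        self.p, self.q, self.g = group
        self.y, self.rng, self.c = y, rng, None

    def challenge(self):
        self.c = self.rng.randrange(1, self.q)
        return self.c

    def verify(self, t, s):
        # g^s == t * y^c  because g^(r + c*x) == g^r * (g^x)^c
        return pow(self.g, s, self.p) == (t * pow(self.y, self.c, self.p)) % self.p


class StolenDbProver:
    """Attacker who copied the server's y but not x. The only way to forge a
    transcript is to pick s first and guess c: t = g^s * y^(-c_guess)."""
    def __init__(self, group, y, rng):
        self.p, self.q, self.g = group
        self.y = y
        self.c_guess, self.s = rng.randrange(1, self.q), rng.randrange(1, self.q)

    def commit(self):
        y_inv_c = pow(self.y, self.q - self.c_guess, self.p)  # y^q == 1, so this is y^(-c_guess)
        return (pow(self.g, self.s, self.p) * y_inv_c) % self.p

    def respond(self, c):
        return self.s                                  # passes only if c == c_guess


def enroll(group, rng):
    """Client picks x; only y = g^x goes to the server."""
    p, q, g = group
    x = rng.randrange(1, q)
    return x, pow(g, x, p)


def authenticate(prover, verifier):
    t = prover.commit()
    c = verifier.challenge()
    return verifier.verify(t, prover.respond(c))


def demo(seed=1):
    # Seeded only for reproducibility; use random.SystemRandom() for real keys.
    rng = random.Random(seed)
    group = generate_group(rng)
    x, y = enroll(group, rng)
    honest = authenticate(Prover(group, x, rng), Verifier(group, y, rng))
    thief = authenticate(StolenDbProver(group, y, rng), Verifier(group, y, rng))
    wrong_key = authenticate(Prover(group, (x + 1) % group[1], rng), Verifier(group, y, rng))
    return honest, thief, wrong_key   # (True, False, False)
```

The transcript (t, c, s) reveals nothing usable about x: anyone can produce transcripts of the same distribution by choosing c and s first, exactly as the stolen-database attacker does, so a breach of the server's table yields values that are already public, not credentials. The stolen-database attacker succeeds only when the verifier's random challenge equals the one guessed in advance, a probability of about 1/q per attempt.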
Multi-Factor Zero Knowledge Authentication Protocol Could Have Mitigated OPM Breach
It is the reason that Experian chose us for its UK identity assurance project. With the OPM breach, there were two things going on. For one thing, it doesn’t look like they were a particularly well-run organization, and a part of that may have been because they were starved of resources. Implementing something like M-Pin, even from the open source Apache project, would have immediately eliminated 95 percent of the threat factor that they had, which the hackers exploited once they penetrated the network.
The reason is this, if I penetrate your network, the first thing I’m going to go after is the username/password database. The reason I would do that is because then I can start moving around your network looking like a legitimate user. I don’t have to hack into a database administration system, because I know the admin’s password.
This is how most of these hacks can go on for a long time and go undetected because, even if you have event monitoring and logging turned on, it looks like a legitimate user. That is the issue that we stop – we employ multifactor authentication, coupled with the fact that the authentication service layer doesn’t store any authentication credentials.
Speaker: Brian Spector
Brian Spector is the CEO and co-founder of MIRACL with more than 20 years of experience in the information security industry. Brian began his career in cryptographic development at Silicon Valley’s first full disk encryption software company and has held leadership positions in development, product management and sales at Thales, RSA Data Security and McAfee.