- Strong two-factor authentication as the basis for trustworthy identities
- Username and password alone are no longer sufficient
- Secure identities essential for objects like cars and organizations in IoT
In the high-tech world we live in today, secure digital identities are essential. Users want to be reliably identified not just when they are doing online banking. More and more applications in the cloud or on the smartphone require users to be able to identify themselves securely and unambiguously. But how can we prevent someone from claiming to be someone else online? “A password is no longer enough to clearly identify the person behind the user name,” Oliver Dehning, Leader of the Competence Group Security at eco - Association of the Internet Industry, warns.
Hundreds of millions of stolen passwords circulating online
“The current standard [authentication] procedure of user name and password should be supplemented or, if possible, replaced,” emphasized the German federal government in the Cyber Security Strategy for Germany 2016, adopted on 9 November 2016. This is because theft, manipulation and fake identities cannot be ruled out sufficiently when using authentication on the basis of username and password. Hundreds of millions of stolen passwords, including usernames and email addresses, are currently circulating online. These originate from hacks of large sites. The online services Dropbox, Yahoo and LinkedIn are not the only ones to have admitted to the theft of millions of passwords. “There is a great need for better digital processes to prove one’s digital identity,” Oliver Dehning stresses.
Great need for strong and user-friendly methods of authentication
“Strong authentication depends on the use of two different factors,” according to Jens Bender from the German Federal Office for Information Security (BSI). Authentication factors need to be cleverly combined to provide defense against a range of attack categories and to combine the strengths of different factors. Asymmetrical processes in which no central database is required should be given preference.
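The preference for asymmetric processes without a central secret store can be shown in a few lines. The following is an added illustration, not code from eco, the BSI or any product mentioned in this article: a possession factor (a token holding a private key, unlocked by a locally checked PIN as the knowledge factor) answers a fresh random challenge with a signature, and the service keeps nothing but public keys. It uses only Go's standard library (`crypto/ed25519`); the user name, PIN and the `Token`/`Registry` types are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Registry is everything the verifying service stores per user: a public key.
// Unlike a password database, leaking it lets an attacker check signatures,
// not produce them, so it is not a credential store worth stealing.
type Registry map[string]ed25519.PublicKey

// NewChallenge draws a fresh 32-byte random nonce. Every login gets a new one,
// so a captured response cannot be replayed against a later challenge.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return c, nil
}

// Verify checks that response is a valid signature over challenge by the
// key enrolled for user.
func (r Registry) Verify(user string, challenge, response []byte) error {
	pub, ok := r[user]
	if !ok {
		return errors.New("unknown user")
	}
	if len(response) != ed25519.SignatureSize || !ed25519.Verify(pub, challenge, response) {
		return errors.New("authentication failed")
	}
	return nil
}

// Token models the possession factor (smart card, eID, phone secure element).
// The private key never leaves it; a local PIN (knowledge factor) unlocks it.
// Holding the PIN in a plain byte slice is a simplification for this example;
// a real token keeps it in protected hardware.
type Token struct {
	priv ed25519.PrivateKey
	pin  []byte
}

// Respond signs the challenge after checking the PIN locally. The PIN is
// compared in constant time and is never transmitted to the service.
func (t *Token) Respond(pin string, challenge []byte) ([]byte, error) {
	if subtle.ConstantTimeCompare([]byte(pin), t.pin) != 1 {
		return nil, errors.New("wrong PIN")
	}
	return ed25519.Sign(t.priv, challenge), nil
}

// Enroll generates a key pair on the token and registers only the public half.
func Enroll(r Registry, user, pin string) (*Token, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	r[user] = pub
	return &Token{priv: priv, pin: []byte(pin)}, nil
}

// Login runs one challenge-response round and reports whether it succeeded.
func Login(r Registry, user string, t *Token, pin string) bool {
	challenge, err := NewChallenge()
	if err != nil {
		return false
	}
	response, err := t.Respond(pin, challenge)
	if err != nil {
		return false
	}
	return r.Verify(user, challenge, response) == nil
}

func main() {
	reg := Registry{}
	tok, err := Enroll(reg, "alice", "1234") // constructed sample user and PIN
	if err != nil {
		panic(err)
	}
	fmt.Println("correct PIN, own token:", Login(reg, "alice", tok, "1234"))
	fmt.Println("wrong PIN:", Login(reg, "alice", tok, "0000"))
}
```

The two factors are combined on the client side: without the token the private key is unavailable, and without the PIN the token refuses to sign. The service never sees either, which is what removes the central database of secrets that username/password schemes depend on.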
The Cyber Security Strategy for Germany 2016 finds that the federal government already provides a highly secure and data-economical means of identification on the Internet, using identity documents with an online identification function. The new German identity card (eID), for example, offers a secure way to identify oneself, also for cloud infrastructures. This was demonstrated by Dr. Detlef Hühnlein from ecsec GmbH at the Internet Security Days 2016 in Bruehl, near Cologne. With SkIDentity, secure virtual identities can be created on the basis of the online function of the ID card, and these can also be transferred, for example, to a smartphone. This solution – which has the BSI ISO 27001 certification, as well as a certification from TÜV Informationstechnik GmbH in accordance with the Trusted Cloud Data Protection Profile – then allows users to be authenticated for digital services for up to 14 days without the use of the physical ID card.
State and industry creating own solutions for different applications
In the Internet of Things (IoT) it is not only people that need unambiguous identities, but also objects. “When, for example, vehicles communicate with each other to warn each other about dangers or inform one another about traffic conditions, then the communication must be both trustworthy and extremely fast,” says Christian Welzel, from the Fraunhofer Institute FOKUS. Organizations and services also require digital identities that their users can trust.
“The state is taking on the role of determining the framework. It will define the legal and technical requirements and will ensure security through certificates.” At the same time, the state is in competition with industry, which has also created its own possibilities for authentication. Examples of this are the Facebook ID for people and seals of quality for online shops. Generally speaking, “Solutions for digital identities need to be thought through globally and must satisfy international standards and criteria,” Welzel emphasizes. This will be achieved with unified standards and framework conditions and harmonized criteria for comparing authentication processes.