21 Jun Authentication as a Gatekeeper
Your authentication solution is your gatekeeper. It will enable your customers to conduct business with you while keeping others out. There are a lot of different gatekeepers out there in the market. If your organisation has an online service for customers, it will need a gatekeeper. Not all gatekeepers are created equal, and not all gatekeepers are suited for your needs. Let’s go through the major categories of these gatekeepers. And I’m going all medieval on you. You can find the download link to the Authentication Guide at the end of the story.
Passwords and other weak authentication methods
Imagine a gatekeeper of an ancient village, a burly man with a club in his hand trying to keep out the unwanted. All villagers know a secret word that needs to be spoken to the gatekeeper to go through the gate. The problem is that the gatekeeper in question is not too bright (perhaps too many strong meads in the local tavern after work?). Unauthorised people can discover the secret by stealing the secret tablet of the gatekeeper, where the spoken secret is written. Or they can try to guess the secret, go away for 5 minutes, and come back again to try as the gatekeeper has a memory of a gold fish (again, might have something to do with the mead and end of the night brawls with other patrons). [This is a password]
Each village has its own gatekeeper, and travelling salesmen hate dealing with these brutes. In the land not too far away they allow the travelling salesmen to enter the village by using the family seal, where the name of the salesman is scripted. The problem is that there’s no way for the gatekeeper to know if the seal is forged or not. [This is a social media, or another type of non-vetted password identity]
One Time Passwords
Sometimes the villages need extra help. A wizard might be needed to ward off a pestilence or to ensure proper growth of the crops. The village elder will send a message pigeon to the magicians guild. The message includes a secret code that will be handed over to the wizard best suited for the task. It will be memorised and the message destroyed. When the appointed wizard reaches the gate, the village elder will be summoned to gate and they both write down the secret and show the code to the gatekeeper. If the codes match, the wizard will not be bludgeoned. Instead, he will be generously rewarded after performing his spells. [One time password]
Sometimes pigeons are intercepted by thieves or highwaymen. Modern studies have shown that these pigeons suffered from a defect in their SS7 gene, and lawless men were able to seduce a pigeon to land and steal the secret code. After stealing the code, the most scholarly of the bandit gang impersonated the wizard. In most cases the villagers gave the bounty to the bandit without receiving any kind of help for their distress. [SS7 vulnerability affecting SMS based one time passwords].
The lord of the lands, protector of the villages and his subjects, is a gentle and righteous ruler. He distributes his wealth amongst his people and they love him. He is also an inventor and sells his designs and inventions to other lords, thus generating income. This income means that his subjects won’t have to pay hefty taxes or levies. The designs are very valuable, and need to be properly protected. After some his vellums describing some of the devices he had invented were stolen, he decided to improve the protection of the vault where they were kept.
After lengthy discussions with his advisors and wizards, a plan was hatched. A new vault would be built for storing all the vellums with reinforced walls imbued with magic. No one in the known world would be able to penetrate the vault. The door of the vault would be a thick metal door held in place with intricate locks and magic. Next to the vault, a workshop would be built, where the lord would be able to continue his work and not worry about someone sneaking in and stealing his discoveries.
To access his workshop, the lord would first insert a key into the lock. The wizards would cast spells that would link the key to the locking mechanism energies. Only with a proper key would the gemstone matrix be activated. Anyone trying to access the workshop would have to know the correct combination of 8 gemstones to be activated in the correct order in a matrix of 10 times 10 gemstones. A further protection measure was to be put in place that would keep the gemstone surfaces pristine to avoid a situation where someone could potentially start guessing the right sequence just by looking which gemstones had been touched. [2-factor authentication. Something you have, something you know]
The vault access would have to be even more difficult. The key and the gemstone matrix would be replicated for the vault door, however using a different key and different sequence. In addition, a central gemstone would be infused with his blood. Only by placing his hand over the central gemstone would the door to the vault open. The spells casted by the wizards would make sure that a blood (of the lord) smeared hand of a thief would trigger the protection measures. [This is multi-factor authentication, something you have – the key, something you know – the sequence, something you are – the blood].
These protection measures worked well. It wasn’t too bad if someone was able to walk into a village after guessing a correct secret after a 12th time. These people were usually harmless. But if the lord would lose all his designs, the land would suffer as new taxes and levies would have to be put in place.
… coming back to the Internet age…
And how does this relate to your organisation? Download our (modern) guide for authentication for an extensive look at different methods and their suitability to different situations. Most organisations today can’t rely on a single authentication method. An Identity Provider will be your gatekeeper, and fortunately modern gatekeepers are quite clever. And they don’t have to go to the tavern every once in a while…