Strong authentication using Hardware Security Modules
Authentication is a process that verifies the identity of a user or device.
It can be part of a broader identity and access management process that continuously authenticates
subjects in a system.
Is a subject really what it claims to be? This is what the authentication process confirms by means
of various authentication mechanisms.
Users may, for example, confirm their claimed identity via:
- “Something they know”, e.g. password, PIN or security questions
- “Something they have”, e.g. smart card, token or smartphone for receiving a one-time password
(OTP)
- “Something they are or do” (based on biometrics), e.g. fingerprint, face, iris or signature
- “What they do”, which is related to continuous identity verification based on user behavior in a system and the detection of abnormal patterns
- Or a combination of the above.
Certificate-based Authentication
Certificate-based authentication uses a digital certificate to authenticate users, but beyond that
also machines, devices and IoT endpoints (using “something they have”).
Advantages include ease of use – often happening automatically without the intervention of the user
– and mutual authentication of the user or device to the network or system and vice versa.
Due to the sheer number of connected users and devices, and the increase in cloud-based services,
secure identification and authentication are business-critical nowadays.
Simple passwords are not sufficient anymore to get access to a network, system, resource or
application. Regulations and industry-specific standards have come into place that require stronger
authentication mechanisms.
Major concepts around authentication defined
Identification
A user or a device ("a subject") claims an identity.
Authentication
Making sure the subject is what it claims to be. This requires confirming the claimed identity, e.g. by presenting a password or a certificate, or using a smart card or fingerprint scan. Various distinct types of user authentication mechanisms exist, based on knowledge, possession, biometrics or behavior.
Single-factor Authentication
With only one single authentication mechanism being used, this type of authentication can be vulnerable and offers little fraud protection.
Two-factor Authentication
A minimum of two authentication mechanisms from two different categories are used. Consequently, this approach is more secure and less likely to be attacked successfully.
Strong Authentication
This approach involves more than two authentication mechanisms of different types to prove the identity of a user or device.
Authorization
Once a user or device identity is confirmed, authorization mechanisms grant or deny access to specific data, files or applications.
Whether you need to authenticate employees or their devices in your network, machines in your production environment, customers using a cloud-based application or payment transactions – in all these cases, the use of an HSM as a hardware Root of Trust ensures maximum security.
Application Scenarios
Payment authentication & PSD2
The banking and financial services market has the most stringent security regulations and has a
long-standing history of using security mechanisms such as authentication.
Recent breaches and subsequent tightening of security measures are expected to bring biometric
authentication into the focus of attention for future-proof authentication.
As part of the second Payment Services Directive (PSD2, since January 13th, 2018), the EU will
introduce stricter requirements for authenticating online payments from September 2019.
These are known as Strong Customer Authentication (SCA) and complement PSD2 as part of the European
Commission’s Delegated Regulation on Regulatory Technical Standards (RTS).
They will significantly impact how users are identified and authenticated, involving at least two of
three authentication methods (knowledge, possession and inherence).
Biometrics (inherence) such as fingerprints will be more widely used as a highly secure way to
identify individuals.
Important prerequisites are the secure storage of biometric data and use of a public key
infrastructure, which is ideally backed by an HSM for managing cryptographic keys.
With these new requirements, the EU aims at reducing online payment fraud and identity theft.
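The category rules above (single-, two-factor and strong authentication depend on how many distinct categories are used, and SCA requires two of the three elements knowledge, possession and inherence) can be expressed as a small policy check. The following is an added example, not code from the original page or from Utimaco; the mechanism-to-category table is a constructed sample, and "behavior" is treated as a category that does not count towards SCA.

```python
from enum import Enum
from typing import Iterable, Set


class Factor(Enum):
    KNOWLEDGE = "knowledge"    # something the subject knows
    POSSESSION = "possession"  # something the subject has
    INHERENCE = "inherence"    # something the subject is (biometrics)
    BEHAVIOR = "behavior"      # what the subject does (continuous verification)


# Constructed sample mapping of concrete mechanisms to their category.
MECHANISM_CATEGORY = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "security_question": Factor.KNOWLEDGE,
    "smart_card": Factor.POSSESSION,
    "hardware_token": Factor.POSSESSION,
    "sms_otp": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
    "face": Factor.INHERENCE,
    "typing_rhythm": Factor.BEHAVIOR,
}

# The three SCA elements named by PSD2; behavior is not one of them.
SCA_FACTORS = {Factor.KNOWLEDGE, Factor.POSSESSION, Factor.INHERENCE}


def categories(mechanisms: Iterable[str]) -> Set[Factor]:
    """Collapse the presented mechanisms to the distinct categories they cover."""
    cats = set()
    for m in mechanisms:
        if m not in MECHANISM_CATEGORY:
            raise ValueError(f"unknown mechanism: {m}")
        cats.add(MECHANISM_CATEGORY[m])
    return cats


def classify(mechanisms: Iterable[str]) -> str:
    """Single-, two-factor or strong, counting categories rather than mechanisms."""
    n = len(categories(mechanisms))
    if n == 0:
        raise ValueError("no authentication mechanism presented")
    if n == 1:
        return "single-factor"   # e.g. password + PIN are both knowledge
    if n == 2:
        return "two-factor"
    return "strong"              # more than two distinct categories


def satisfies_sca(mechanisms: Iterable[str]) -> bool:
    """SCA: at least two distinct categories among knowledge, possession, inherence."""
    return len(categories(mechanisms) & SCA_FACTORS) >= 2
```

Note that password plus PIN is still single-factor, and password plus typing rhythm does not satisfy SCA because behavior is not one of the three SCA elements.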
The Role eIDAS Plays
A standardized electronic identification system across the European Union facilitates strong and straightforward authentication mechanisms. The related standards as defined in the eIDAS regulation (EU) N°910/2014 are fully taken into consideration for maximum security, e.g. with qualified certificates for website authentication or qualified certificates for payment providers’ electronic seals.
Digital Rights Management
Although similar to conditional access (CA) in intent, i.e. limiting access to content to authorized or paying users, DRM usually protects a specific piece of content at rest or in transit. It allows users to access the content and defines when, how, for how long or how often, and on which device(s) it may be used.
Conditional Access
Identification and authentication mechanisms are a prerequisite to implement conditional access. A securely identified user or device is granted access to a network, system, data or other when meeting a specified set of criteria.
A best-in-class case
Microsoft offers user access based on geolocation or IP address (location-based conditional access) and ensures that only registered and approved devices get access (device-based conditional access). Conditional access schemes and policies are deeply integrated into Microsoft solutions that manage access to applications on premises or in the cloud with fine-grained controls and based on a multitude of conditions.
Media and Entertainment Industry
In the media and entertainment industry, conditional access (CA) and digital rights management (DRM) are two key concepts to ensure proper authentication and authorization. CA has been widely used for TV streaming, ensuring that only customers/users with the appropriate receiver and a valid decryption key can “unscramble” a film or media stream. Hence they get access to that content only if one or multiple conditions are met. Most keys are valid for a short, specific time frame only, so that stealing and decrypting such a key is basically useless: by then the key will already have been replaced by a subsequent key.
Get in touch to learn more about the Utimaco HSM offering supporting user & device authentication
Please contact us at info@utimaco.com to discuss your requirements. We will jointly find a solution and partner(s) that can cater to your needs.