Oct 19, 2016
Forever and ever, you'll stay in my palm
Dec 18, 2012
by Kumar Rahul Ghosh
Mobile authentication does not mean much yet if you go looking for the term. What the name suggests, though, is that anyone can authenticate themselves to any service using their phone. This does not mean password managers: those are files on the phone containing the passwords, locked under one more password. Before going into the benefits of Mobile Authentication, there first needs to be an answer to why it is required at all.
The password, a short sequence of characters from some script, is much older than the Internet. It has been around since people first needed to identify themselves to obtain a privilege: produce the correct sequence and you pass, otherwise service is denied. So it seemed a good idea to reuse it in the digital world to open and close its doors.
It was a reasonable idea at the start of the digital age, but five decades have passed since then and in practice it has run into serious problems. A user has to remember 5-6 passwords on average, each supposedly a different combination of letters, numbers and symbols. If someone else can guess one of them easily, the user risks losing important information. So you end up holding a nearly random sequence of characters from a language you know, which may or may not mean anything, and which you cannot afford to forget. That is the first problem.
One might write it down somewhere so that it need not be memorized, but then there is the risk of someone finding it, and there is no way to know that the note has been copied or photographed. That is the second problem.
The other way a password can reach malicious parties is through careless handling by the services and websites where it is used. A single loophole or unpatched vulnerability in the server software can expose the passwords of a million users to third parties, all the more easily if the site stores them in plaintext or under a weak hash. This calls for better standards for securing websites, yet there is no rule or standard for it that services are actually required to follow. All affected users are told to change their passwords, but some still lose their accounts despite having taken every care on their side. That is the third problem.
The fourth problem is the wire between the computer and the server. You may be on Wi-Fi, but somewhere along the path there is a wire carrying your traffic to the server. If the connection is not HTTPS, everything on it travels unencrypted, so if you enter your login details into a form served over plain HTTP, anyone tapping the connection can read them. This is passive eavesdropping, commonly grouped with Man-In-The-Middle attacks, and neither the destination server nor the person at the device can detect it. And the wire is not the only place: an innocent-looking browser extension can read every key press and record it, HTTPS or not.
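As an added illustration of the fourth problem (this is not code from the original post), here is what a passive tap does with a captured login request: it parses the plain-HTTP POST and lifts the form fields out, while the same bytes over HTTPS give it nothing. The capture bytes, the host example.test, the credentials and the list of field names are all constructed for the example.

```python
# Added example (not from the original post): what a passive tap on a
# non-HTTPS login sees. The capture bytes, host and credentials below are
# constructed for the example and are hypothetical.
from urllib.parse import parse_qs

# Form field names commonly used for credentials (assumption for the example).
CREDENTIAL_FIELDS = {"username", "user", "email", "login", "password", "passwd", "pass"}

# Bytes a packet capture would show for a login form posted over plain HTTP.
PLAINTEXT_CAPTURE = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 37\r\n"
    b"\r\n"
    b"username=alice&password=s3cret%21pass"
)

# The same login over HTTPS: a TLS application-data record header followed by
# ciphertext. The payload bytes are arbitrary filler, not a real record.
TLS_CAPTURE = b"\x17\x03\x03\x00\x40" + bytes(range(64))


def parse_http_request(capture):
    """Split captured bytes into (method, path, headers, body).

    Returns None if the bytes are not an HTTP/1.x request, which is what a
    tap sees for TLS traffic: a record header and opaque ciphertext.
    """
    head, sep, body = capture.partition(b"\r\n\r\n")
    if not sep:
        return None
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return None
    request_line = lines[0].split(" ")
    if len(request_line) != 3 or not request_line[2].startswith("HTTP/1."):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line[0], request_line[1], headers, body


def extract_credentials(capture):
    """Return {field: value} for credential-looking form fields in a captured
    POST, or None if nothing readable is there (TLS, wrong method, truncated)."""
    parsed = parse_http_request(capture)
    if parsed is None:
        return None
    method, _path, headers, body = parsed
    if method != "POST":
        return None
    content_type = headers.get("content-type", "").split(";")[0].strip()
    if content_type != "application/x-www-form-urlencoded":
        return None
    # Honour Content-Length: a capture cut short must not be misread as a
    # complete (and wrong) password.
    length = int(headers.get("content-length", len(body)))
    if len(body) < length:
        return None
    fields = parse_qs(body[:length].decode("utf-8", errors="replace"))
    found = {k: v[0] for k, v in fields.items() if k.lower() in CREDENTIAL_FIELDS}
    return found or None


if __name__ == "__main__":
    print("plain HTTP:", extract_credentials(PLAINTEXT_CAPTURE))
    print("HTTPS     :", extract_credentials(TLS_CAPTURE))
```

The point of the second capture is that the tap does not fail because it is clever or dumb; it fails because there is no HTTP to parse, only a TLS record header and ciphertext. Note also that a truncated capture is reported as nothing rather than as a half-password, which is the behaviour you want from any such parser.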
There are quite a few more problems, but those above are the significant ones. Clearly there is a case for getting rid of the password as the proof of one's digital identity: if there is no password, there is nothing to steal. That, in turn, raises another problem, namely how to secure the digital identity of a huge population without it.
This is the first of two articles on the topic of Mobile Authentication.