
After reading the article “Why did the majority of Russians become victims of cyber fraud?”, I decided to share my views on information security. The article states, and I quote:
As the study shows, Russians become “easy prey” for cyber fraudsters because of carelessness or plain laziness. Every fifth study participant has never changed the password of their main mailbox. On social networks the password is changed even less often: 38% do so no more than once a year, and 18% do not change it at all. Yet frequent password changes are one of the easiest and most effective measures of protection against cyber fraud. Worse, 25% of respondents use their e-mail password on other resources: social networks, online stores and other services. So if the password and account details fall into the hands of intruders, they can take possession not only of your confidential information but also of your money.
Of course, the complexity of the password itself also matters. Most users create very simple passwords, from letters and digits only.
In theory, of course, it all looks simple, but such articles neither examine nor reflect the essence of the problem. Protecting information from unauthorized access is becoming an ever more serious problem, yet on many Internet resources the security element in use is still one of the best-known and oldest methods: the password. Unfortunately, the views of many security specialists develop by inertia, without taking into account modern trends in information technology or the problems users actually face, which in my opinion is not entirely right. Those who are aware of this (Google and the major social networks, for example) are gradually promoting their own solutions for us.
In this article I want to go through everything in order and offer Habr users, for discussion, my vision of software and hardware methods for solving the information security problems of the Internet.
Password problems
Consider the main issues a regular user faces with passwords:
1) Why do users use the same or similar passwords on many sites?
Because a user may have very many such sites, and it is hard to keep the password of each resource in memory when the passwords are all different and, moreover, complex. Often, if you have not used some resource for a long time, its password is successfully forgotten. As usual, an attempt to log in turns into guessing your own passwords one after another, and the number of attempts may be limited or made much harder by an unreadable captcha. Along the way you leave all of your passwords on these sites, and the site owners may well be storing them with primitive algorithms, so a site that stores passwords that way leaks every password you have tried there, not only the one that worked. It is very inconvenient when logging in turns into torture and may end in nothing. That is why more and more people try to remember and use one complex password on many resources.
2) Why do users not change passwords often? For the same reason. Changing passwords frequently multiplies the number of passwords to remember, which is guaranteed to increase the number of failed login attempts: you now also have to remember which password was the latest and which the previous one. Besides, most users cannot keep in memory every site they have ever registered on over all their years of using the Internet, so the Internet is full of long-forgotten and abandoned accounts.
Where and how to store passwords?
All these difficulties give rise to an equally important problem: where and how to keep the list of passwords, if we cannot remember this whole zoo of them?
If in electronic form: there are now too many desktop and mobile devices that we use from different places (at home, at work, visiting friends), so the password list would have to be kept either on every device used or on the Internet (in a cloud or a mailbox, say). That greatly reduces security: by getting at any one of those devices, or at the online store of your passwords, an attacker gets at all your accounts and possibly your bank accounts too. Storing passwords in the browser is not secure either. In most browsers the saved passwords can be viewed in the settings, or by changing an input's type="password" attribute to text in the built-in developer tools, so anyone with a minute at your unlocked machine can read them. The prospects for storing passwords electronically are therefore not encouraging.
If you carry the list with you on paper, that is not safe either: it can be stolen by a pickpocket at a party, at work, in a public place, on the street (perhaps even by force) or while you are asleep.
In general, I have not yet found a definitive answer to the question of where and how passwords should be stored.
How did things develop?
If you follow how information security requirements have developed, you can easily notice the following trend:
1) At the very beginning, simple and convenient passwords such as sex or god were used to protect against unauthorized access.
2) Then people realized that these passwords are very simple and easy to guess, so a new requirement appeared: a minimum password length of 6 characters.
3) Most resources also introduced mandatory confirmation of the e-mail address.
4) Protection against bots appeared in the form of a captcha: after a failed login attempt you have to type the characters shown in an image. The captcha also became an obligatory part of registration on most Internet resources.
5) Password requirements then grew a little stricter: a minimum length of 6 characters, and the password must contain both letters and digits.
6) Over time, bots learned to bypass simple captchas, which led to complex captchas: distorted symbols, lines and curves drawn across them, characters rotated at different angles, placed at different heights and spacings, with varying brightness and contrast and other effects. This made the protection far more painful for users, who now struggle to recognize the characters themselves.
7) Meanwhile, some resources began to add an extra layer of protection: SMS confirmation of a phone number.
8) Next, the most common minimum password length rose to 8 characters.
9) Now many resources demand complex passwords: at least 8 characters, with uppercase and lowercase letters, digits and other characters, and preferably no personal data. In other words, for security's sake we are now required to invent passwords that are as hard to memorize as possible.
What's next?
The question naturally arises: what comes next? Will we have to memorize extra-complex passwords of 16-24 characters and decipher captchas so convoluted that, as the saying goes, the devil himself would break a leg in them? In my opinion, many should understand that this direction is a dead end for the development of information security. We need radically different solutions that combine maximum security with maximum convenience for users.
In my opinion, all these difficulties can be solved in only one way: by issuing every citizen a digital passport of a single standard to confirm their identity on all Internet resources. To check the digital passport, Internet resources would send their requests to unified citizen authorization centers. To a certain extent such a decision may put an end to anonymity on the Internet, but it would solve all the password security problems described above. It could also solve not only security problems but social ones: closing access to "adult sites" for users who have not reached the age of majority, copyright problems when copying and distributing information on the Internet, the liability of Internet resources and their users in cases of unfair dealing, theft of personal data, fraudulent money transfers, and so on.
Unified authorization centers and digital passports of citizens
You may have noticed that I deliberately replace the word "users" with the word "citizens", hinting that the control and issuance of digital passports should be handled at the state level. There are several reasons for this. First, no one will trust any single organization to authenticate users across the entire Internet: whoever received that level of privilege would have almost complete control over the whole Internet, including the financial sector, and no country in the world would allow that. Second, only legislation and the relevant regulatory authorities can enforce the obligations of Internet resources and users. And, as many will guess, the laws of one state do not apply on the territory of another. Hence a single authorization center should be created in each country, so that the laws of that country regulate the issuance of digital passports and govern the behaviour of its citizens on the Internet. At the same time, a country's authorization center must also provide controlled and transparent authorization of citizens of other countries by checking the digital passports of foreign citizens with the authorization centers of their own countries.
Some may argue that this demands 100% security for such authorization centers, and that since no single lock is 100% secure, it is better to keep the existing password protection as millions of separate locks, one per site. It should be noted, however, that a single authorization center can be made reliable far more effectively than the current arrangement, in which every Internet resource must solve the security of its users' accounts on its own. Nobody really knows how reliable those resources are, because sites face no mandatory requirements for protecting user data. Moreover, most resources today can escape any responsibility for handing user data to third parties or even publishing it, because the terms of use of most sites are not a legally binding document.
In general, ordinary passports are forged too, so the fight against fraudsters will always go on. It is a bit like the fight between viruses and antivirus software: no antivirus guarantees 100% protection against new viruses, but new viruses are promptly analysed and protection against them is created. Likewise, unified authorization centers should monitor attempts at data falsification around the clock and promptly fix every identified security threat. If we trust Sberbank's website with our online banking, we can just as well entrust our personal data to a single authorization center regulated at the state level.
Those troubled by the loss of anonymity on the Internet can keep using the classic password-based login on websites. Digital passports would be an alternative that does not require abolishing the usual registration and login scheme: whoever values anonymity more can use the classic scheme, and whoever values convenience and security more can log in with a digital passport.
Only one requirement should be mandatory for Internet resources within a country: they must support authorization of citizens by digital passport. The digital passport itself should not pass through the Internet resource; it should be verified directly between the user and the single authorization center. Internet resources should receive only the center's final decision: authorize the user on the site or refuse.
What digital passports should be
From a security point of view, the best protection available today is a USB token protected by a PIN with a three-attempt lockout and, optionally, an integrated fingerprint scanner. During authorization the token can send the unified authorization center a digital copy of the biometric fingerprint signed with a personal digital signature (a cryptographic transformation with the private key); only the holder of the matching public key, the authorization center, can verify it. (If the fingerprint copy itself must also stay confidential in transit, it is additionally encrypted to the center's own key: a signature alone proves origin but does not hide the data.) It must be impossible to extract the digital copy of the fingerprint or the keys from the USB token by any means. To protect against interception, the transmitted data must be unique at every authorization: along with the copy of the fingerprint, the token also signs a random string and the value of its successful-authorization counter. For the center to actually detect a replay, that random string should be a challenge issued by the center for this particular login, and the counter must be strictly greater than the last value the center recorded for this citizen. Better still, a personal set of key pairs could be generated, one per day, for the whole period of use (10-20 years, say); the token then checks the date with the center's servers during authorization and signs with the key for the current date. The public keys should also be well protected and kept only on the authorization server (for example, on an internal server of the center that checks the received data but has no direct Internet access); a signature scheme does not depend on the public key staying secret, but keeping the verification keys off Internet-facing hosts limits what an intruder can learn or tamper with.
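As an added illustration of the exchange described above (my own example, not code from the original post or from any real digital-passport system), the following Go program models both sides: a token that checks a PIN (three wrong attempts lock it), matches the scanned fingerprint against the template stored on the token itself, and signs the center's challenge together with its authorization counter; and an authorization center that holds only the public key, issues challenges, and accepts or rejects each assertion. Assumptions: Ed25519 signatures, a SHA-256 hash of the raw scan as a stand-in for a real fingerprint template (real matchers are fuzzy, so an exact hash comparison is a simplification), a 16-byte challenge, and a single citizen per Center. The per-day key sets are left out; they would add a date-indexed key lookup on both sides.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
)

type Challenge [16]byte // random string the center issues for one login attempt
type Assertion struct { // the token's reply: signed fields plus the signature
	Counter   uint64   // successful-authorization counter, must only grow
	Challenge Challenge
	FpHash    [32]byte // hash of the fingerprint template (stand-in for a real one)
	Sig       []byte
}

func (a *Assertion) payload() []byte { // the exact bytes that get signed
	buf := make([]byte, 8, 56)
	binary.BigEndian.PutUint64(buf, a.Counter)
	return append(append(buf, a.Challenge[:]...), a.FpHash[:]...)
}

// Token models the USB passport: a PIN with 3-try lockout, a fingerprint template
// matched on the token, a monotonic counter and a private key that never leaves it.
type Token struct {
	pinHash, fpTemplate [32]byte
	triesLeft           int
	counter             uint64
	priv                ed25519.PrivateKey
}

// NewToken enrolls PIN and fingerprint and generates the key pair; only the
// public key is handed out, for the authorization center to keep.
func NewToken(pin string, finger []byte) (*Token, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	t := &Token{pinHash: sha256.Sum256([]byte(pin)), fpTemplate: sha256.Sum256(finger), triesLeft: 3, priv: priv}
	return t, pub, nil
}

// Authorize checks the PIN (the third wrong attempt locks the token for good),
// matches the scanned finger against the template on the token (an exact hash
// comparison stands in for a fuzzy matcher), then signs challenge and counter.
func (t *Token) Authorize(pin string, finger []byte, ch Challenge) (*Assertion, error) {
	if t.triesLeft == 0 {
		return nil, errors.New("token locked")
	}
	if h := sha256.Sum256([]byte(pin)); subtle.ConstantTimeCompare(h[:], t.pinHash[:]) != 1 {
		t.triesLeft--
		return nil, errors.New("wrong PIN")
	}
	t.triesLeft = 3
	if fp := sha256.Sum256(finger); subtle.ConstantTimeCompare(fp[:], t.fpTemplate[:]) != 1 {
		return nil, errors.New("fingerprint mismatch")
	}
	t.counter++
	a := &Assertion{Counter: t.counter, Challenge: ch, FpHash: t.fpTemplate}
	a.Sig = ed25519.Sign(t.priv, a.payload())
	return a, nil
}

// Center is the authorization center's record for one citizen: the public key,
// the last counter accepted and the challenges still outstanding.
type Center struct {
	pubKey      ed25519.PublicKey
	lastCounter uint64
	pending     map[Challenge]bool
}

func NewCenter(pub ed25519.PublicKey) *Center {
	return &Center{pubKey: pub, pending: map[Challenge]bool{}}
}

func (c *Center) NewChallenge() (Challenge, error) { // fresh challenge, remembered
	var ch Challenge
	_, err := rand.Read(ch[:])
	c.pending[ch] = true
	return ch, err
}

// Verify is the yes/no the site receives: the challenge must be one the center
// issued and not yet consumed, the counter must exceed the last one accepted
// (both defeat replays), and the signature must verify under the public key.
func (c *Center) Verify(a *Assertion) error {
	if !c.pending[a.Challenge] || a.Counter <= c.lastCounter {
		return errors.New("replayed challenge or stale counter")
	}
	if !ed25519.Verify(c.pubKey, a.payload(), a.Sig) {
		return errors.New("bad signature")
	}
	delete(c.pending, a.Challenge)
	c.lastCounter = a.Counter
	return nil
}
```

The interesting call is a second Verify on the same assertion: the signature is still valid, but the challenge has been consumed and the counter has not advanced, so the center rejects it. Tampering with any signed field (the counter, say) fails the signature check instead. Note that the site never sees the PIN, the fingerprint template or the private key; it receives only the center's decision.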
On the technical side, all of this is feasible. Better still would be a small micro-USB token, shaped like a plug (to fit any smartphone or tablet), inserted into a regular USB port through an adapter; the fingerprint scanner could be built into that adapter. Removing the USB adapter could automatically activate an extra verification step, such as SMS confirmation or a fingerprint scan on the mobile device's own sensor.
A fingerprint scanner combined with a PIN should protect against theft or loss of the digital passport. The fingerprint received from the scanner should be checked on the USB token itself against the stored digital template. This rules out the use of a stolen or lost digital document and turns the theft of digital passports into a pointless exercise.
No one doubts that 128-1024-bit cryptographic keys are far more reliable than today's 8-10 character passwords (an 8-character password of letters and digits carries at most about 48 bits of entropy, and real ones far less). Especially so if the data being signed changes at every authorization and the signing keys rotate daily. This is any system administrator's dream. Speaking of administration, this authorization method could eventually be built into operating-system logon and used to protect corporate IT, taking this headache off system administrators entirely.
I describe the Internet authorization scheme based on electronic digital signatures (EDS) in more detail in the next post, “Authorization scheme using electronic digital signatures instead of password protection”.