Root Causes 11: Authentication Is Not for the Authenticated
With so much debate about the role and importance of authentication in digital systems, it is important to remember the purpose of authenticated identity in our cyber interactions. Join us for a discussion of who benefits from known identity, what can go wrong when identity is obscured, and why ecosystems must include incentives for members to participate in identity authentication.
- Original Broadcast Date: April 9, 2019
Episode Transcript
Lightly edited for flow and brevity.
-
Tim Callan
I'm excited because we’re talking about a topic that’s dear to my heart, which is the concept that authentication is not for the authenticated.
-
Jason Soroko
That’s a great way of putting it.
-
Tim Callan
I’ve been talking about this a long time with a lot of people. In the world of public certificates and public trust, one of the things that I notice that comes up over and over again is that IT decision makers and people who operate websites and digital systems at companies are used to thinking about the direct benefit to their businesses of the solutions they purchase. And certificates are a little unusual in that regard in that authentication, as I said, is not actually for the authenticated.
-
Jason Soroko
Yeah. Yeah.
-
Tim Callan
And what I mean by that is, you know who you are, right Jay?
-
Jason Soroko
I think so most of the time.
-
Tim Callan
Yes, and I know who I am. And oftentimes when you talk to people at companies their attitude is, “Well, we know who we are. We know we’re our company. I don’t need anybody to tell me that I'm this company.” And that’s true, you don’t, but how often do you or I deal with other people in the world who don’t necessarily know us by sight, and how do those people trust that we are the individuals that we claim to be?
-
Jason Soroko
I don’t think Alice always has met Bob beforehand.
-
Tim Callan
Right. If you and I happen to be in the same place, I look up and I say, “Oh, there’s Jay.” It’s easy. But if I don’t know you there needs to be some mechanism to know who you are, and this is where in the offline world, we wind up using things like passports.
-
Jason Soroko
If you and I wanted to do business together, right, we want to have a transaction, back in the old days it was, “Meet me at this house and knock three times, and I’ll know it’s you.” We have a term for that in our world which is a shared secret. But that necessarily means that there had to be a pre-existing relationship.
-
Tim Callan
Sure.
-
Jason Soroko
Now in a digital world we’re seeing so many use cases where that just doesn’t exist.
-
Tim Callan
Even if we stay in the old world but not quite that old, it used to be when I was young if you wanted to pay with a check at a store, back when people used to do that, you would show them your driver’s license. That was the same thing. It’s like I don’t know that you are Bob, but if you show me your driver’s license and it matches what’s on your checkbook, now I have authentication in place. In the offline world we do this a lot. My great example, again, is the passport. Jay, do you have a passport?
-
Jason Soroko
I do.
-
Tim Callan
Does your passport have your name on it?
-
Jason Soroko
It does.
-
Tim Callan
Does it have your picture on it?
-
Jason Soroko
It does.
-
Tim Callan
Is that because you don’t know who you are?
-
Jason Soroko
No, I know exactly who I am, and in fact sometimes when I look at that picture, I can’t believe that’s me.
-
Tim Callan
So why do you have a passport?
-
Jason Soroko
I have a passport in order to assert who I am to other people.
-
Tim Callan
Correct. And if you did not have a passport what are some of the things that would be problematic?
-
Jason Soroko
I probably couldn’t cross an international border. A number of other issues that I'm sure would come up.
-
Tim Callan
Right. I use my passport routinely. I have a passport card and it’s the thing I use every time I get on an airplane, even if I'm flying domestic. When I’ve prepaid for my hotel because I got a good rate online, I have to show them my ID before they give me my key. When I go to pick up a package. There are all kinds of occasions where I need to prove who I am, and in my case it’s always my passport card because I just have it. And without that all those opportunities would be lost to me.
-
Jason Soroko
It’s globally trusted. Even though we’ve seen the Jason Bourne movies where he’s carrying a bunch of passports, generally people trust it when you hand one over.
-
Tim Callan
Good point. The Jason Bourne movies illustrate another principle that we might return to, which is that perfect is not necessary for good to be worthwhile. In his case maybe someone can make a fake passport, but almost all the passports you see are going to be real, and the level of trust is high enough that you can go with that. So in the digital world what’s our equivalent of a passport? It’s a certificate.
-
Jason Soroko
Yes sir.
-
Tim Callan
In fact, that’s built right into the word. Why do we call them certificates? Because they certify. And what do they certify? Every certificate without exception in one way or another certifies identity.
-
Jason Soroko
And it’s a certificate authority that is etc., etc.
-
Tim Callan
Is the one that’s trusted to certify. Now if you own your own world, if you have a walled garden, you can be the Certificate Authority. So if I have a bunch of devices that are going to live inside my firewall and I want to be the Certificate Authority, I sit at the top and I say, “I'm the CISO, and I'm going to say which devices are real and which devices are not because I'm the source of truth.” That’s perfectly great. But when we get out into the world, when we’re out in the DMZ, you can’t do that anymore. There needs to be an independent authority, and that’s what the public CAs wind up being.
-
Jason Soroko
That’s right.
-
Tim Callan
Now what’s all this about authentication not being for the authenticated? We go back to the idea of saying, “Ok if I'm out in the DMZ, if I'm using, let’s say, SSL certificates because I want to stand up websites and anybody anywhere in the world can come to my website and initiate a sensitive transaction. They can open an account, pay with a credit card, access PII or PHI or things along those lines. How do I assert that I am really who I claim to be?” And that’s where those public Certificate Authorities come in.
-
Jason Soroko
Their stamp of approval, essentially. You get your stamp of approval from theirs.
-
Tim Callan
They’re vouching for you.
-
Jason Soroko
Yeah.
-
Tim Callan
Then it comes to the question, what are they vouching for? And in the world of SSL there are actually tiers of authenticated identity that are available. At the lowest level you can get what you call Domain Validation, or DV. And what does Domain Validation tell us?
-
Jason Soroko
It basically means that you’ve proven to a Certificate Authority that you are in possession of the domain.
-
Tim Callan
Right. It says that I am really on ABCD.com. I am not on ABCDE.com. It doesn’t say anything, though, about who the heck it is.
-
Jason Soroko
Not at all.
-
Tim Callan
Who is running ABCD.com.
-
Jason Soroko
Nothing.
-
Tim Callan
Now, there’s a different kind of certificate that we call an Extended Validation certificate, and what’s the capsule summary of the difference between that and a Domain Validated certificate?
-
Jason Soroko
You have to go through a fairly lengthy process typically in order to prove the fact that you are a legal entity. Essentially the validation of the business that is in possession of that domain.
-
Tim Callan
Exactly correct. There are codified rules that are known to be highly effective that the public CAs must follow, and what they do at the end of that is they assert that this is a certain company. Not only do you control this domain, that still needs to be there, but that this is a specific company. This is the name and location of the company, and the person who got the certificate got it on behalf of that company.
-
Jason Soroko
That’s exactly right.
-
Tim Callan
And that means when I go to a website that has an Extended Validation certificate as a consumer, I now know that this actually is E*TRADE because there’s an Extended Validation certificate, let’s say, sitting on the E*TRADE site. And therefore, I know that it’s not somebody who’s pretending to be E*TRADE who is trying to steal my login credentials so they can go into my account and somehow steal my personal wealth.
-
Jason Soroko
If I get an email that claims to be PayPal. Click on the link. My browser opens up. My browser does not show green and all of a sudden, I am on PayPal.AndresBackyard.com. I pretty much know I'm not at PayPal.
-
Tim Callan
So right. So that becomes the benefit for the end consumer, right? It’s this strange situation that’s very unusual in the world of IT purchasing where the purchaser is purchasing for the benefit of an outside party.
-
Jason Soroko
Yes.
-
Tim Callan
I am obtaining certificates and the choices I make make a difference to how secure the person who comes to my website is.
-
Jason Soroko
It’s a very important concept. Especially if I think about myself as a financial institution, I'm doing very serious business with people on the internet. I want people to know when they knock on my door, they’re knocking on my door and not somebody else.
-
Tim Callan
You’re perfectly segueing into a good point which is, ok so why would I do this? If this certificate is to my benefit then I know why I would get it. But if this superior certificate is to someone else’s benefit in a world of pure capitalism and purely pragmatic, self-serving behavior, why would I get this at all?
-
Jason Soroko
Well if my customers were routinely being drawn off to fraudsters, my customers are going to be upset.
-
Tim Callan
Absolutely. First and foremost, it’s just plain brand reputation. You do not want your brand name associated with bad things. Someone going to a website and getting their stuff stolen is a bad thing, and you don’t want your brand associated with it. Very closely related to that is the idea that you want to project that you are doing the right thing for your customer and so showing your customer “Look, I'm here and it’s really me” is a way to communicate that.
That’s a good thing as well, but there’s also a concrete benefit, which is research has indicated that when people see these company names that are usually in green sitting there in the browser, what in shorthand we call the green address bar, that they’re actually more likely to engage with the website. They’re more likely to complete a transaction or open a new account or use an online account they already have. They’re more likely to stay on the site, less likely to bounce. All those benefits are directly going back to the business who stands up the site.
If you think about it, it makes sense. If people can trust that they’re not being defrauded and they’re not being duped, then people will be more likely to engage in what they consider to be sensitive interactions than if they can’t trust that.
-
Jason Soroko
And it’s not just about pure fraud. It’s about credential harvesting. You know I'm not going to enter anything into a form about my personal information or definitely not my username and password for something unless I have a really good idea of what site I'm on.
-
Tim Callan
Absolutely. All kinds of data get mined. Social media data get mined and used in spear phishing and other kinds of social engineering attacks, and even things like your address can be gathered and then that can be matched up with other information, and so the level of sensitivity people have to engage in anything that seems even remotely online is high. So the connection there is valid, because now we can come back and see the benefit. Even though I know what business I am there are direct benefits, bottom-line benefits to my business if I ensure that other people know what business I am as well.
-
Jason Soroko
If I'm on a site where I'm just casually browsing and something catches my eye on the site, the chance of me impulse buying could be a heck of a lot higher if I see that green bar.
-
Tim Callan
When running your average day as an IT decision maker, people aren’t necessarily connecting the dots on that, but it’s very important for them to remember that this is an unusual technology purchasing decision and the decisions they make are going to affect their companies in ways beyond just what’s in front of them on their screen right now.
-
Jason Soroko
If you really want to think about it as a business, if you really want to extend the olive branch to a prospective customer, showing them the respect of proving who you are digitally on the modern internet is one way of doing it.