The Password Problem (don't use "1234" as your PIN!)

Posted in #money, 8 years ago (edited)

In Nature, Authentication is a product of evolution and survival.

Every organism must identify the sources of energy that sustain life, and avoid the infinite dangers that can end it. Authentication matters: the wrong poisonous thing eaten, or the wrong shadow ignored, can result in an instant end.

In our modern lives authentication can best be described by the phrase "Password Incorrect".

We are in a forest and can't see it for the trees. People have come to live with the pain of remembering multiple, changing passwords (and most of those will be shared among many accounts).

PINs for Payment Cards are supposed to be something you can remember, yet bank legal terms absurdly issue a vague warning that you would be liable for using something that can be guessed. In fact the distribution of the 10,000 combinations for a 4-digit PIN is not random. Beyond the obvious simple combinations such as 1234, 5555, etc., date-related combinations such as MMDD (birth date of a loved one, anniversary date, etc.) are often used and drastically reduce the possible combinations. This point is very graphically (and effectively) illustrated in the bottom left corner of the heat map below, sourced from a great blog post on PIN security that I found while researching this post: http://www.datagenetics.com/blog/september32012/.

(Heat map of PIN distribution: each pixel represents the first 2 digits (X/horizontal axis) and the last 2 digits (Y/vertical axis) of a 4-digit PIN. The more 'white hot' a pixel is, the more frequently that PIN was observed. Source: www.datagenetics.com)

Half of all PINs fall within a list of just 400 numbers (and 10% are 1234!).
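As an added example (not from the original post), a weak-PIN policy check that rejects the guessable patterns described above (trivial sequences, repeated digits, MMDD/DDMM dates) and counts how much of the 10,000-PIN space they consume. The pattern set and the year range are assumptions chosen for illustration:

```python
"""Weak-PIN policy check (added example, not the post's own code)."""
import calendar


def is_repeated(pin: str) -> bool:
    """A single digit repeated, e.g. 5555."""
    return len(set(pin)) == 1


def is_sequence(pin: str) -> bool:
    """Ascending or descending runs such as 1234 or 4321."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})


def is_date(pin: str) -> bool:
    """MMDD or DDMM that forms a real calendar date (leap day allowed)."""
    a, b = int(pin[:2]), int(pin[2:])
    for month, day in ((a, b), (b, a)):
        if 1 <= month <= 12 and 1 <= day <= calendar.monthrange(2000, month)[1]:
            return True
    return False


def is_year(pin: str) -> bool:
    """Plausible birth/anniversary year (assumed range: 1900-2029)."""
    return 1900 <= int(pin) <= 2029


CHECKS = (
    ("repeated digit", is_repeated),
    ("sequence", is_sequence),
    ("calendar date", is_date),
    ("year", is_year),
)


def weak_pin_reason(pin: str):
    """Return why a PIN would be rejected by this policy, or None if accepted."""
    if not (len(pin) == 4 and pin.isdigit()):
        return "not a 4-digit PIN"
    for name, check in CHECKS:
        if check(pin):
            return name
    return None


def weak_pin_space() -> int:
    """How many of the 10,000 possible PINs this policy rejects."""
    return sum(1 for n in range(10000) if weak_pin_reason(f"{n:04d}"))
```

Dates alone account for 588 of the 10,000 PINs, which is why the MMDD corner of the heat map stands out; a policy like this is the bank-side counterpart to the advice in the title.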

The banks and payment processors are only supposed to store PIN Offsets - which are matched/validated - so they technically aren't supposed to know and subjectively assess the security of your PIN choice. It would be interesting to know how they determine if your PIN was secure enough (more likely, they just assume you were negligent if it was used fraudulently). Unless 100% of ATM activity is EMV/Chip verified by a bank (EMV / Chip security will be addressed in future posts), depleting a victim's account could be as simple as purchasing breached magnetic stripe data, and testing the most common PINs (assuming the PIN wasn't also compromised/or was since changed).

Banks will not worry about such risk unless the abuse is widespread and customers begin to lose confidence. It will likely take some time, and some customer pain, before the conventional wisdom that fraudulent PIN usage must somehow be the customer's fault changes.

Solutions to Authentication Challenges

The standard security paradigm holds that there are 3 Factors of Authentication: 1) a shared secret, something known only to the parties; 2) a token, something physically in your possession; and 3) a biometric, something biologically unique to an individual (aside from direct organic traits, physical actions and unique behaviours such as signature, gait, or even voice can be grouped in this category). The more factors, the more secure. This is also consistent with a 'layered' approach to security.

Unfortunately, token authentication and biometrics are often used as marketing labels and gimmicks. A token is only secure if it cannot be easily counterfeited, and a biometric signature is only secure if it can't be replayed by someone else (essentially also a form of counterfeit). What's more, a biometric cannot be changed, as it is unique to the individual for life (although I suppose some of the behaviour-related biometrics, such as signature and gait, can be altered with training).

The fundamental issue with today's authentication is that the digital information representing the credential is not actually physically verified. Any authentication of a token or of biometric information is only proof of a cryptographically correct digital output (a.k.a. a valid cryptogram). Another point of verification needs to exist to ensure the 'valid' data is actually being sent by the 'true' customer.


Steeming hot passwords

Steemit passwords - are they a shared secret? They are complex enough to be a cryptogram (albeit a static one) which is basically just a password. The challenge with such complex passwords is usability.

I'm sure we have some options to simplify our passwords (I've yet to explore that), but I'm not convinced the entire blockchain revolution will engage consumers until we solve the complexity of current security. Passwords must be dynamic to be secure, and even Payment Cards are moving to dynamic security codes for Card Not Present transactions.

There's a Blockchain at the end of the Rainbow

In future posts, I would like to begin discussion and thought on potential solutions for blockchain authentication. We know we have 3 factors of authentication; if we add context and metadata, perhaps there is another factor there (but I'm not sure we want our various blockchains to look at us the way bank fraud departments do, deciding the fraud score of each transaction, as it would defeat the whole purpose of decentralization).

Will we witness a natural evolution back to what authentication has organically evolved into over billions of years (physical confirmation)? Will quantum cryptography be a solution? This could potentially bridge the gap of physical state in a digital information world.

It's all interesting, exciting and yet to be validated.


moral of the story...don't make your #steemit password into a 4 digit PIN!
