A Case for Time based One Time Passwords


Aaruni Kaushik

Authentication

Authentication is any process that verifies a client's claimed identity. Any login process is a form of authentication. Traditionally, authentication is done with a username and a password.

Multi Factor Authentication

Multi factor authentication (MFA) uses more than one independent factor to establish identity, instead of the single password of the classical case. These factors can be

  • Something you know (e.g., password)
  • Something you have (e.g., a phone)
  • Something you are (e.g., biometrics)
  • Somewhere you are (e.g., GPS coordinates)

With a sane setup, two of these factors (2 Factor Authentication, 2FA) are sufficient for the vast majority of daily activities.

Problem with SMS OTP

An SMS One Time Password (OTP) tries to establish "something you have", namely your phone, the device on which you receive the SMS. Unfortunately, SMS delivery is neither guaranteed nor secure. SMS is delivered on a "best effort" basis and may arrive after the OTP has expired, or may not arrive at all. It is also easy for a nefarious party to intercept an SMS, whether by eavesdropping on the carrier network, by having your number ported to a SIM they control (a SIM swap), or with malware on the handset. This defeats the very requirement the factor tries to fulfil: an SMS does not prove possession of your phone if its contents can be read elsewhere. The only thing an SMS OTP really checks is whether your phone bill is paid! Depending on an external network to deliver the SMS also means you stop receiving OTPs whenever that network is disrupted or is forced not to send them (Your OTPs may stop coming after November 30, if Airtel, Vodafone-Idea and Reliance Jio do not meet this December 1 deadline).

The Reserve Bank of India has recently published a draft framework for 2FA methods that do not rely on SMS (Draft Framework on Alternative Authentication Mechanisms for Digital Payment Transactions - Reserve Bank of India; RBI issues two-factor check norms).

Problem with Biometrics

A biometric factor tries to establish "something you are", namely your fingerprint, your face, or your retina. While this sounds good at first glance, the factor is neither very secure nor robust against a breach. Biometric authentication can be defeated at the user level by lifting a fingerprint or by using a high resolution image of your face or iris. It can also be compromised en masse through a data breach of the server that stores the biometric templates. Security operations and cryptographic practice teach us that it is always a matter of when, not if, a system is compromised, and any solution must be built to deal with this fact. Unfortunately, when your biometrics are compromised you cannot choose a new face or a new fingerprint: a biometric is a credential that can never be rotated. As a result, biometric authentication must NEVER be used as a widespread implementation of 2FA. In addition, this method still requires the biometric scanner to have network access to reach the verifying server, adding another point of failure.

NPCI has proposed adding biometric authentication to all UPI payments ( NPCI may be planning to replace OTPs, PINs for UPI transactions with these ). This is extremely ill-advised.

Proposed Solution: TOTP

We propose the Time based One Time Password (TOTP, RFC 6238) as the second factor in 2FA. It establishes "something you have", namely the TOTP generator. Much like the OTPs currently in widespread use, a TOTP is a short numeric code, usually 6 digits. Unlike those OTPs, a TOTP is derived from a pre-shared secret key and the current time: it automatically changes every 30 seconds (the default time step) and can be generated independently and offline on any number of devices that hold the key. Its security rests on the secrecy of the pre-shared key and on the HMAC construction underneath it, and nothing has to be transmitted to the user at login time (for technical details, see A Primer to TOTPs). The TOTP can be generated in any app or device of the user's choosing, the generator needs no network access, and the pre-shared key can be re-issued any number of times in case of a breach.

TOTPs are the modern solution for 2FA in large and critical security contexts, and are the factor of choice for 2FA at GitHub, Yahoo, UK Government services, the Stripe payment processor, the Zerodha trading platform, and many others. TOTPs are easy to implement, easy to re-issue in case of a service breach, and their security reduces to well-studied cryptographic primitives rather than to the reliability or confidentiality of a third-party network. The one caveat a deployment must plan for is that, like any code typed in by the user, a TOTP entered into a phishing page can be relayed by the attacker within its 30 second validity window, so the usual anti-phishing measures still apply.

Since changing the method of authentication requires that service providers offer TOTP as a 2FA option, this post hopes to serve both as an executive summary of TOTPs and as an impulse to start a conversation towards that change.