Patent: 10,601,822 Multi factor Authentication Device
My first patent actually came to me between jobs. I had left a company called Level 3, where I worked as a pre-sales security architect, and had made enough money to take a few months off in the vain hope of finding the perfect job, my forever job. Unfortunately I never did find my perfect job, but I did go to one interview with a company called Riverbed; I believe it was for a network or security architect position. Being a well known and respected company, I thought it could be "The job". I did not get the job, but I did get the idea for my patent. Maybe that is better, maybe not; time will tell.
In my interview I was speaking to some VP, I think for IT or Operations, I do not really remember now, but the question came up about using bio-metrics in place of username/password. I did not agree that bio-metrics alone were a good replacement. At the time I did not have a well formulated idea of why, which may have been why I did not get the job, but it did get me thinking about the reason bio-metrics alone were not a good answer, and I discovered it.
The core of this is to understand the factors of authentication: why they are needed, and why they are powerful together but may be weak apart. What I discovered is that each factor protects the other factors, because each factor has its own strengths and weaknesses. For instance:
What You Know: Typically username and password. Its weakness is the human factor: there will always be people that practice bad password security, such as writing passwords down on post-its, using pet names, easy to guess passwords, etc. Since this is the easiest factor to implement, and it is supported on any modern system that supports authentication, it is often the poster child for bad security.
An interesting aspect of "What You Know" is that it is actually the most secure method, technically speaking. Why? As far as I know, no person, company or country has figured out how to read your mind. So the factor is not the problem; it is the people that use it that are the problem.
What You Have: This factor takes on many forms, from a static key on a hardware device to a pseudo-random token validated by a secure server in a secured network. There is always the argument that certificates installed on a computer are also a form of "What You Have", because you need the computer to gain access and the certificate is "unique" to that computer. My issue with that is that you can still copy the certificate off the computer, at which point it is no longer unique, and making it remotely attackable makes it even worse, as an attacker could simply copy the cert and private key to another computer without the user ever knowing it was stolen.
A strength of "What You Have" is that it is usually easy to use, does not rely on the user to determine the strength of the device, and its theft is easily noticed. The bad side is that it is inherently vulnerable to the algorithms it is built on; not all devices are equal, leading to weaker implementations; and finally, some implementations can be installed on the computer the user is using, which exposes another vector of attack compared to a device the user carries. These weaknesses can be exploited from a distance: whether it is Russia breaking into a US company or a US company breaking into Russia, distance is not an issue when exploiting some of these types of weaknesses.
Another inherent weakness is that the devices themselves do not typically require additional authentication. In the case of a token on a phone, probably the best implementation of "What You Have" short of the dedicated key fob, there is no required security to access the token, so a certain amount of human factor leaks into this weakness if the owner of the phone does not protect the phone with some sort of authentication.
What You Are: This factor may seem like the ultimate factor; I mean, how can someone duplicate you, right? Unfortunately, with the options out there it is relatively easy to mimic someone. Think about this: if you have a phone that unlocks with your fingerprint, and you pick up a glass of water at a restaurant, you just gave away access to your phone. With the newer HD cameras, every time you take a selfie you could be exposing your retinal scan ID, not to mention your facial scan. The only real bio-metric option I could think of that would give a high assurance of authentication would be a blood sample, which takes me back to watching the movie Gattaca.
In light of these thoughts I asked myself how I could make this more secure while at the same time making it as easy as or easier to use than current factors, thus limiting the human fault factor. Tokens are vulnerable at a distance or if stolen, bio-metrics are vulnerable up close (assuming fingerprints), and passwords are vulnerable based on human fault, which is both near and far. It then struck me: if I could combine What You Have with What You Are, the remote and up-close protections of each would complement the other to form a much more secure factor with the ease of use of one factor. Further, this factor would not be some long string of characters, numbers and symbols; it could be a simple token that infuses the bio-metrics, so that a compromise of one factor would not compromise the second.
So now we run into another issue: once we decide which factor to go with, what supports that factor?
Obviously bio-metrics would be hard to push to a site, as most do not support them, not to mention there is no standard for how or what bio-metric you would be using.
Tokens have recently started to take hold as MFA (Multi-Factor Authentication) options for sites, especially with free options like Google Authenticator.
Usernames and passwords are still king when it comes to authentication on everything.
Finally, I was always conscious of making this as easy as or easier than what the user currently does for multi-factor authentication. It did occur to me that I could incorporate "What You Know" into this, maybe with a PIN or some other option, but that would have two issues. First, RSA already does something very similar by prepending or appending a PIN to their token for 2-factor authentication, even though my incorporation would digitally combine them rather than adding the PIN to a string. Second, I wanted this to be as easy for a user as a token is today; adding a password or PIN to access it every time would not accomplish that. I could see the desire to create an all-encompassing 3-factor device, but that may have other issues with usability.
The solution: a device or program that uses a token for the factor "What You Have", then takes in a bio-metric (fingerprint/iris scan/facial scan) and hashes that mapping to normalize the data. Once this is done, recursively combine the bio-metric hash with the token to produce a new token that comprises the bio-metrics and the original token. If someone steals your device, they will need your bio-metrics to create a valid token, and if they steal your bio-metrics they will need your token to generate the proper token.
This solves several problems:
It is just as easy to use as a token yet incorporates 2 factors.
Separation of the token algorithm and the bio-metrics ensures that hacking the algorithm alone does not break the security.
Can be used anywhere a password is used.
Can incorporate more than one system for back-end validation; for instance, one provider for bio-metrics, another for the token, and a third party to evaluate. So if one company is hacked, the credentials are not compromised.
Can be used in conjunction with passwords to form 3-factor authentication for the ease-of-use price of 2-factor.
If either factor is compromised the security is not compromised.
A simple algorithm to combine the factors requires very little compute, making it a minor addition to existing factors.
Can use any combination of factor providers; that is, you could combine a Duo, RSA or Google Auth token with any other bio-metric manufacturer's implementation. Even the type of bio-metric does not matter, i.e. retinal, fingerprint, facial or even blood/DNA.
Likely Scenarios:
When I came up with this, Google Glass was still a cool gadget, so this use case may be a little dated. Smart eyewear that reads the retina could combine with the token program to create the code instantly and display it on the glass to be typed in.
Old school token key fob with a fingerprint sensor to read, hash and combine with the token. Could be used for tiered authorization as well: without the fingerprint it displays a standard token; when you go to a higher security area you add your fingerprint to produce the more secure token. This would be a good scenario when you access a lot of sites that may not be as secure, so you do not want to expose the multiple-factor token.
Phone runs a program that incorporates bio-metrics with the token to create an MFT (Multi-Factor Token).