THE DEMISE OF THE SHARED SECRET PARADIGM


The shared secrets paradigm has been around for centuries and is the underlying paradigm for many of our information security systems today.

The simplest form of a shared secret is a password. Other examples include private keys, long strings of characters and random numbers. Shared secrets are used in most types of user authentication, from the simple and familiar user name and password combination to complex multifactor authentication (MFA) schemes.
In Google Authenticator's two-factor authentication (2FA) system, for example, a shared secret is established between the server and the client; that secret authorizes the generation of one-time passwords (OTP) through either the time-based OTP algorithm or the hash-based message authentication code (HMAC) OTP algorithm. Typically, the shared secret is initially presented to the user as a QR code, scanned with the smartphone app, and then saved locally on the device.

Bimodal IAM is a type of authentication that uses two forms of credentials to access enterprise information. It uses internal and external credentials, where the internal credential is a stable form of identity like a password or biometric scan set up within the organization, and the external credential is more dynamic and uses outside accounts that the user already has, like social media or email, to verify identity.

Bimodal IAM takes pre-existing enterprise identity architectures and adds the layer of the external credential. The pre-existing external credential relieves the enterprise of the responsibility of managing more identity data. Typically bimodal IAM will only allow users access to less valuable enterprise data.

The shared secret paradigm depends on a less obvious component than the secrets themselves. It requires a shared context: the two parties sharing the secret have some relationship with each other, and presenting the secret confirms that relationship. The shared secret says to those using it: we know each other, and I am the person you think I am.

In the anonymous digital environment in which we operate today, that shared context is frequently weak or nonexistent. Without the context, mere possession of the secret lets a stranger or attacker gain the same status as the person who originally shared it. A secret only remains a secret if it is not shared, and the most common form of sharing secrets in the digital environment is nonconsensual: data breaches and identity theft.

Without an underlying confirmable context that is peculiar to a particular user, the shared secret paradigm is as enabling to the attacker as it is to the legitimate user. Our most common security paradigm – the shared secret – has become a major security risk in today’s environment. Yet, no one seems to be addressing the risk – until OnliU was established!



© 2016 On!iUs Inc., 15250 Heather Mill Lane, Haymarket, Virginia 20169, USA. All Rights Reserved.