STATIC OR DYNAMIC AUTHENTICATION?

One of the features of digital information is that it can be perfectly replicated forever. This has enabled the current strategy of authentication used for users and devices – the shared secret. This strategy is embodied in the common practice of user name and password login and device authentication through unique information – unique serial number, MAC address, etc.

This practice has also brought with it an inherent vulnerability – anyone possessing the required information in the shared secret is viewed as trusted and can gain access to the system.

Imagine if you had to change your user name and password every time you logged in to any system you use. No, don’t imagine that, it might drive you to a serious drinking problem. Because we inherently know that we can’t operate in a universe where our shared secrets change with every use and all the time, we have adopted a strategy of making the secrets more difficult to guess, and we work to do a better job of making the secrets hard to discover. We do this with complex passwords that we change occasionally (resulting in a heavy use of yellow sticky notes) and we use stronger encryption.

However, attackers continue to obtain stolen credentials and successfully penetrate our most secure information environments with relative ease. The cost of these penetrations and the remediation is growing at about 20% a year and seems to be accelerating.

What if we could adopt a convenient-to-use practice that defeated the attacker with perfect, but stolen, login credentials? What if we could deploy a system of dynamic information that formed the basis of the shared secret, but did not challenge the memory capability of the user? What if we deployed a system in which the secure login information could be stolen or even shared, but would be useless in the hands of any but the legitimate user?

What if we could deploy a system in which the user could use any easy-to-remember, easy-to-guess user name, but one that could not be successfully duplicated by an attacker?

What if we could deploy a system that always required the convenient consent of the legitimate user for every login? Even the thief with the right information would still have to obtain that consent!

What if we could deploy a system that authenticated not only the user, but also his or her device, with very complex information that constantly changed and could only be used one time, so that stealing the information did not matter?

That system is the OnliU System. It changes the paradigm from static shared secrets to one based on dynamic information that cannot be defeated by theft.



© 2016 On!iUs Inc., 15250 Heather Mill Lane, Haymarket, Virginia 20169, USA. All Rights Reserved.