An Argument for CID in Authentication Processes
Security vs Privacy
Security vs Privacy — it is a topic on all of our minds, and with the recent news from Facebook, large scale data compromises, and the passing of GDPR regulations coming from the EU, it’s become more worrisome than ever. However, for most people, the problem isn’t about their personal information being used…it’s about who it’s being shared with.
Personal data can be collected in ways that you may not even be aware of. Did you know that any website can track your cookies, or even use the movements of your mouse in order to gather information about who you are?
Do You Know Who’s Gathering Data About You?
When you are first visiting a web site, you don’t expect it to share the data they’ve collected just from you being there. Perhaps they even go a step further; with methods like Captcha or third party authentication like Google or Facebook logins, you end up sharing your data with a lot more people than you initially intended.
Of course there are those who you’ve intentionally allowed access to; parties with whom you’ve already established a relationship, who you trust to handle your personal information in a careful manner (for example, your banking institution). One important relationship is with your email or internet service provider. After all, some data is required in order for them to know that it is in fact you accessing your account or email and not some hacker from a foreign country.
Traditionally, access is determined by your email address and password. In the early days of the internet, that was sufficient — but a lot has changed since then. Today, hackers have access to all sorts of tools, including “bot-nets”, with millions of bots that can be used to brute force (guess) those passwords, or sniffers that can watch unencrypted traffic in order to steal the information needed to impersonate you. The scary thing is, they often don’t even need these tools since most people use the same email address and password for multiple sites and partners. But who has time to remember dozens of different passwords, right?
Unfortunately, recent high-profile hacking of large customer partners has resulted in hackers gaining access to millions of email addresses and passwords. Once they’ve collected that information, hackers are able to access any of the other services where you used that same information, including your email accounts. It doesn’t seem so convenient now, does it?
Would you use the same key for everything you own? Probably not! Likewise, it’s smart to use different and complex passwords for all of your accounts.
Once entry is gained, any personal information in that account is at their disposal, including contacts, financial data, and much more. Not surprisingly, hackers love reading your email; it helps them find vulnerable targets, create better forgeries, perform identity theft, or even plant viruses and back doors on your computer and devices. And that’s just the beginning.
Where do you access your email from normally? Probably your home or office computer, your smart phone, and maybe a tablet. Wouldn’t it be nice if you could just lock your account so that only your personal devices can access it?
Securing Data: It’s Harder Than it Looks
There have been plenty of attempts to solve the security issues around password authentication — a popular one is two-factor authentication, such as sending you a code via text message before allowing access. There are various proprietary methods of authentication or third-party authentication; however, in general many of these methods introduce new problems and often end up sharing data with even more third parties. The biggest issue, however, is that these methods are often difficult for those who don’t consider themselves to be tech savvy.
While ISPs (Internet Service Providers) and Telcos (Telecommunications companies) are constantly thinking about accessibility, it’s often difficult to find the sweet spot between being secure and being simple. Programs that are difficult to use cause more support needs, which in turn cause increased costs and more lost customers. If securing an account takes too much effort on the part of the customer, that also leaves more opportunities for compromised accounts and all sorts of malicious activity.
Back to the Privacy Problem
Any method that requires your ISP (or bank, or any other service) to share data about you to a third party in order to securely identify you can potentially be a serious problem, both from a privacy perspective and from a security standpoint.
But you do have a trusted relationship with your ISP — you don’t mind them knowing that it’s you. After all, they already know your address, credit card numbers, and other personal information. You’ve agreed to provide this information because you get a necessary service in return.
We’re no strangers to sharing; we make that decision every day in order to get something valuable in return. But where do we draw the line?
What is needed is a standard method to determine: is this actually me? The holy grail would be a surefire way to detect that it is you without providing any information at all; but what we can do in the meantime is to let your ISP identify you through the specific devices you use to access your account.
Many privacy advocates argue that, in order to prevent that information from being shared with others, nothing should be shared that could be used to identify you. While the intent may be genuine, if this argument is taken too far it can really cause new dilemmas. If you don’t present identifying information, how do they know it’s you? The real issue is when those ‘identification’ tools are used to share personal information about you.
Our Solution: CID Identifiers
There are many other ways that “big brother” (or of course the Google, Facebook, and advertisers of the world) can identify you with every visit to a web site you make. Many of them even bundle this tracking with their own security methods, which often collect even more personal information about you (so who’s the real winner here?). A method is needed that all “trusted partnerships” can use WITHOUT having to share your personal information.
In order to protect you, your ISP needs a way to verify that it is in fact you using your email address and password, and not some bad guy. This is where CID (Client-ID) comes in.
What CID proposes is that a unique identifier (Client-ID) be sent, which can securely “talk” with any authentication attempt that uses your email address and password. We jokingly call this “two and a half factor” authentication.
How it Works
Traditionally, SMTP (Simple Mail Transfer Protocol) servers use the AUTH extension to identify a client, meaning the server only has to ask for your username and password. However, there are obvious security limitations to this method. Basically, CID is a different extension that allows the SMTP client to give additional identity information to an SMTP server. Using this extension, the client can provide a brand new unique identity called a “client identity,” or CID. It can then offer unique characteristics about the client which can then be combined with existing security methods.
Using one of the supported methods, you can help identify yourself in a way that can stop typical attack methods used by hackers. Even if your login credentials are compromised, without the unique CID, that information is useless.
The great thing is that abuse of CID can be detected separately. As long as your ISP doesn’t share your CID with anyone else (which they should never do), you are reasonably protected, unless of course your unlocked device is stolen or hacked — but in that case you can simply declare that Client-ID no longer represents you, and any further attempts will be immediately blocked.
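The following is an added example, written for this page; it is not the draft’s reference code and not the authors’ implementation. It models the server side of the idea described in this section: a client presents a CID before it authenticates, the server only accepts the password when the CID is one enrolled for that account, a CID can be revoked so that a stolen device is blocked, and a correct password arriving with an unknown or revoked CID is logged as its own event so that credential leaks are visible separately from ordinary password failures. Everything not on the page is an assumption: the command spelling CLIENTID and its type/identity arguments, the requirement that it follow STARTTLS, the in-memory account store, the account names and device identifiers, and the simplified AUTH PLAIN handling.

```python
"""Server-side model of binding SMTP AUTH to a client identity (CID).

Added example, not code from the Client-ID draft. Assumptions (not from the page):
the command is spelled "CLIENTID <type> <identity>", it must follow STARTTLS and
precede AUTH, and each account keeps an enrolled set of CIDs. All names and data
below are constructed for the demonstration.
"""
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def _hash_password(password, salt):
    # Salted PBKDF2 so the store never holds plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    enrolled_cids: set = field(default_factory=set)
    revoked_cids: set = field(default_factory=set)


class CidServer:
    """Minimal SMTP-style state machine covering EHLO, STARTTLS, CLIENTID and AUTH."""

    def __init__(self):
        self.accounts = {}   # user -> Account (constructed, in-memory)
        self.events = []     # security log entries as tuples (constructed)

    def add_account(self, user, password, cids):
        salt = secrets.token_bytes(16)
        self.accounts[user] = Account(salt, _hash_password(password, salt), set(cids))

    def revoke_cid(self, user, cid):
        # "This Client-ID no longer represents me": move it from enrolled to revoked.
        acct = self.accounts[user]
        acct.enrolled_cids.discard(cid)
        acct.revoked_cids.add(cid)

    def new_session(self):
        return {"tls": False, "cid": None}

    def handle(self, session, line):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            return "250-mail.example.test\r\n250-STARTTLS\r\n250-CLIENTID\r\n250 AUTH PLAIN"
        if verb == "STARTTLS":
            session["tls"] = True   # real servers wrap the socket here
            return "220 Ready to start TLS"
        if verb == "CLIENTID":
            if not session["tls"]:
                # The identifier is a secret; never accept it over a plaintext channel.
                return "530 Must issue a STARTTLS command first"
            cid_type, _, cid = arg.partition(" ")
            if not cid_type or not cid:
                return "501 Syntax: CLIENTID <type> <identity>"
            session["cid"] = (cid_type.upper(), cid)
            return "250 OK"
        if verb == "AUTH":
            return self._auth(session, arg)
        return "500 Command not recognized"

    def _auth(self, session, arg):
        mech, _, blob = arg.partition(" ")
        if mech.upper() != "PLAIN":
            return "504 Unrecognized authentication type"
        try:
            _authz, user, password = base64.b64decode(blob).decode().split("\x00")
        except (ValueError, UnicodeDecodeError):
            return "501 Malformed AUTH PLAIN"
        acct = self.accounts.get(user)
        pw_ok = acct is not None and hmac.compare_digest(
            _hash_password(password, acct.salt), acct.pw_hash)
        if not pw_ok:
            self.events.append(("bad-password", user))
            return "535 Authentication failed"
        cid = session["cid"][1] if session["cid"] else None
        if cid in acct.enrolled_cids:
            self.events.append(("login-ok", user, cid))
            return "235 Authentication successful"
        # Correct password but missing, unknown or revoked CID: the signal that the
        # credentials themselves leaked, so it is logged apart from password failures.
        kind = "revoked-cid" if cid in acct.revoked_cids else "unknown-cid"
        self.events.append((kind, user, cid))
        return "535 Authentication failed"


def attempt(server, user, password, cid=None, use_tls=True):
    """Drive one session through EHLO/STARTTLS/CLIENTID/AUTH and return the final reply."""
    sess = server.new_session()
    server.handle(sess, "EHLO client.example.test")
    if use_tls:
        server.handle(sess, "STARTTLS")
    if cid is not None:
        reply = server.handle(sess, f"CLIENTID DEVICE-ID {cid}")
        if not reply.startswith("250"):
            return reply
    blob = base64.b64encode(f"\x00{user}\x00{password}".encode()).decode()
    return server.handle(sess, f"AUTH PLAIN {blob}")


if __name__ == "__main__":
    srv = CidServer()
    srv.add_account("alice@example.test", "correct horse", ["laptop-1"])
    print(attempt(srv, "alice@example.test", "correct horse", "laptop-1"))
    print(attempt(srv, "alice@example.test", "correct horse"))   # leaked password, no CID
    srv.revoke_cid("alice@example.test", "laptop-1")
    print(attempt(srv, "alice@example.test", "correct horse", "laptop-1"))  # stolen device
    print(srv.events)
```

The point to notice is the last branch of `_auth`: the server deliberately returns the same 535 reply whether the password or the CID was wrong, so an attacker learns nothing extra, but internally it records "unknown-cid" and "revoked-cid" as distinct events. Those are the entries a provider would alert on, because a correct password with the wrong device is exactly the pattern that a credential-stuffing attempt leaves behind.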
Conclusion
This is of course a simplified explanation. Software designers have to consider shared devices, how to ensure that CID only gets sent across encrypted channels…the list goes on and on.
Cyber threats are a constant in today’s world and we need to stay a step ahead. There is always a better, more secure way to identify anyone presenting authentication credentials, and it’s our responsibility to find it and make it simple enough to be used in any trusted relationship, without the need to share identification. CID is designed so that any existing authentication model is able to tie in the idea of what represents you, without having to share your information with the world.
We encourage all designers of email servers or clients (or any services that use email address and password to identify their customers) to adopt CID as a strategy, so that the ordinary end user can lock the use of their authentication credentials to the devices that represent them.
It’s not bulletproof, but it beats sharing your personal data with every service you encounter, right?
Technical Resources:
https://datatracker.ietf.org/doc/draft-storey-smtp-client-id/?include_text=1