You’re on a management training day and the leader sets you what appears to be a simple problem:
Password security is broken as passwords are ‘static’ and easy prey for hackers to capture, crack and re-use, sell on the Dark Web etc. The better alternative is clearly one-time passcodes (OTPs) which change every time. But sending them by text also appears to be broken, due to SIM fraud/swapping. How can you convey OTPs to users in a better, more secure way?
Once we all realised passwords offered scant protection online, technologists began to look for alternatives. In the 70s there were key-fob ‘tokens’, little plastic devices able to give users a new six-digit code every 60 seconds. At one time their creator RSA had some 40 million in circulation. But there was a flaw: the details of each one (its ‘key’) were kept in a global database, and RSA’s was hacked in 2011, causing major damage to the technology’s reputation (Lockheed Martin blamed its own compromise on RSA’s data breach).
Using mobile phones instead of key-fobs achieved varying degrees of success. Some had bits of software running on them, allowing OTPs to be displayed on-screen, while other versions like Duo simply ask the phone user “is this you logging in?”.
There are also phone-based products like Google Authenticator, but as an engineer at Google admitted in 2017, only about 10% of Google apps were then enjoying this kind of protection, suggesting it wasn’t that popular. Clearly phone-based two-factor (more accurately, in some cases, ‘two-step’) authentication had not found universal appeal with end-users. There were solid reasons for this. For instance, many staff simply do not want to use their personal mobiles for work-related tasks.
However, there is another version using mobiles which has gained huge acceptance with end users, making it a clear front runner for banks now wanting to roll out Strong Customer Authentication (SCA) at the behest of the European Banking Directive PSD2.
‘SMS OTP’ involves a bank or other organisation sending a code to a user via their mobile, and he/she sends it back over the web, neatly completing an ‘out of band’ (OOB) authentication sequence. Its creators argued that only the end-user could possibly receive and send back the OTP.
But they reckoned without the ingenuity of hackers, who discovered they could easily take over victims’ mobile accounts by simply asking mobile operators for replacement SIM cards (claiming they were the account holder and had lost or damaged their phone). This allowed them to divert bank security codes to themselves!
Experts warned of this threat up to eight years ago, but it wasn’t until America’s National Institute of Standards and Technology (NIST) ‘downgraded’ the security of SMS OTP in 2015 that the world really began to take notice.
One high-profile victim was the chef blogger Jack Monroe, who lost £5000 from her bank account last autumn when hackers hijacked her mobile account. Europol broke up two rackets in March which had netted millions of euros from 100 victims. Fernando Ruiz, acting Head of Europol’s European Cybercrime Centre, said: “SIM swapping robs victims of more than just their phones: SIM hijackers can empty your bank account in a matter of hours.”
Wind on to the present day. Could something as simple as a little grid of numbered squares – looking not unlike a game of Sudoku – offer an answer? A solution called Shayype transmits OTPs direct to users’ web-screens, in a process its inventors claim is direct-to-browser (DTB). Might DTB OTP, which employs a grid of numbered squares which changes every time, be the answer to the SMS OTP problem?
Its creators, Jon Beal and Jonathan Craymer, based in rural Cambridgeshire, certainly hope so. Furthermore, the back end (or ‘guts’) of their system may well prove to be almost impossible to hack, as it contains no stored information an attacker could re-use.
The pair are critical of existing authentication technologies claiming all of them suffer from two major flaws. Each of them requires users to give something away (e.g. a mobile number or fingerprint) and all such items can be stolen, as can physical devices.
Shayype could be used they say almost everywhere human beings need to prove who they are, from logging into websites or networks to online transactions and ATMs, to door-locks and home deliveries (perhaps improving on the indecipherable squiggles we’re all asked to create on hand-held devices?). It might therefore have additional applications in technologies like blockchain and IoT.
“Shayype is very much an ‘ingredient’ able to add to or improve new and existing systems,” says Mr Craymer.
“Thanks to the sophistication of its back end we’re provided doesn’t accidentally give away their secret.
“And if the worst does happen and a user secret is compromised, at least it can quickly be reset, which can’t be said of things like fingerprints. Quantum computing poses no threat, as no matter how fast a computer may be at trying to reverse-engineer fixed passwords, once a Shayype OTP has been used it cannot be used again and the secret itself is never exposed, so the quantum machine is powerless. The same applies to any other kind of brute force, which a system like this can easily be set up to resist. We’ve also put a lot of research into countering threats like shoulder-surfing, screen-recording/scraping and bots.”
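The two properties claimed above for any OTP scheme, that a code cannot be used twice and that guessing can be throttled, are enforced on the server side, whatever channel delivers the code. The following is an added illustration, not Shayype’s code or any vendor’s; the `OtpVerifier` class, the policy values (two-minute lifetime, five wrong guesses) and the user names are constructed assumptions.

```python
import hmac
import secrets
import time

# Assumed policy values (constructed for this example, not taken from any product).
OTP_TTL_SECONDS = 120
MAX_FAILED_ATTEMPTS = 5
OTP_DIGITS = 6


class OtpVerifier:
    """Server-side record of outstanding one-time passcodes.

    Each issued code is bound to one user, expires after OTP_TTL_SECONDS,
    is consumed on first successful use, and is discarded after too many
    wrong guesses, so a captured-and-replayed code and online brute force
    both fail.
    """

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._pending = {}       # user -> [code, expires_at, failed_attempts]

    def issue(self, user):
        # Cryptographically random code; a fresh issue replaces any earlier code.
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[user] = [code, self._now() + OTP_TTL_SECONDS, 0]
        return code

    def verify(self, user, submitted):
        entry = self._pending.get(user)
        if entry is None:
            return False         # nothing outstanding: unknown user or code already used
        code, expires_at, failed = entry
        if self._now() > expires_at:
            del self._pending[user]
            return False         # expired: user must request a new code
        # Constant-time comparison so timing does not leak how many digits matched.
        if hmac.compare_digest(code, submitted):
            del self._pending[user]  # consumed: replaying the same code now fails
            return True
        entry[2] = failed + 1
        if entry[2] >= MAX_FAILED_ATTEMPTS:
            del self._pending[user]  # invalidated: cycling through all codes is cut off
        return False
```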
Shayype is brand new and those behind it are already in talks with potential customers. Testing has shown the system is easy for individuals to use, and there is to be an initial pilot on an arts site with 500 users – Cambridge Open