Authentication for generations
Authentication in the digital world started in 1961 when passwords were invented at MIT. Since then authentication has gone through a number of generations.
Generation 0: The user enters username and password to the computer. The computer checks the password.
Simple as that. When done properly the computer stores salted hashes to check the password against. This type of authentication predates networks, from the days when the computer was a mainframe or a stand-alone machine. In that scenario generation 0 is perfectly adequate.
Generation 1: The user enters username and password over the network to the remote system. The remote system checks the password.
This is a continuation of generation 0 in a networked world. Since simply using generation 0 over the network is woefully inadequate, some remediating techniques were added, such as challenge-response and encrypted communication channels. When done right, generation 1 can be quite good, but it has a problem with scaling. A user of many systems either needs to remember many passwords, which is not great, or to reuse passwords, which is really bad. Password managers were invented to alleviate this, but they are basically crutches with their own inherent problems.
Generation 2: The user enters username and password over the network to the IDP, that then gives the user an ID token. The user sends the ID token over the network to the remote system. The remote system checks the ID token.
This type of authentication came about to address the shortcomings of generation 1. ID tokens are cryptographically strong proofs of the authentication. The user has only one password, so scaling is great. The issue with generation 2 is the dependence on the IDP. It quickly becomes a single point, which amplifies problems with attacks, performance, failures, et cetera.
Generation 3: The user enters the password to the end-user device, which unlocks its authenticator. The authenticator then authenticates over the network to the remote system. The remote system checks in the distributed ledger that the user is registered with the authenticator.
This is a fresh take on authentication. It lies within the paradigm that is called Self-Sovereign Identity (SSI). Some parts of generation 3 are well established, some are more or less in the making. This generation promises a good user experience, a decentralized resilient infrastructure, and not least very high security.
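To make the generation 3 check concrete, here is an added Go example that is not from the post: an in-memory stand-in for the distributed ledger, an authenticator that signs the remote system's challenge, and the remote system's verification against the key registered for that user. The `Ledger` type, the `bank.example` and `shop.example` identifiers and the user name are assumptions; the password that unlocks the authenticator is left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Ledger stands in for the generation 3 distributed ledger: user identifier to
// public key of the registered authenticator (constructed in-memory stand-in).
type Ledger map[string]ed25519.PublicKey

// Authenticator holds the device-bound private key that the user's password unlocks (that step is omitted here).
type Authenticator struct{ priv ed25519.PrivateKey }

// Register generates a key pair and records the public half on the ledger.
func Register(ledger Ledger, user string) (*Authenticator, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	ledger[user] = pub
	return &Authenticator{priv: priv}, nil
}

// message binds the remote system's identifier to its challenge: a signature made for one remote cannot be replayed at another.
func message(remote string, challenge []byte) []byte {
	return append([]byte(remote+"|"), challenge...)
}

// Sign is the authenticator's answer to a remote system's challenge.
func (a *Authenticator) Sign(remote string, challenge []byte) []byte {
	return ed25519.Sign(a.priv, message(remote, challenge))
}

// VerifyGen3 is the remote system's check against the key the ledger lists for the user.
func VerifyGen3(ledger Ledger, user, remote string, challenge, sig []byte) bool {
	pub, ok := ledger[user] // no entry: the user never registered an authenticator
	return ok && ed25519.Verify(pub, message(remote, challenge), sig)
}

func main() {
	ledger := Ledger{}
	auth, _ := Register(ledger, "alice")
	challenge := make([]byte, 32)
	rand.Read(challenge) // the remote system picks a fresh random challenge
	sig := auth.Sign("bank.example", challenge)
	fmt.Println(VerifyGen3(ledger, "alice", "bank.example", challenge, sig)) // true
	fmt.Println(VerifyGen3(ledger, "alice", "shop.example", challenge, sig)) // false
}
```

Note the contrast with generation 2: here the remote system trusts no central IDP key, only the per-user entry on the ledger, and every answer is bound to a fresh challenge and to the remote system it was made for.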


It is quite exciting to see how generation 3 is taking shape these years. It will take something like ten years for it to be fully mature, but hardly more than three to be in widespread use. I see two major drivers for this development.
1: National and supranational push for SSI solutions.
In the summer of 2021 the European Union started drafting eIDAS 2.0, possibly triggered by the COVID-19 experience. It turned into a revision of eIDAS that transforms it into a full SSI solution.
Milestones:
• approved in the European Parliament February 2024,
• first test service launched July 2024,
• technical requirements published November 2024.
Future targets:
• full implementation in EU member states September 2026,
• 80% of EU citizens and companies active users in 2030.
As a surprise to most observers, China launched their solution in December 2023. It is called China RealDID. Reporting on it is sparse, but it appears to have been gaining momentum since the launch.
2: We have reached a technological tipping point.
It seems that legacy banking and cryptocurrency, by accident and each in its own way, have driven the development to a point where SSI is now feasible for real-world solutions.
Legacy banking did so through the requirements for making payments from your private device. That gave us platform authenticators in practically every device there is today.
Cryptocurrency did so by developing and maturing ledger technology, and also by driving a lot of the advanced applied cryptography.
Finally, generation 3 is simply an improvement in so many areas: security, flexibility, user experience... It is destined to take over, one way or the other.
That said, not everyone wants this change. It is being antagonized. It is worth noting that some large IT companies are going to lose revenue and influence when SSI takes over, so there are strong forces among those that are resisting. But I think, as I wrote, that the most they can do is to delay the process.
It looks like the transition will be taken in many small steps, as a lot of the current work in this area is to combine technologies from generations 2 and 3 into different transitional hybrid solutions.
Looking ahead, the transformation will probably look like this.


Related:
Black boxes for security
MFA