
Authentication for generations

Authentication in the digital world started in 1961, when passwords were invented at MIT. Since then authentication has gone through a number of generations.

Generation 0: The user enters username and password to the computer. The computer checks the password.

Simple as that. When done properly, the computer holds salted hashes to check the password against. This type of authentication predates networks; it comes from the era when the computer was a mainframe or a stand-alone machine. In that scenario generation 0 is perfectly adequate.

Generation 1: The user enters username and password over the network to the remote system. The remote system checks the password.

This is a continuation of generation 0 in a networked world. As it is woefully inadequate to just use generation 0 over the network, some remediating techniques were added, like challenge-response and encrypted communication channels. When done right, generation 1 can be quite good, but it has a problem with scaling. A user of many systems must either remember many passwords, which is not great, or reuse passwords, which is really bad. Password managers were invented to alleviate this, but they are basically crutches with their own inherent problems.
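To make the difference between generation 0 and generation 1 concrete, here is an added example in Go (written for this page, not code from the original post) that implements both checks with only the standard library. The salted verifier is PBKDF2-HMAC-SHA256 written out inline, the challenge-response is a plain HMAC over a server nonce, and the record layout, function names, sample password and iteration count are all my own choices.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Iteration count for the password KDF. Kept small so the example runs fast;
// real deployments use far more, or a memory-hard function such as Argon2.
const kdfIterations = 10000

// deriveKey is PBKDF2-HMAC-SHA256 limited to a single 32-byte output block,
// written out here so the example needs only the standard library.
func deriveKey(password, salt []byte, iterations int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // INT(1): big-endian index of the first block
	u := mac.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// Record is what the system stores per user: a random salt and the derived
// verifier. The password itself is never stored.
type Record struct {
	Salt     []byte
	Verifier []byte
}

// Enroll creates the stored record for a new user.
func Enroll(password string) (Record, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return Record{}, err
	}
	return Record{Salt: salt, Verifier: deriveKey([]byte(password), salt, kdfIterations)}, nil
}

// CheckPasswordLocal is generation 0: the password is typed into the machine
// that holds the record, re-derived and compared in constant time.
func CheckPasswordLocal(rec Record, password string) bool {
	return hmac.Equal(rec.Verifier, deriveKey([]byte(password), rec.Salt, kdfIterations))
}

// NewChallenge is generation 1's remedy for sending the password over the
// network: the remote system issues a fresh random nonce for every attempt,
// so a captured response is useless for replay.
func NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// ClientResponse runs on the user's side. Given the salt and the nonce from
// the server, the client derives the same verifier and proves possession of it
// with an HMAC over the nonce. The password never leaves the client.
func ClientResponse(password string, salt, nonce []byte) []byte {
	key := deriveKey([]byte(password), salt, kdfIterations)
	mac := hmac.New(sha256.New, key)
	mac.Write(nonce)
	return mac.Sum(nil)
}

// VerifyResponse runs on the remote system, which computes the expected
// response from its stored verifier and compares in constant time.
func VerifyResponse(rec Record, nonce, response []byte) bool {
	mac := hmac.New(sha256.New, rec.Verifier)
	mac.Write(nonce)
	return hmac.Equal(mac.Sum(nil), response)
}

func main() {
	const password = "correct horse battery staple" // constructed sample
	rec, err := Enroll(password)
	if err != nil {
		panic(err)
	}
	fmt.Println("generation 0, local check:", CheckPasswordLocal(rec, password))

	nonce, err := NewChallenge()
	if err != nil {
		panic(err)
	}
	resp := ClientResponse(password, rec.Salt, nonce)
	fmt.Println("generation 1, challenge-response:", VerifyResponse(rec, nonce, resp))
	fmt.Println("generation 1, wrong password:", VerifyResponse(rec, nonce, ClientResponse("wrong", rec.Salt, nonce)))
}
```

Two things worth noticing. The nonce is what stops replay: a response recorded on the wire only ever matches the challenge it was computed for. And the limitation of this simple scheme is that the remote system's stored verifier is itself enough to answer a challenge, so a leaked record must be treated as a leaked password, and the exchange still belongs inside the encrypted channel the text mentions.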

Generation 2: The user enters username and password over the network to the IDP, which then issues the user an ID token. The user sends the ID token over the network to the remote system. The remote system checks the ID token.

This type of authentication came about to address the shortcomings of generation 1. ID tokens are cryptographically strong proofs of the authentication. The user has only one password, so scaling is great. The issue with generation 2 is the dependence on the IDP. It quickly becomes a single point, which amplifies problems with attacks, performance, failures et cetera.
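The two hops of generation 2, as an added Go example written for this page (not code from the original post): an IDP that checks the one password and signs an ID token, and two remote systems that accept the token with nothing but the IDP's public key. It assumes a detached Ed25519 signature over a JSON claim set rather than a real JWT; the host names, the user and the demo credential store are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// IDToken is the claim set the IDP signs. The fields mirror what an OIDC ID
// token carries; the encoding is JSON plus a detached signature, not a real JWT.
type IDToken struct {
	Issuer   string `json:"iss"`
	Subject  string `json:"sub"`
	Audience string `json:"aud"`
	Expires  int64  `json:"exp"`
}

// SignedToken is what the user carries from the IDP to the remote system.
type SignedToken struct {
	Payload   []byte
	Signature []byte
}

// IDP holds the one credential store and the one signing key that every
// remote system trusts: the single point the text warns about.
type IDP struct {
	Name  string
	Pub   ed25519.PublicKey
	priv  ed25519.PrivateKey
	users map[string]string // constructed demo store; a real IDP keeps salted hashes (generation 0)
}

func NewIDP(name string, users map[string]string) (*IDP, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &IDP{Name: name, Pub: pub, priv: priv, users: users}, nil
}

// Login is the first hop: the user's only password goes to the IDP, which
// returns a short-lived ID token bound to the system the user wants to reach.
func (idp *IDP) Login(user, password, audience string, now time.Time) (SignedToken, error) {
	stored, ok := idp.users[user]
	if !ok || subtle.ConstantTimeCompare([]byte(stored), []byte(password)) != 1 {
		return SignedToken{}, errors.New("bad credentials")
	}
	claims := IDToken{Issuer: idp.Name, Subject: user, Audience: audience, Expires: now.Add(5 * time.Minute).Unix()}
	payload, err := json.Marshal(claims)
	if err != nil {
		return SignedToken{}, err
	}
	return SignedToken{Payload: payload, Signature: ed25519.Sign(idp.priv, payload)}, nil
}

// RelyingParty is a remote system. It never sees a password and needs only the
// IDP's public key, which is why one IDP scales to any number of systems.
type RelyingParty struct {
	Name    string
	IDPName string
	IDPPub  ed25519.PublicKey
}

// Accept is the second hop: verify the signature first, then every claim that
// limits where and for how long the token is valid.
func (rp RelyingParty) Accept(tok SignedToken, now time.Time) (string, error) {
	if !ed25519.Verify(rp.IDPPub, tok.Payload, tok.Signature) {
		return "", errors.New("signature does not verify")
	}
	var claims IDToken
	if err := json.Unmarshal(tok.Payload, &claims); err != nil {
		return "", err
	}
	if claims.Issuer != rp.IDPName {
		return "", errors.New("unknown issuer")
	}
	if claims.Audience != rp.Name {
		return "", errors.New("token was issued for another system")
	}
	if now.Unix() >= claims.Expires {
		return "", errors.New("token expired")
	}
	return claims.Subject, nil
}

func main() {
	idp, err := NewIDP("idp.example", map[string]string{"alice": "correct horse battery staple"}) // constructed
	if err != nil {
		panic(err)
	}
	mail := RelyingParty{Name: "mail.example", IDPName: idp.Name, IDPPub: idp.Pub}
	files := RelyingParty{Name: "files.example", IDPName: idp.Name, IDPPub: idp.Pub}
	now := time.Now()
	tok, _ := idp.Login("alice", "correct horse battery staple", mail.Name, now)
	fmt.Println(mail.Accept(tok, now))                     // alice <nil>
	fmt.Println(files.Accept(tok, now))                    // rejected: wrong audience
	fmt.Println(mail.Accept(tok, now.Add(10*time.Minute))) // rejected: expired
}
```

The audience and expiry checks are the part relying parties most often skip, and skipping them turns a token meant for one system into a key to every system the IDP serves. The single-point problem is visible in the code too: everything hinges on `idp.priv`, so if the IDP is unreachable nobody can log in anywhere, and if that one key leaks every remote system will accept forged tokens until it is rotated.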

Generation 3: The user enters the password to the end-user device, which unlocks its authenticator. The authenticator then authenticates over the network to the remote system. The remote system checks in the distributed ledger that the user is registered with the authenticator.

This is a fresh take on authentication. It lies within the paradigm that is called Self-Sovereign Identity (SSI). Some parts of generation 3 are well established, some are more or less in the making. This generation promises a good user experience, a decentralized resilient infrastructure, and not least very high security.
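The generation 3 flow described above, as an added Go example written for this page (not code from the original post or from any SSI project): a device-bound authenticator that is unlocked locally, a remote system that issues challenges, and a registry standing in for the distributed ledger. It assumes Ed25519 keys, an in-memory map in place of a real replicated ledger, and a constructed `did:example:` identifier and PIN.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Authenticator models the platform authenticator in the user's device. The
// private key is generated inside it and never exported; Unlock stands in for
// the local PIN or biometric check that gates its use.
type Authenticator struct {
	pin      string
	priv     ed25519.PrivateKey
	Pub      ed25519.PublicKey
	unlocked bool
}

func NewAuthenticator(pin string) (*Authenticator, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{pin: pin, priv: priv, Pub: pub}, nil
}

// Unlock is the only place the user's secret is checked, and it happens on
// the device: nothing derived from the PIN ever travels over the network.
func (a *Authenticator) Unlock(pin string) bool {
	a.unlocked = subtle.ConstantTimeCompare([]byte(a.pin), []byte(pin)) == 1
	return a.unlocked
}

// Sign answers a challenge with a proof of possession; refused while locked.
func (a *Authenticator) Sign(challenge []byte) ([]byte, error) {
	if !a.unlocked {
		return nil, errors.New("authenticator is locked")
	}
	return ed25519.Sign(a.priv, challenge), nil
}

// Ledger stands in for the distributed ledger: a registry mapping a user's
// decentralized identifier (DID) to the authenticator public keys registered
// for it. Here it is an in-memory map; the real thing is replicated across
// many nodes so that no single operator can alter, withhold or take it down.
type Ledger struct {
	entries map[string][]ed25519.PublicKey
}

func NewLedger() *Ledger { return &Ledger{entries: map[string][]ed25519.PublicKey{}} }

// Register appends a key to the user's entry; entries are never edited in place.
func (l *Ledger) Register(did string, pub ed25519.PublicKey) {
	l.entries[did] = append(l.entries[did], pub)
}
func (l *Ledger) Lookup(did string) []ed25519.PublicKey { return l.entries[did] }

// RemoteSystem holds no passwords and trusts no IDP key; it needs only read
// access to the ledger and a source of fresh challenges.
type RemoteSystem struct {
	Name   string
	Ledger *Ledger
}

// NewChallenge prefixes a random nonce with the system's name, so the
// signature is bound to the system that asked for it.
func (rs RemoteSystem) NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append([]byte(rs.Name+":"), nonce...), nil
}

// Verify accepts the signature if any key the ledger lists for the DID made it.
func (rs RemoteSystem) Verify(did string, challenge, sig []byte) bool {
	for _, pub := range rs.Ledger.Lookup(did) {
		if ed25519.Verify(pub, challenge, sig) {
			return true
		}
	}
	return false
}

func main() {
	ledger := NewLedger()
	auth, err := NewAuthenticator("1234") // constructed PIN
	if err != nil {
		panic(err)
	}
	const did = "did:example:alice" // constructed identifier
	ledger.Register(did, auth.Pub)
	rs := RemoteSystem{Name: "files.example", Ledger: ledger}
	challenge, _ := rs.NewChallenge()
	_, err = auth.Sign(challenge)
	fmt.Println("signing while locked:", err)
	auth.Unlock("1234")
	sig, _ := auth.Sign(challenge)
	fmt.Println("ledger-backed verification:", rs.Verify(did, challenge, sig))
}
```

Compare what each party holds with the earlier generations: the remote system keeps no password database and no IDP key, so a breach of it yields nothing reusable elsewhere, and the password (here a PIN) is checked only on the device that owns the key. What the ledger has to guarantee is integrity and availability of the registered public keys; confidentiality is not required, since nothing secret is stored in it.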

[Figure: generations]

It is quite exciting to see how generation 3 is taking shape in these years. It will take something like ten years for it to be fully mature, but hardly more than three to be in widespread use. I see two major drivers for this development.

1: National and supranational push for SSI solutions.

In the summer of 2021 the European Union started drafting eIDAS 2.0, possibly triggered by the COVID-19 experience. It turned into a revision of eIDAS that transforms it into a full SSI solution.

Milestones:
• approved in the European Parliament February 2024,
• first test service launched July 2024,
• technical requirements published November 2024.
Future targets:
• full implementation in EU member states September 2026,
• 80% of EU citizens and companies as active users by 2030.

As a surprise to most observers, China launched their solution in December 2023. It is called China RealDID. Reporting on it is sparse, but it appears to have been gaining momentum since the launch.

2: We have reached a technological tipping point.

It seems that legacy banking and cryptocurrency, each in its own way and more or less by accident, have driven the development to a point where SSI is now feasible for real-world solutions.

Legacy banking did so through the requirements for making payments from your private device. That gave us platform authenticators in practically every device there is today.

Cryptocurrency did so by developing and maturing ledger technology, and also by driving a lot of the advanced applied cryptography.

Finally, generation 3 is simply an improvement in so many areas: security, flexibility, user experience... It is destined to take over, one way or the other.

That said, not everyone wants this change. It is being antagonized. It is worth noting that some large IT companies are going to lose revenue and influence when SSI takes over. So there are strong forces among those that are resisting. But I think, as I wrote, that the most they can do is to delay the process.

It looks like the transition will be taken in many small steps, as a lot of the current work in this area is to combine technologies from generations 2 and 3 into different transitional hybrid solutions.

Looking ahead, the transformation will probably look like this.

[Figure: core technologies relevance over time]
