Threats

Comparing Secrets vs. Signatures For Authentication

In high-stakes enterprise cybersecurity, strong access controls are critical because account takeover is a primary entry point to a corporate network. Authentication methods are central to access control implementation and effectiveness. A comprehensive authentication scheme may use multiple factors to achieve authentication and these factors are broken down into (1) something you know (e.g., a secret password or PIN number), (2) something you have (e.g., smartphone or hardware access token), and (3) something you are (e.g., biometric fingerprint or facial recognition).

In this article, we will compare the traditional "something you know" (aka secrets) with "something you have" in the form of a public/private key pair and weigh in on their pros and cons.

Authentication secrets

Authentication secrets are confidential pieces of information, such as passwords, PINs, and MFA one-time-passcodes (OTP) that users provide to verify their identity during authentication. Secrets rely on the assumption that only the legitimate user possesses this unique knowledge. However, there are significant drawbacks associated with secrets. 

If stolen, secrets can be used in replay attacks to impersonate the user and potentially gain unauthorized access. Also, if secrets are predictable they can be brute-forced (aka "cracked") using various methods.

This means the secrets must also be complex leading to the current standard of difficult-to-remember complex pseudo ransom passwords that often must meet an array of requirements such as minimum length and including special characters to increase keyspace. This has pushed the authentication form of "something you know" to look more and more like "something you have" as users flee to password managers to hold all their complex secrets thereby requiring them to have their password manager installed into their browser and mobile device.

Secrets are also vulnerable because they are passed directly over the wire (aka in-transit) and are therefore susceptible to replay attacks. So, in order to protect against the inherent weakness of secrets, security architects have layered on additional methods to increase protection such as HTTPS layered encryption, multi-factor authentication, and even contextual analysis of geolocation, and behavioral patterns. Looking at the big picture, the use of secrets for authentication has proven to be quite insufficient indeed.

Authentication signatures

What are digital signatures for authentication? Digital signatures provide authentication in an inherently different way than secrets do. Digital signatures (also known as public key infrastructure or PKI) use a key pair consisting of a private key and a public key to perform authentication. In a nutshell, the user who wants to prove their identity pre-shares their public key with the service that wants to verify their identity. The public key doesn't have to be protected as we will see in a moment, which is why it's called the "public" key. When the user wants to authenticate, they perform a mathematical function on an arbitrary piece of data (a digital signature) and then pass that original data along with the "signed" version to the service holding their public key. The service can then mathematically determine that the signed data was created with the corresponding private key. 

The main advantage of digital signatures for authentication is that they do not transmit a replayable piece of data during the authentication process. This fact prevents the possibility of replay attacks. However, we should note that signatures still rely on protecting a secret: the private key must be protected to ensure that only the authorized person can access it.

Combining the fact that digital signatures are not replayable and that private keys never need to be sent over the wire, it's safe to say they provide a more secure alternative to secrets. They also ease the burden of humans remembering something meaning they are less likely to be written down. They are exponentially more difficult to brute force than even the most complex traditional login passwords.

Replacing Secrets With Signatures 

There are multiple signature options to replace secrets. These include:

Secure Quick Reliable Login

SQRL (pronounced "squirrel") stands for Secure Quick Reliable Login, a modern, user-friendly, and secure digital signature-based authentication system developed as an alternative to the traditional username and password-based logins.

When a user wants to authenticate with a website, the site presents a unique QR code or URL. The user's SQRL mobile app or browser extension scans the QR code or clicks the URL, digitally signs the authentication request, and sends the signed response back to the site.

Apple, Google, And Microsoft Introduce "Passkeys"

Passkeys are a new signature-based authentication technology introduced by Apple, Google, and Microsoft, aiming to replace traditional passwords for users at scale. Stored on a user's device, passkeys use digital signatures for authentication, reducing the risk of credential leaks and replay attacks. Users can quickly unlock their private keys with a biometric check, such as fingerprint recognition or face ID meaning their private key is encrypted while on the device.

Passkeys can also be synchronized across devices using services like Apple's iCloud Keychain or Google's Chrome password manager, making for a fairly convenient login experience. However, to use passkeys, users must have their device with them, as logging in from another device without their own is impossible. Passkeys are now available on iOS 16, they will soon be introduced to other platforms, including MacOS Ventura, Android, Chrome, and Windows. 

Hardware Security Tokens

Hardware security tokens are physical devices that hold private keys and can perform digital signatures. They provide an additional layer of security in authentication processes and are commonly used in multi-factor authentication (MFA) schemes and signatures are typically performed by simply plugging in a small USB device or passing it by an NFC reader such as the one included in most mobile phones.

The generated signature is then sent to the service or system, which verifies it using the corresponding public key. The huge benefit of hardware security tokens is that the private key cannot be extracted from the hardware token making them immune to digital theft or "Stealer" malware. Since the private key is securely stored within the physical device, attackers cannot extract it using traditional software-based attacks. This advantage makes hardware security tokens a robust option for securing sensitive data and transactions.

The one drawback to hardware tokens is that they are still susceptible to physical theft and if stolen advanced hardware tampering may allow extraction of the private key. However, in an MFA scheme, the authentication process would ideally not only rely on the possession of the hardware token for sensitive processes.

Signatures Are Imperfect

While digital signatures offer a more robust solution than authentication secrets, it is essential to acknowledge and address their potential vulnerabilities to maintain a high level of security in authentication processes. Digital signatures have potential vulnerabilities, including weak algorithms, flawed implementations, and stolen private keys. 

It's important to use strong cryptographic algorithms such as ones that have been approved by reputable cybersecurity standards organizations such as CISA, NIST, FIPS, and SANS. However, even a theoretically solid algorithm can be undermined by a weak implementation. Follow best practices during the design and implementation of PKI authentication schemes including both dynamic and static application testing to reduce the potential of allowing bugs in the implementation. Finally, implementing strong endpoint and network security to protect the devices that private keys exist on. 

While digital signatures are not perfect, they are considered better than secret-based authentication allowing a higher level of security in authentication processes.

Conclusion

Although a perfect authentication scheme indeed doesn't exist yet, and may never be possible, digital signatures have emerged as a more secure alternative to traditional secrets in authentication processes. The adoption of this technology by apps and websites is expected to increase gradually, offering enhanced security and convenience for users. 

Signatures, such as those employed in public key infrastructure (PKI), offer enhanced protection against many common attack vectors. The main vulnerability in digital signatures lies in the protection of private keys.

However, securing private keys is often more manageable than protecting passwords, as they never need to leave the device. By leveraging modern solutions like hardware security tokens, passphrases, and secure storage solutions, users can effectively safeguard private keys and strengthen the overall security of authentication systems.

Ready to examine your organization's existing level of security? Book a Cyber Maturity Assessment today or fill out the form below to receive our informative Buyer's Guide.

Featured Posts

See All

October 24 - Blog

Packetlabs at SecTor 2024

Packetlabs is thrilled to have been a part of SecTor 2024. Learn more about our top takeaway's from this year's Black Hat event.

September 27 - Blog

What is InfoStealer Malware and How Does It Work?

InfoStealer malware plays a key role in many cyber attacks, enabling extortion and lateral movement via stolen credentials. Learn the fundamentals about InfoStealers in this article.

September 26 - Blog

Blackwood APT Uses AiTM Attacks to Target Software Updates

Blackwood APT uses AiTM attacks that are set to target software updates. Is your organization prepared? Learn more in today's blog.