Free Trial
Contact Us
Podcast

Root Causes 11: Authentication Is Not for the Authenticated

Hosted by
Tim Callan
Tim Callan
Chief Compliance Officer
Jason Soroko
Jason Soroko
Fellow
Original broadcast date
April 9, 2019

With so much debate about the role and importance of authentication in digital systems, it is important to remember the purpose of authenticated identity in our cyber interactions. Join us for a discussion of who benefits from known identity, what can go wrong when identity is obscured, and why ecosystems must include incentives for members to participate in identity authentication.

Podcast Transcript

Lightly edited for flow and brevity.
Tim CallanTim CallanI'm excited because we’re talking about a topic that’s dear to my heart, which is that the concept that authentication is not for the authenticated.
Jason SorokoJason SorokoThat’s a great way of putting it.
Tim CallanTim CallanI’ve been talking about this a long time with a lot of people. In the world of public certificates and public trust, one of the things that I notice that comes up over and over again is that IT decision makers and people who operate websites and digital systems at companies are used to thinking about the direct benefit to their businesses of the solutions they purchase. And certificates are a little unusual in that regard in that authentication, as I said, is not actually for the authenticated.
Jason SorokoJason SorokoYeah. Yeah.
Tim CallanTim CallanAnd what I mean by that is, you know who you are, right Jay?
Jason SorokoJason SorokoI think so most of the time.
Tim CallanTim CallanYes, and I know who I am. And oftentimes when you talk to people at companies their attitude is, “Well, we know who we are. We know we’re our company. I don’t need anybody to tell me that I'm this company.” And that’s true, you don’t, but how often do you or I deal with other people in the world who don’t necessarily know us by sight, and how do those people trust that we are the individuals that we claim to be?
Jason SorokoJason SorokoI don’t think Alice always has met Bob beforehand.
Tim CallanTim CallanRight. If you and I happen to be in the same place, I look up and I say, “Oh, there’s Jay.” It’s easy. But if I don’t know you there needs to be some mechanism to know who you are, and this is where in the offline world, we wind up using things like passports.
Jason SorokoJason SorokoIf you and I wanted to do business together, right, we want to have a transaction, back in the old day it was, “Meet me at this house and knock three times, and I’ll know it’s you.” We have a term for that in our world which is a shared secret. But that necessarily means that there had to be a pre-existing relationship.
Tim CallanTim CallanSure.
Jason SorokoJason SorokoNow in a digital world we’re seeing so many use cases where that just doesn’t exist.
Tim CallanTim CallanEven if we stay in the old world but not quite that old, it used to be when I was young if you wanted to pay with a check at a store, back when people used to do that, you would show them your driver’s license. That was the same thing. It’s like I don’t know that you are, Bob, but if you show me your driver’s license and it matches what’s on your checkbook, now I have authentication in place. In the offline world we do this a lot. My great example, again, is the passport. Jay, do you have a passport?
Jason SorokoJason SorokoI do.
Tim CallanTim CallanDoes your passport have your name on it?
Jason SorokoJason SorokoIt does.
Tim CallanTim CallanDoes it have your picture on it?
Jason SorokoJason SorokoIt does.
Tim CallanTim CallanIs that because you don’t know who you are?
Jason SorokoJason SorokoNo, I know exactly who I am, and in fact sometimes when I look at that picture, I can’t believe that’s me.
Tim CallanTim CallanSo why do you have a passport?
Jason SorokoJason SorokoI have a passport in order to assert who I am to other people.
Tim CallanTim CallanCorrect. And if you did not have a passport what are some of the things that would be problematic?
Jason SorokoJason SorokoI probably couldn’t cross an international border. A number of other issues that I'm sure would come up.
Tim CallanTim CallanRight. I use my passport routinely. I have a passport card and it’s the thing I use every time I get on an airplane, even if I'm flying domestic. When I’ve prepaid for my hotel because I got a good rate online, I have to show them my ID before they give me my key. When I go to pick up a package. There are all kinds of occasions where I need to prove who I am, and in my case it’s always my passport card because I just have it. And without that all those opportunities would be lost to me.
Jason SorokoJason SorokoIt’s globally trusted. Even though we’ve seen the Jason Bourne movies where he’s carrying a bunch of passports, generally people trust it when you hand one over.
Tim CallanTim CallanGood point. The Jason Bourne movies illustrate another principal that we might return to, which is that a perfect is not necessary for good to be worthwhile. In his case maybe someone can make a fake passport, but almost all the passports you see are going to be real, and the level of trust is high enough that you can go with that. So in the digital world what’s our equivalent of a passport? It’s a certificate.
Jason SorokoJason SorokoYes sir.
Tim CallanTim CallanIn fact, that’s built right in to the word. Why do we call them certificates? Because they certify. And what do they certify? Every certificate without exception in one way or another certifies identity.
Jason SorokoJason SorokoAnd it’s a certificate authority that is etc., etc.
Tim CallanTim CallanIs the one that’s trusted to certify. Now if you own your own world, if you have a walled garden, you can be the Certificate Authority. So if I have a bunch of devices that are going to live inside my firewall and I want to be the Certificate Authority, I sit at the top and I say, “I'm the CISO, and I'm going to say which devices are real and which devices are not because I'm the source of truth.” That’s perfectly great. But when we get out into the world, when we’re out in the DMZ, you can’t do that anymore. There needs to be an independent authority, and that’s what the public CAs wind up being.
Jason SorokoJason SorokoThat’s right.
Tim CallanTim CallanNow what’s all this about authentication not being for the authenticated? We go back to the idea of saying, “Ok if I'm out in the DMZ, if I'm using, let’s say, SSL certificates because I want to stand up websites and anybody anywhere in the world can come to my website and initiate a sensitive transaction. They can open account, pay with a credit card, access PII or PHI or things along those lines. How do I assert that I am really who I claim to be?” And that’s where those public Certificate Authorities come in.
Jason SorokoJason SorokoTheir stamp of approval, essentially. You get your stamp approval from theirs.
Tim CallanTim CallanThey’re vouching for you.
Jason SorokoJason SorokoYeah.
Tim CallanTim CallanThen it comes to the question, what are they vouching for? And in the world of SSL there are actually tiers of authenticated identity that are available. At the lowest level you can get what you call Domain Validation, or DV. And what does Domain Validation tell us?
Jason SorokoJason SorokoIt basically means that you’ve proven to a Certificate Authority that you are in possession of the domain.
Tim CallanTim CallanRight. It says that I am really on ABCD.com. I am not on ABCDE.com. It doesn’t say anything, though, about who the heck it is.
Jason SorokoJason SorokoNot at all.
Tim CallanTim CallanWho is running ABCD.com.
Jason SorokoJason SorokoNothing.
Tim CallanTim CallanNow, there’s a different kind of certificate that we call an Extended Validation certificate, and what’s the capsule summary of the difference between that and a Domain Validated certificate?
Jason SorokoJason SorokoYou have to go through a fairly lengthy process typically in order to prove the fact that you are a legal entity. Essentially the validation of the business that is in possession of that domain.
Tim CallanTim CallanExactly correct. There are codified rules that are known to be highly effective that the public CAs must follow, and what they do at the end of that is they assert that this is a certain company. Not only do you control this domain, that still needs to be there, but that this is a specific company. This is the name and location of the company, and the person who got the certificate got it on behalf of that company.
Jason SorokoJason SorokoThat’s exactly right.
Tim CallanTim CallanAnd that means when I go to a website that has an Extended Validation certificate as a consumer, I now know that this actually is E*TRADE because there’s an Extended Validation certificate, let’s say, sitting on the E*TRADE site. And therefore, I know that it’s not somebody who’s pretending to be E*TRADE who is trying to steal my login credentials so they can go into my account and somehow steal my personal wealth.
Jason SorokoJason SorokoIf I get an email that claims to be PayPal. Click on the link. My browser opens up. My browser does not show green and all of a sudden, I am on PayPal.AndresBackyard.com. I pretty much know I'm not at PayPal.
Tim CallanTim CallanSo right. So that becomes the benefit for the end consumer, right? It’s this strange situation that’s very unusual in the world of IT purchasing where the purchaser is purchasing for the benefit of an outside party.
Jason SorokoJason SorokoYes.
Tim CallanTim CallanI am obtaining certificates and the choices I make make a difference to how secure the person who comes to my website is.
Jason SorokoJason SorokoIt’s a very important concept. Especially if I think about myself as a financial institution, I'm doing very serious business with people on the internet. I want people to know when they knock on my door, they’re knocking on my door and not somebody else.
Tim CallanTim CallanYou’re perfectly segueing into a good point which is, ok so why would I do this? If this certificate is to my benefit then I know why I would get it. But if this superior certificate is to someone else’s benefit in a world of pure capitalism and purely pragmatic, self-serving behavior, why would I get this at all?
Jason SorokoJason SorokoWell if my customers were routinely being drawn off to fraudsters, my customers are going to be upset.
Tim CallanTim CallanAbsolutely. First and foremost, it’s just plain brand reputation. You do not want your brand name associated with bad things. Someone going to a website and getting their stuff stolen is a bad thing, and you don’t want your brand associated with it. Very closely related to that is the idea that you want to project that you are doing the right thing for your customer and so showing your customer “Look, I'm here and it’s really me” is a way to communicate that.

That’s a good thing as well, but there’s also a concrete benefit which is research has indicated that when people see these company names that are usually in green sitting there in the browser, what we shorthand we call the green address bar, that they’re actually more likely to engage with the website. They’re more likely to complete a transaction or open a new account or use an online account they already have. They’re more likely to stay on the site, less likely to bounce. All those benefits are directly going back to the business who stands up the site.

If you think about it, it makes sense. If people can trust that they’re not being defrauded and they’re not being duped, then people will be more likely to engage in what they consider to be sensitive interactions than if they can’t trust that.
Jason SorokoJason SorokoAnd it’s not just about pure fraud. It’s about credential harvesting. You know I'm not going to enter anything into a form about my personal information or definitely not my username and password for something unless I have a really good idea of what site I'm on.
Tim CallanTim CallanAbsolutely. All kinds of data get mined. Social media data get mined and used in spearfishing and other kinds of social engineering attacks, and even things like your address can be gathered and then that can be matched up with other information, and so the level of sensitivity people have to engage in anything that seems even remotely online is high. So the connection there is valid, because now we can come back and see the benefit. Even though I know what business I am there are direct benefits, bottom-line benefits to my business if I ensure that other people know what business I am as well.
Jason SorokoJason SorokoIf I'm on a site where I'm just casually browsing and something catches my eye on the site, the chance of me impulse buying could be a heck of a lot higher if I see that green bar.
Tim CallanTim CallanWhen running your average day as an IT decision maker, people aren’t necessarily connecting the dots on that, but it’s very important for them to remember that this is an unusual technology purchasing decision and the decisions they make are going to affect their companies in ways beyond just what’s in front of them on their screen right now.
Jason SorokoJason SorokoIf you really want to think about it as a business, if you really want to extend the olive branch to a prospective customer, showing them the respect of proving who you are digitally on the modern internet is one way of doing it.

Stay informed with expert insights

Subscribe to Root Causes for engaging discussions on PKI, digital security, and best practices for protecting your organization's critical assets. Don’t miss an episode!

Listen on Apple PodcastsListen on SpotifyListen on SoundCloud