Trustworthy authentication is difficult to achieve. Indeed, the past three decades in the world of cyber security have been spent proving that point. One does not need to look any further than Google search to find three of the major suppliers in the authenticator markets who have recently suffered cyber attacks that their own authenticator products failed to block. The same results are found if searching for hacked identity providers and password managers.
AffirmID is an identity provider platform and service built on the industry’s three decades of trials and failures. Knowing what had been tried and failed enabled AffirmID developers to avoid mistakes of the past. As a result, AffirmID authentication is simple, safe, secure, and above all else, trustworthy.
This informational website is dedicated to explaining how we accomplished what had previously appeared to be impossible. Please visit AffirmID.net for pricing, availability, sales, service, and support. There may be passages where technical terms and complexity appear excessive and unclear to those who continue reading. This is just a heads-up from Team AffirmID management…
What is AffirmID
As a result of its fully automated personal identity recognition system, AffirmID Auth provides individuals with increased levels of personal privacy and account security, as well as reduced levels of friction.
Security at the endpoint is an essential component for organizations of any size. A significant step toward achieving that goal of increased security is taken with the implementation of the requirement that trusted parties use AffirmID Auth. As a direct replacement for previous generations of authenticators, its multiple authenticators are certain to fulfill the majority of currently unmet requirements.
When online service providers encourage their account users to adopt and use AffirmID Auth, both parties derive significant benefits from the interaction.
Authentication determines a truth. Online authentication works by verifying a “digital identity.” Users’ digital identities are validated as part of remote user access. Their digital identity could take a variety of forms, each providing different levels of security and trust.
Level 1 ensures that the user has control over an authenticator associated with the user’s account. A single factor provides the bare minimum of security and trust. Examples are a PIN, password, or secret, or a device such as a FIDO2 token or phone app used with no additional factor.
By requiring the use of multiple factors, Level 2 provides improved confidence that the user controls an authenticator bound to the user’s account. A good example would be a FIDO2 token or app that supplements another factor, such as a memorized secret or a biometric.
Level 3 provides very high confidence that the user controls an authenticator bound to the user’s account, with proof of possession. An excellent example is a secure Push or FIDO2 authenticator enabled by biometric proof of possession.
Where multiple factors are used, all of them are required to take an active role in the authentication ceremony.
Every AffirmID Auth authentication ceremony includes three factors: knowledge, possession, and inherence. So, in theory, it operates at Level 3 and provides very high security and trust. However, because these levels ignore the underlying protocols, they can be misleading; that is true for all authenticators. When security and trust are the goals, how the verifier communicates with the authenticator is critical.
OTP-based two-factor authentication requires the user to transfer the OTP code manually. Thus AffirmID Auth’s security and trust end at the point where an unredacted OTP code is displayed for the user to enter.
The FIDO2 authenticator, like all others, communicates with the client via the CTAP protocol over USB, NFC, or Bluetooth. The client connects to the FIDO server using standard network protocols. A browser is commonly used as the client intermediary proxy. According to experts, all of this networking and proxying opens the door to MITM (man-in-the-middle) and MITB (man-in-the-browser) attacks, which can occur as a result of a successful phishing attack.
These risks are avoided by the AffirmID Auth push implementation. Its out-of-band session identifier and notification protocols, combined with the use of FIDO2 cryptographic public/private keys, eliminate the risk of a successful phishing attack. And it is only available to the original user who has been identified.
Note that the terms Push authentication and passwordless authentication are often used interchangeably.
Multi-factor authentication, also known as MFA, is a term that is frequently used and abused in the context of authenticators. AffirmID Auth brings the unvarnished truth to its multi-factor authentication, so much so that advertising it is redundant. In every authentication ceremony AffirmID confirms three factors: the cell phone device you’re using, your BioPIN, and biometrics of your behavioral traits. In NIST parlance: something you have, something you know, and something you are.
Some facts on factors. An authenticator device, whether a cell phone or a token/key, is a single factor, regardless of protocol, payload, or kind. Regarding cell phone authenticators, NIST advises “the unlocking of such device (usually done via a PIN or biometric) SHALL NOT be considered one of the authentication factors.” When it comes to authentication strength, cyber experts say there is some assurance of identity when using a single factor with or without an OTP code, a high confidence of identity with proof of device possession of two different factors, and a “very high confidence of identity with proof of device possession and control of two distinct factors using secure authentication protocols” like FIDO or WebAuthn, an objective met by AffirmID Auth.
For a user demonstration of possession and control of the authenticator device, biometrics are the preferred method. In almost every situation, static biometrics like fingerprints or facial images are used. While static biometrics are accurate when used correctly, they expose users to annoyance from false negatives and, worse, a high risk of false positives. Dynamic biometrics, such as those employed by AffirmID Auth, have a very low chance of a false negative and almost no risk of a false positive. The result is little or no frustration, with assurance of device possession and control by the intended claimant.
During the authentication ceremony, dynamic biometrics are confirmed in real-time, guaranteeing the person in possession and control of the device at that time is its owner. AffirmID Auth does this by utilizing biometrics generated by the user’s behavioral features. Indeed, five distinct characteristics are used to improve accuracy and reduce or eliminate the likelihood of a false positive result. AffirmID Auth learns to know the user during a machine learning phase, which reduces false negatives. A clever solution to a difficult problem.
False results are common when using traditional biometrics such as fingerprint or facial image scanning. A false positive is extremely inconvenient and raises the risk of endpoint penetration and compromise. A false negative is always frustrating. The AffirmID Auth user is not vulnerable to the former due to the use of behavioral biometrics, and while the latter is possible, the likelihood is decreasing as AffirmID learns from its mistakes.
Improved OTP 2-factor Authentication
Two-factor authentication with OTP is well known, widely used, and frequently exploited. This acknowledgment spurred the incorporation of an OTP code authenticator with enhanced security. For example, OTP code redaction is applied to all code displays until selected and revealed by a user tap, a user whose identity was first verified before granting access to tap.
2FA, or two-factor authentication, dates back to 1986. While it enhanced authentication integrity, it left several well-known security issues open to hacker assault, with a significant increase in attacks beginning in 2019.
Allowing screen capture of OTP code screens was one such attack vector in cell phone OTP apps. In 2020, at least one publisher began addressing this in Android apps. Apple prohibits apps from disabling screenshots, so iPhone users are out of luck.
Another important concern that dates back to its inception is storing 2FA secrets in plain text. Knowing this, hackers gather unprotected secrets that can be exploited to gain unauthorized access to 2FA accounts. Again, at least one OTP publisher began encrypting OTP secrets in 2022, providing little comfort to people whose OTP accounts and secrets predate that change.
The first risk is addressed in AffirmID Auth by redacting OTP codes until tapped, benefiting both Android and iPhone users. Furthermore, it encrypts all internal data when not in use, including OTP code secrets.
To avoid the risk from OTP secrets that may already have been stolen, users switch to AffirmID Auth with newly re-registered account secrets.
FIDO2 over Bluetooth provides a better and more secure two-factor alternative with less user friction: there are no codes to deal with. The three-factor MFA aspect of AffirmID Auth also makes FIDO2 a viable passwordless alternative, and using Bluetooth works like the USB alternatives but without the USB dependency.
FIDO2 over Bluetooth is a viable alternative to using USB with the caveat that cell phone pairing is a necessary one-time event.
FIDO2 is an excellent second factor in 2-factor authentication applications.
When used in passwordless applications FIDO2 is generally ill-advised, as it amounts to single-factor authentication. However, this caution does not apply to AffirmID Auth users because of its implicit three-factor nature.
FIDO2 over Bluetooth, in cases where the relying party is using AffirmIdP, has the added security of out-of-band session identifier signaling. The benefit is cryptographic authentication without risk of MITM or replay attacks.
Push authentication starts by delivering an out-of-band session token in tandem with a notification message to a specific cell phone, which then returns a cryptographically signed response validating user authentication intent and device identity.
AffirmID Auth user identity recognition ensures the only person allowed to approve the Push authentication request message is the original user.
Unique cell phone identification confirms both the source and the destination of the Push notification, thus preventing spoofing by clever hackers.
Out-of-band session signaling adds uniqueness to the authentication ceremony, thereby eliminating the risk of Man-In-The-Middle, session hijacking, or replay attacks.
WebAuthn cryptography attesting the cell phone’s identity, combined with the session token response, assures the relying party of a closed-loop authentication ceremony fulfilled by a device associated with the account.
Authentication source confirmation, affirmed user identity, and confirmed cell phone identity result in impenetrable closed-loop authentication. A well thought out and executed plan for each and every authentication ceremony.
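Added here as an illustration, not AffirmID’s own code: a sketch of the Push ceremony described above, in which the verifier issues a fresh out-of-band session token and the phone app returns a reply signed over that token, its device id and the user’s decision, so that a replayed, expired, tampered or wrong-device reply is rejected. The HMAC with a per-device key is a stand-in for the WebAuthn private-key signature the page describes; the account name, device ids and the 60-second validity window are constructed assumptions.

```python
import hashlib, hmac, secrets, time

SESSION_TTL = 60  # seconds a push challenge stays valid (assumed value, not from the page)
def sign(key, token, device_id, decision):
    # Stand-in for the WebAuthn private-key signature: HMAC over token, device id and decision.
    return hmac.new(key, f"{token}|{device_id}|{decision}".encode(), hashlib.sha256).hexdigest()

class Verifier:  # relying-party side: issues session tokens out of band, checks signed replies
    def __init__(self):
        self.devices = {}  # account -> (device_id, key registered at enrolment)
        self.pending = {}  # session_token -> (account, issued_at)
        self.used = set()  # consumed tokens: a second presentation is a replay
    def register(self, account, device_id, key):
        self.devices[account] = (device_id, key)

    def start_push(self, account, now=None):
        token = secrets.token_hex(16)  # fresh per ceremony: the out-of-band session identifier
        self.pending[token] = (account, time.time() if now is None else now)
        return {"account": account, "session_token": token}  # sent with the push notification

    def finish_push(self, reply, now=None):
        now = time.time() if now is None else now
        token = reply["session_token"]
        if token in self.used:
            return "replay"
        if token not in self.pending:
            return "unknown-session"
        account, issued = self.pending.pop(token)
        self.used.add(token)  # consumed on first use, whether or not it verifies
        if now - issued > SESSION_TTL:
            return "expired"
        device_id, key = self.devices[account]
        if reply["device_id"] != device_id:
            return "wrong-device"  # reply is not from the device bound to this account
        expected = sign(key, token, device_id, reply["decision"])
        if not hmac.compare_digest(expected, reply["signature"]):
            return "bad-signature"
        return "approved" if reply["decision"] == "approve" else "denied"

class PhoneApp:  # authenticator side: signs the token only once the user has been recognised
    def __init__(self, device_id, key):
        self.device_id, self.key = device_id, key

    def respond(self, push, decision="approve", user_recognised=True):
        if not user_recognised:  # identity-recognition gate: no reply without the enrolled user
            return None
        token = push["session_token"]
        return {"session_token": token, "device_id": self.device_id, "decision": decision,
                "signature": sign(self.key, token, self.device_id, decision)}
```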