New privacy-preserving SSO algorithm hides user info from third parties

Over the last few decades, as the information era has matured, cryptography has grown into a varied landscape. Among the many cryptosystems and protocols available for securing data transfers and authenticating users, some have become popular for their security, others for their convenience.


For example, if you have ever been given the option to log onto a website using your Facebook or Gmail ID and password, you have encountered a single sign-on (SSO) system at work. The same goes for most smartphones, where signing in with a single username and password combination allows access to many different services and applications.

SSO schemes let users access multiple systems after signing in to just one. That one system is the “identity provider”, a trusted entity that stores and verifies users’ identities. When a user tries to reach a service through SSO, the “service provider” asks the identity provider to authenticate the user and relies on its answer instead of checking a credential itself.

SSO advantages and privacy concerns

The advantages of SSO systems are many. For one, users need not remember several username and password combinations for each website or application. This translates into fewer people forgetting their passwords and, in turn, fewer telephone calls to IT support centers.

Moreover, SSO reduces the hassle of logging in, which can, for example, encourage employees to use their company’s security-oriented tools for tasks such as secure file transfer.

But with these advantages come some grave concerns. SSO systems are often run by Big Tech companies, who have, in the past, been reported to gather people’s personal information from apps and websites (service providers) without their consent, for targeted advertising and other marketing purposes.

Some users also worry that the ID and password they submit to the SSO mechanism could be stored by third parties along the way.

A fast, privacy-preserving algorithm

In an effort to address these problems, Associate Professor Satoshi Iriyama from Tokyo University of Science and his colleague Dr Maki Kihara have recently developed a new SSO algorithm that by design prevents this kind of wholesale information sharing. In their paper, they set out their motivation and then describe the algorithm in detail.

Dr Iriyama states: “We aimed to develop an SSO algorithm that does not disclose the user’s identity and sensitive personal information to the service provider. In this way, our SSO algorithm uses personal information only for authentication of the user, as originally intended when SSO systems were introduced.”

Because of the way this SSO algorithm is designed, it is impossible in principle for user information to be disclosed without authorization. This is achieved, as Dr Iriyama explains, by applying the principle of “handling information while it is still encrypted.”

In their SSO algorithm, all parties exchange encrypted messages but never exchange decryption keys, and no one is ever in possession of all the pieces of the puzzle because no one has the keys to all the information.

While the service provider (not the identity provider) gets to know whether a user was successfully authenticated, they do not get access to the user’s identity and any of their sensitive personal information. This in turn breaks the link that allows identity providers to draw specific user information from service providers.
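The property described above, a service provider that learns only that authentication succeeded plus a handle it cannot tie back to a person, can be illustrated with a conventional building block. What follows is an added example; it is not the Iriyama and Kihara scheme (the article does not describe its construction) and not code from the university. The identity provider mints a MAC-signed assertion whose subject is a per-service pseudonym, derived the way OpenID Connect’s pairwise subject identifiers are, so each service provider sees a stable handle but not the user’s account, and two providers cannot link their users by comparing subjects. The names, keys, the five-minute lifetime, the plaintext password store and the shared-HMAC signing are assumptions made to keep the program self-contained; a real deployment would use a password hash and asymmetric signatures.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Assertion is all a service provider receives about a user: no email, name or account ID.
type Assertion struct {
	Audience string `json:"aud"` // service provider this assertion was minted for
	Subject  string `json:"sub"` // pairwise pseudonym, stable per (user, audience)
	Expires  int64  `json:"exp"`
}

// IdentityProvider is a toy IdP; plaintext passwords and per-SP HMAC keys are assumptions.
type IdentityProvider struct {
	pairwiseSalt []byte            // secret; without it pseudonyms cannot be reversed or linked
	spKeys       map[string][]byte // per-SP signing key, shared out of band at registration
	passwords    map[string]string // userID -> password (constructed sample data)
}

func NewIdentityProvider(salt []byte, spKeys map[string][]byte, passwords map[string]string) *IdentityProvider {
	return &IdentityProvider{pairwiseSalt: salt, spKeys: spKeys, passwords: passwords}
}

// pseudonym computes HMAC(salt, audience || 0x00 || userID): one user, a different subject per SP.
func (idp *IdentityProvider) pseudonym(userID, audience string) string {
	mac := hmac.New(sha256.New, idp.pairwiseSalt)
	mac.Write([]byte(audience))
	mac.Write([]byte{0}) // separator: keeps "ab"+"c" distinct from "a"+"bc"
	mac.Write([]byte(userID))
	return hex.EncodeToString(mac.Sum(nil))
}

// Authenticate verifies the credential and returns a signed assertion for one audience.
func (idp *IdentityProvider) Authenticate(userID, password, audience string, now time.Time) (body, sig []byte, err error) {
	stored, ok := idp.passwords[userID]
	if !ok || subtle.ConstantTimeCompare([]byte(stored), []byte(password)) != 1 {
		return nil, nil, errors.New("authentication failed")
	}
	key, ok := idp.spKeys[audience]
	if !ok {
		return nil, nil, errors.New("unknown service provider")
	}
	a := Assertion{Audience: audience, Subject: idp.pseudonym(userID, audience), Expires: now.Add(5 * time.Minute).Unix()}
	if body, err = json.Marshal(a); err != nil {
		return nil, nil, err
	}
	mac := hmac.New(sha256.New, key)
	mac.Write(body)
	return body, mac.Sum(nil), nil
}

// ServiceProvider learns "authenticated: yes" and a handle to key a session on, nothing more.
type ServiceProvider struct {
	Name string
	Key  []byte
}

// Verify checks signature, audience and expiry, then returns the pseudonymous subject.
func (sp ServiceProvider) Verify(body, sig []byte, now time.Time) (string, error) {
	mac := hmac.New(sha256.New, sp.Key)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), sig) {
		return "", errors.New("bad signature")
	}
	var a Assertion
	if err := json.Unmarshal(body, &a); err != nil {
		return "", err
	}
	if a.Audience != sp.Name { // an assertion minted for another SP must not work here
		return "", errors.New("assertion issued for a different audience")
	}
	if !now.Before(time.Unix(a.Expires, 0)) {
		return "", errors.New("assertion expired")
	}
	return a.Subject, nil
}

func main() {
	shop := ServiceProvider{Name: "shop.example", Key: []byte("shop-key")}
	forum := ServiceProvider{Name: "forum.example", Key: []byte("forum-key")}
	idp := NewIdentityProvider([]byte("idp-pairwise-salt"), // assumed secrets and a constructed user
		map[string][]byte{shop.Name: shop.Key, forum.Name: forum.Key},
		map[string]string{"alice@example.com": "correct horse battery staple"})
	now := time.Now()
	b, s, _ := idp.Authenticate("alice@example.com", "correct horse battery staple", shop.Name, now)
	subShop, _ := shop.Verify(b, s, now)
	b, s, _ = idp.Authenticate("alice@example.com", "correct horse battery staple", forum.Name, now)
	subForum, _ := forum.Verify(b, s, now)
	fmt.Println(subShop, subForum, "linkable:", subShop == subForum)
}
```

What this does not give you is the second half of the article’s claim: the identity provider here still learns which service each user logs in to, and it alone holds the salt that turns a pseudonym back into an account. Removing that single point of knowledge is what the proposed algorithm’s “no party holds all the keys” design is meant to address.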

The authors list further advantages. On security, they state that the design resists the typical attacks by which passwords or other information are stolen. The scheme is also not tied to passwords; as Dr Iriyama explains, “Our algorithm can be used not only with an ID and a password, but also with any other type of identity information, such as biometrics, credit card data, and unique numbers known by the user.”

This also means users can choose to provide only the identity information they wish to disclose, reducing the risk of Big Tech companies or other third parties siphoning off personal data. In addition, the algorithm runs remarkably fast, which matters because a scheme whose computational burden is too high will not be deployed.

Only 54% of security pros have a written policy on length and randomness for keys for machine identities

People rely on usernames and passwords to identify themselves to machines so they can gain access to data and services. Machines also need to authenticate themselves to each other so they can communicate securely, relying on cryptographic keys and digital certificates, which serve as machine identities.


To better understand the gap between implementation of security controls for human identities and those for machine identities, Venafi evaluated responses from over 1,500 IT security professionals from the U.S., U.K., France, Germany and Australia across a range of company sizes and industries.

Just over half (54%) of organizations have a written policy on length and randomness for keys for machine identities, but 85% have a policy that governs password length for human identities.

Additional findings

  • Less than half (49%) of organizations audit the length and randomness of their keys, while 70% do so for passwords.
  • Only 55% have a written policy stating how often certificates and private keys should be changed, while 79% have the equivalent policy for passwords.
  • Only 42% of organizations automatically enforce the rotation of TLS certificates, compared with 79% that automatically enforce the rotation of passwords.
  • Only 53% audit how often certificates and private keys are actually changed, compared with 73% for passwords.
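The audits the survey asks about, key length and certificate rotation, can be scripted. As an added example (not from Venafi or the survey), here is a Go check that parses a PEM bundle and reports each certificate whose key size, curve, lifetime or remaining validity falls outside a written policy. The policy values (2048-bit RSA minimum, P-256 and P-384 only, 398-day maximum lifetime, 30-day rotation window) and the certificate names are assumptions, and the sample certificates are self-signed throwaways constructed inside the program.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Policy is a written key/certificate policy in a form a script can enforce.
type Policy struct {
	MinRSABits    int             // smallest RSA modulus allowed
	AllowedCurves map[string]bool // named curves allowed for EC keys
	MaxValidity   time.Duration   // longest certificate lifetime allowed
	RotateWithin  time.Duration   // flag certificates that expire sooner than this
}

// DefaultPolicy holds assumed values, not a standard; set them from your own policy.
func DefaultPolicy() Policy {
	return Policy{
		MinRSABits:    2048,
		AllowedCurves: map[string]bool{"P-256": true, "P-384": true},
		MaxValidity:   398 * 24 * time.Hour,
		RotateWithin:  30 * 24 * time.Hour,
	}
}

// CheckCert returns one finding per policy violation; an empty result means compliant.
func CheckCert(cert *x509.Certificate, p Policy, now time.Time) []string {
	var findings []string
	switch k := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		if bits := k.N.BitLen(); bits < p.MinRSABits {
			findings = append(findings, fmt.Sprintf("RSA key is %d bits, policy minimum is %d", bits, p.MinRSABits))
		}
	case *ecdsa.PublicKey:
		if name := k.Curve.Params().Name; !p.AllowedCurves[name] {
			findings = append(findings, fmt.Sprintf("EC curve %s is not on the allowed list", name))
		}
	default: // e.g. Ed25519 or DSA: the policy says nothing, so flag it rather than pass it
		findings = append(findings, fmt.Sprintf("key type %T is not covered by policy", k))
	}
	if life := cert.NotAfter.Sub(cert.NotBefore); life > p.MaxValidity {
		findings = append(findings, fmt.Sprintf("validity period %s exceeds policy maximum %s", life, p.MaxValidity))
	}
	switch left := cert.NotAfter.Sub(now); {
	case left <= 0:
		findings = append(findings, "certificate has expired")
	case left < p.RotateWithin:
		findings = append(findings, fmt.Sprintf("expires in %s, rotation due", left.Round(time.Hour)))
	}
	return findings
}

// CheckPEM audits every CERTIFICATE block in a PEM bundle, keyed by subject common name.
func CheckPEM(bundle []byte, p Policy, now time.Time) (map[string][]string, error) {
	out := map[string][]string{}
	for {
		var block *pem.Block
		if block, bundle = pem.Decode(bundle); block == nil {
			return out, nil
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		out[cert.Subject.CommonName] = CheckCert(cert, p, now)
	}
}

// selfSigned mints a throwaway certificate so the audit has constructed input to run on.
func selfSigned(cn string, key crypto.Signer, notBefore time.Time, life time.Duration) []byte {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notBefore.Add(life)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	now, day := time.Now(), 24*time.Hour
	weak, _ := rsa.GenerateKey(rand.Reader, 1024)           // below the assumed 2048-bit minimum
	ec, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // allowed curve, but about to expire
	bundle := append(selfSigned("legacy-api", weak, now, 90*day), selfSigned("edge-gateway", ec, now.Add(-80*day), 90*day)...)
	res, _ := CheckPEM(bundle, DefaultPolicy(), now)
	fmt.Println(res)
}
```

Two things this cannot do: it cannot judge the randomness of a key from the certificate alone, since that depends on the generator that produced it and is enforced at generation time, and it does not rotate anything itself; it only tells you which identities are due.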

Orgs just getting started with machine identity protection

Organizations will spend over $10 billion protecting human identities this year, but they are only just getting started with machine identity protection. Meanwhile, the number of humans on enterprise networks remains relatively flat, while the number of machines that need identities – including virtual machines, applications, algorithms, APIs and containers – is growing exponentially. Because cybercriminals understand the power of machine identities, and how poorly they are protected, they target them for exploitation.

“Identities are widely recognized as a key element in the threat landscape,” said Kevin Bocek, vice president of security strategy and threat intelligence for Venafi.

“Machine identities are a relatively new, and very effective, point of attack, but there is a huge gap between the security controls applied to human identities and those applied to machine identities. This is a problem because the future of digital business relies heavily on machines.

“Enterprises are seeing dramatic growth in container usage, artificial intelligence, microservices and IoT devices, as well as machines in cloud and virtualized environments. Everyone – from CISOs to security architects and security practitioners – must prioritize the protection of machine identities for their organizations’ digital transformation to be successful.”

New account fraud has more than doubled since 2014

New account fraud increased 27.8% worldwide YTD in 2019, compared to full-year 2018 results, and more than 100% compared to 2014 levels, Jumio reveals.


Surprisingly, attempted new account fraud was 19% lower during the Black Friday/Cyber Monday weekend than the 2019 average, even though fraud attempts normally escalate over that period.

Identity theft often starts with the creation of a new account online. It is the deliberate use of someone else’s identity (e.g., name, address, Social Security number, bank accounts) to obtain money or credit, including to make holiday purchases. But identity theft is also used to commit online fraud, steal property, falsify educational and other credentials, obtain healthcare and launder money.

“As cybercriminals perfect and fine-tune their impersonation efforts, it’s getting more difficult for modern enterprises to distinguish between high-risk from low-risk users — and this is only going to accelerate thanks to large-scale data breaches, the evolution of the dark web and the looming threat of identity theft,” said Philipp Pointner, Jumio’s chief product officer.

“All too often, companies rely on traditional methods of identity verification which are not well equipped to detect sophisticated methods of new account fraud.”

Additional findings

  • New account fraud rose to 1.8% in 2019, a 106.8% increase over 2014 levels. During this year’s holiday period it dipped to 1.5%, still more than 80% above 2014 holiday levels.
  • The Asia-Pacific region had the highest full-year fraud rate at 3.27%, while the U.S. had the lowest at 0.88%, a pattern that has held for the last six years. Although the U.S. saw lower holiday fraud rates in 2019, its new account fraud was still 138% higher than in 2014.
  • Fraud levels in emerging markets, while varied, were significantly higher than developed markets.
  • The cryptocurrency and online gaming/gambling industries experienced higher-than-average fraud levels while the sharing economy and travel and entertainment industries experienced minimal fraud levels (i.e., less than 0.6%).