Hardware Security Modules generate, manage and store the secure cryptographic keys that are required for authenticating a user or device in a broader network. Get in touch at hsm@utimaco.com to learn more about the Utimaco HSM offering supporting user & device authentication!
Strong authentication using Hardware Security Modules
How to securely confirm digital identities of users and devices
Authentication is a process that verifies the identity of a user or device. It can be part of a broader identity and access management process that continuously authenticates subjects in a system.
Is a subject really what it claims to be? This is what the authentication process confirms by means of various authentication mechanisms. Users e.g. may confirm their claimed identity via:
- “Something they know”, e.g. password, PIN or security questions
- “Something they have”, e.g. smart card, token or smartphone for receiving a one-time password (OTP)
- “Something they are or do” (based on biometrics), e.g. fingerprint, face, iris or signature
- “What they do”, which is related to continuous identity verification based on user behavior in a system and abnormal pattern
- Or a combination of the above
Certificate-based authentication uses a digital certificate to authenticate users, but beyond that also machines, devices and IoT endpoints (using “something they have”). Advantages include ease of use – often happening automatically without the intervention of the user – and mutual authentication of the user or device to the network or system and vice versa.
Due to the sheer number of connected users and devices, and the increase in cloud-based services, secure identification and authentication are business-critical nowadays. Simple passwords are not sufficient anymore to get access to a network, system, resource or application, and regulations and industry-specific standards have come into place that require stronger authentication mechanisms.
Major concepts around authentication defined
- Identification – A user or a device (“a subject”) claims an identity.
- Authentication – Making sure the subject is, what it claims to be. This requires confirming the claimed identity, e.g. by presenting a password or a certificate, or using a smart card or fingerprint scan. Various distinct types of user authentication mechanisms exist, based on their knowledge, possession, biometrics or behavior.
- Single-factor authentication – With only one single authentication mechanism being used, this type of authentication can be vulnerable and offers little fraud protection.
- Two-factor authentication – A minimum of 2 authentication mechanisms from 2 different categories are used. Consequently, this approach is more secure and less likely for hackers to attack successfully.
- Strong authentication = multi-factor authentication – This approach involves more than two authentication mechanisms of different types to prove the identity of a user or device.
- Authorization – Once a user or device identity is confirmed, authorization mechanisms grant or deny access to specific data, files or applications.
Whether you need to authenticate employees or their devices in your network, machines in your production environment, customers using a cloud-based application or payment transactions – in all these cases, the use of an HSM as hardware Root of Trust ensures maximum security.
Application scenarios – Payment authentication & PSD2
The banking and financial services market has the most stringent security regulations and has a long-standing history of using security mechanisms such as authentication. Recent breaches and subsequent tightening of security measures are expected to bring biometric authentication into the focus of attention for future-proof authentication.
As part of the second Payment Services Directive (PSD2, since January 13th 2018), the EU will introduce stricter requirements for authenticating online payments as from September 2019. These are known as Strong Customer Authentication (SCA) and complement PSD2 as part of the European Commission’s Delegated Regulation on regulatory technical standards (RTS). They will significantly impact how users are identified and authenticated, involving at least two of three authentications methods (knowledge/possession/inherence). Biometrics (inherence) such as fingerprints will be more widely used as a highly secure way to identify individuals. Important prerequisites are the secure storage of biometric data and use of a public key infrastructure, which is ideally backed by an HSM for managing cryptographic keys. With these new requirements, the EU aims at reducing online payment fraud and identity theft.
Application scenarios – The role eIDAS plays
A standardized electronic identification system across the European Union facilitates strong and straight-forward authentication mechanisms. The related standards as defined in the eIDAS regulation (EU) N°910/2014 are fully taken into consideration for maximum security, e.g. with qualified certificates for website authentication or qualified certificates for payment providers’ electronic seals.
Application scenarios – Conditional Access
Identification and authentication mechanisms are a prerequisite to implement conditional access. A securely identified user or device is granted access to a network, system, data or other when meeting a specified set of criteria.
- A best-in-class case: Microsoft offers user access based on geolocation or IP address (location-based conditional access) and ensures that only registered and approved devices get access (device-based conditional access). Conditional access schemes and policies are deeply integrated into Microsoft solutions that manage access to applications on promises or in the cloud with fine-grained controls and based on a multitude of conditions.
- In the media and entertainment industry, conditional access (CA) and digital rights management (DRM) are two key concepts to ensure proper authentication and authorization. CA has been widely used for TV streaming, ensuring that only customers/users with the appropriate receiver and valid decryption key can “unscramble” a film or media stream. Hence they get access to that content if one or multiple conditions are met. Most keys are valid for a short / specific time frame only, so that stealing and decryption of this key is basically useless. The key will have already been replaced by a subsequent key.
Application scenarios – Digital Rights Management
Although similar to CA in terms of intent, i.e. limiting access to content for authorized/paying users, DRM usually protects a specific “piece” of content at rest or in transition. It allows users to access the content and defines the when, how, how long/often, on which device(s), etc.
Related Utimaco case studies
/ Utimaco & Irdeto case study
Irdeto – Protecting Valuable Media Assets from the Threat of Piracy
The way we access and consume video content has changed dramatically in recent years. The new Pay TV landscape means that consumers have a wealth of choice from content which is broadcast and consumed on set top boxes to OTT content delivered to any device.
/ Utimaco & InWebo case study
InWebo – Protecting digital identities: secure, simple and cost efficient
As banking, payment, and financial services shift massively to web and mobile, fraud opportunities multiply. Cars get connected and in-car & cloud services sprout. Cybersecurity issues raise safety & privacy concerns. The motivation: protecting digital identities for any industry.
