Pomcor has recently been granted US Patent 9,887,989 on a multifactor cryptographic authentication technique that uses a cryptographic key pair in conjunction with a password and/or a biometric key while protecting the password and biometric data against back-end security breaches. All our patents are available for licensing.
At the last Internet Identity Workshop we demonstrated single factor cryptographic authentication, not covered by the patent, where a key pair stored in browser local storage is used instead of a password for authentication to a web application. (A proof-of-concept implementation of a simple web app is available in the PJCL web page and described in the previous post.) Cryptographic authentication has huge advantages over password authentication, as passwords are vulnerable to back-end database breaches, phishing attacks, and password reuse at malicious or insecure sites. But when used in multifactor authentication, a password provides the unique benefit of being something that the user knows, independent of something that the user has (a device that contains a private key or is able to generate or receive one-time codes) and something that the user is (a biometric feature). Our latest patent discloses a novel multifactor authentication technique where a password can provide this benefit while being immune to the vulnerabilities of conventionally used passwords.
The patent describes a variety of embodiments for two-factor authentication with a key pair and a password, two-factor authentication with a key pair and a biometric key, and three-factor authentication with a key pair, a password, and a biometric key.
In a two-factor embodiment with a key pair and a password, the user of a web application registers the password and the public key component of the key pair with the back-end of the application. Instead of storing the public key and a salted hash of the password, the back-end stores a joint hash of the public key and the password, then deletes the public key and the password. At authentication time, the browser obtains the password from the user and sends it to the back-end, in addition to sending the public key and proving knowledge of the associated private key. The back-end computes the joint hash of the public key and the password, verifies that it coincides with the stored joint hash, and deletes the public key and the password.
As the European GDPR is about to go into effect, an important benefit of only storing the joint hash of the public key and the password is that such a hash by itself is not sensitive data that requires breach notification if compromised. An attacker who breaches the back-end database and obtains the joint hash cannot mount a brute-force or dictionary attack against the password without knowing the public key, which is unconventionally treated as a joint secret between the browser and the back-end.
In another two-factor embodiment with a key pair and a password, the password is hashed with a secret salt, which is stored in the browser along with the key pair, before being sent to the back-end at registration time and later at authentication time. (A salt is typically not secret, but it may be secret in some atypical cases, as noted in RFC 5869; our use of a secret salt is one such atypical case.) The password is thus protected against exploits of other back-end vulnerabilities besides database breaches, and against phishing attacks and reuse at malicious or insecure sites.
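The two password embodiments above can be sketched together in Node.js; this is an added example, not code from the patent or from PJCL. It assumes SHA-256 over a length-prefixed DER public key and password value as the joint hash, HMAC-SHA-256 as the secret-salt hash, an Ed25519 signature over a back-end challenge as the proof of knowledge of the private key, and record lookup by username, none of which is specified on this page.

```javascript
const { generateKeyPairSync, createHash, createHmac, createPublicKey,
        sign, verify, randomBytes, timingSafeEqual } = require("node:crypto");

// Browser side (second embodiment): hash the password with a secret salt kept next to the key pair.
function saltedPassword(password, secretSalt) {
  return createHmac("sha256", secretSalt).update(password, "utf8").digest();
}

// Assumed joint-hash construction: SHA-256 over length-prefixed public key (DER) and password value.
function jointHash(publicKeyDer, passwordValue) {
  const len = Buffer.alloc(4);
  len.writeUInt32BE(publicKeyDer.length);
  return createHash("sha256").update(len).update(publicKeyDer).update(passwordValue).digest();
}

const db = new Map(); // constructed back-end store: username -> joint hash only

function register(username, publicKeyDer, passwordValue) {
  db.set(username, jointHash(publicKeyDer, passwordValue)); // key and password are not retained
}

// The back-end checks proof of possession over its challenge, then recomputes the joint hash.
function authenticate(username, publicKeyDer, passwordValue, challenge, signature) {
  const stored = db.get(username);
  if (!stored) return false;
  let publicKey;
  try { publicKey = createPublicKey({ key: publicKeyDer, format: "der", type: "spki" }); }
  catch { return false; }
  if (!verify(null, challenge, publicKey, signature)) return false;
  return timingSafeEqual(stored, jointHash(publicKeyDer, passwordValue));
}

// Constructed "browser" state: an Ed25519 key pair and a secret salt.
function authDemo() {
  const { publicKey, privateKey } = generateKeyPairSync("ed25519");
  const der = publicKey.export({ format: "der", type: "spki" });
  const salt = randomBytes(32);
  register("alice", der, saltedPassword("correct horse", salt));
  const challenge = randomBytes(32);
  const sig = sign(null, challenge, privateKey);
  const other = generateKeyPairSync("ed25519"); // a different device's key pair
  const otherDer = other.publicKey.export({ format: "der", type: "spki" });
  const otherSig = sign(null, challenge, other.privateKey);
  return {
    good: authenticate("alice", der, saltedPassword("correct horse", salt), challenge, sig),
    wrongPassword: authenticate("alice", der, saltedPassword("guess", salt), challenge, sig),
    wrongKey: authenticate("alice", otherDer, saltedPassword("correct horse", salt), challenge, otherSig),
  };
}
```

After registration the store holds a single 32-byte value per user, so a database dump gives no public key to pair with password guesses.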
Other two-factor embodiments use a biometric key, instead of a password, in conjunction with a key pair. A biometric key is a datum derived from a biometric sample (or from a biometric datum such as an iris code itself derived from a sample) that can be consistently reproduced from varying but genuine samples. One way of generating a biometric key is to use a revocable biometric cryptosystem, or revocable biometric scheme, where a biometric sample is combined with random bits to produce the key plus helper data. Using error correction techniques, the biometric key can later be reproduced from a different but genuine sample.
A revocable biometric scheme provides two important security and privacy benefits. First, because the key and helper data are randomized, they can be changed if compromised. A biometric key is thus revocable (hence the term “revocable biometrics” used to refer to such schemes). Second, in a revocable biometric scheme it is deemed computationally infeasible to derive useful biometric information from the helper data.
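The key-plus-helper-data mechanism and its revocability can be seen in a small fuzzy commitment, shown here as an added example that is not the patent's scheme. It assumes a toy 5x repetition code standing in for a real error-correcting code, a bit array standing in for an iris code, and SHA-256 to turn the recovered bits into a key.

```javascript
const { randomBytes, createHash } = require("node:crypto");

const REP = 5; // each secret bit is repeated 5 times, so up to 2 flipped bits per group are corrected

const randomBits = (n) => Array.from(randomBytes(n), (b) => b & 1);
const xor = (a, b) => a.map((bit, i) => bit ^ b[i]);
const encode = (bits) => bits.flatMap((bit) => Array(REP).fill(bit));
const decode = (code) => {
  const out = [];
  for (let i = 0; i < code.length; i += REP) {
    const ones = code.slice(i, i + REP).reduce((sum, bit) => sum + bit, 0);
    out.push(ones > REP / 2 ? 1 : 0); // majority vote within each group
  }
  return out;
};
const keyFromBits = (bits) => createHash("sha256").update(Buffer.from(bits)).digest("hex");

// Enrollment: random bits combined with the sample give the biometric key plus helper data.
function enroll(sampleBits) {
  const secret = randomBits(sampleBits.length / REP);
  return { key: keyFromBits(secret), helper: xor(encode(secret), sampleBits) };
}

// Reproduction: a different but genuine sample plus the helper data yields the same key.
function reproduce(sampleBits, helper) {
  return keyFromBits(decode(xor(helper, sampleBits)));
}

// Constructed data: a 160-bit sample, a re-capture with one flipped bit per group, an unrelated sample.
function biometricDemo() {
  const sample = randomBits(160);
  const noisy = sample.map((bit, i) => (i % REP === 0 ? bit ^ 1 : bit));
  const impostor = randomBits(160);
  const first = enroll(sample);
  const second = enroll(sample); // revocation: fresh random bits, same biometric
  return {
    genuine: reproduce(noisy, first.helper) === first.key,
    impostor: reproduce(impostor, first.helper) === first.key,
    reissuedKeyDiffers: second.key !== first.key,
    newHelperWorks: reproduce(noisy, second.helper) === second.key,
  };
}
```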
In a two-factor embodiment with a key pair and a revocable biometric key, the helper data is stored in the browser, and the biometric key is computed by the browser and sent to the back-end at registration and authentication time instead of the password. In another two-factor embodiment with a key pair and a revocable biometric key, the helper data is stored in the back-end and the biometric key is computed by the back-end from the helper data and biometric data such as, e.g., an iris code. In both embodiments, capture of the helper data by an attacker is not deemed to be a security or privacy compromise.
An advantage of computing the biometric key at the browser is that the consistently reproducible biometric key can be hashed with a secret salt before being transmitted to the back-end. An advantage of computing the biometric key at the back-end is that it can be computed from a biometric sample transmitted by the browser with presentation attack detection by the back-end.
In three-factor embodiments, the public key is hashed with both a password and a biometric key, each possibly hashed at the browser with a secret salt.