Updated August 8 2023
I have just revamped the cryptographic authentication page of the Pomcor site to reflect two major changes that are happening in internet identity and authentication:
- It is now clear that traditional MFA is vulnerable to MITM phishing attacks and cryptographic authentication is the solution. But the technology that the industry has bet on as a replacement, FIDO authentication, faces user experience (UX) challenges that have been impeding adoption.
- Governments are trying to issue digital credentials usable instead of physical credentials, and some are experimenting with verifiable credentials and self-sovereign identifiers. But a UL white paper has noted that the ISO/IEC 18013-5 standard, although entitled “Mobile driving licence (mDL) application”, can be used to define any kind of credential and is in direct competition with verifiable credentials. And the arguably most successful government app in the world, the Diia app of Ukraine, described in a presentation to the Canadian CIO Strategy Council shown in this YouTube video, uses neither verifiable credentials nor the ISO/IEC 18013-5 standard.
The revamped page includes a definition of the term cryptographic authentication that manages to encompass authentication with key pairs, public key certificates, anonymous credentials, symmetric key credentials and verifiable credentials. It also includes a classification of cryptographic credentials and authentication methods, a recapitulation of the benefits and challenges of cryptographic authentication, and a discussion of three unsettled issues:
- How to use cryptographic authentication to actually provide effective protection against MITM phishing attacks.
- How to let the user authenticate on multiple devices, and
- How to combine the cryptographic factor with additional factors for protection against theft of the device that carries the credential.