Two Factor Authentication: Aadhar Data breach

With the alleged Aadhar breach in the headlines over the last couple of weeks, a common consensus has been that we as a country need to do more for the security and privacy of our sensitive data. In this context, sensitive data is not limited to the Aadhar information of a billion Indians; it also includes the trillions of dollars represented in the financial information and transaction records of institutions and individuals that form the basis of the economy.

With the introduction of additional security measures like biometric access and virtual IDs, UIDAI has been quick to respond, and that has instilled greater confidence in the system. But with the heightened awareness, more and more people are asking me how to make their systems more secure. In the last couple of weeks, I have had multiple conversations of a similar nature with individuals and institutions, so I thought I would summarize them here.

I use a strong password, isn’t that enough?

Passwords used alone are the weakest form of authentication for a system. The weakness cannot be attributed to the password itself, but to how we use it. Remember the twelve alphanumeric and special characters in a specific sequence that you set as your password. Do this for the twenty-plus services that you use on a daily basis and it becomes unreasonable. This cognitive overload is the primary reason even technology-savvy individuals set weak passwords. Some studies show that 76% of security compromises happen because of weak passwords. Hence, the need for a technology that involves more than just a password is clear. What can serve as a simple, effective layer of additional authentication without increasing friction? Enter multi-factor authentication (MFA).

What is Multi-factor Authentication?

Multi-factor Authentication (MFA) is a method of confirming a user’s claimed identity after successfully presenting two or three pieces of evidence: knowledge (something they and only they know), possession (something they and only they have), and inherence (something they and only they are). (Definition from Wikipedia)

Passwords suffice as the knowledge piece of evidence. Mobile devices, hardware tokens and cards are common ways in which the possession piece can be verified. Biometrics form the third piece of evidence in this equation. No measure of security is binary by definition; it sits on a spectrum. Hence security will be the strongest when two or all three of the above are used in the strongest possible combinations.

Ok, so OTPs are the default way to go right?

SMS-based OTPs (One Time Passwords) are the most common form of two-factor authentication in the country. While they provide good security cover, they are not sufficient for the most sensitive data. Let’s face it, how many of you shout the OTP across the room or copy the message over WhatsApp? How many of you have your notifications hidden so no one can peek at the OTP on your lock screen? Our social behavior and innovative ways of reducing friction have reduced the effectiveness of this security layer significantly.

Wait, so is there a more secure way?

A hardware-based two-factor authentication solution is relatively the strongest possible combination that’s currently available to be deployed at scale. It requires and effectively uses all three methods of evidence described above. The suggested tech stack involves a capacitive-touch biometric sensor (much more secure than the optical ones used today) and a physical piece of dedicated hardware using the secure microcontrollers and MIFARE solutions from NXP Semiconductors, which support hardware-based encryption. For example, a credit card can have the biometric sensor embedded into it. It securely authenticates the fingerprint without any communication with other devices or services, and can use Near Field Communication or sound waves to communicate the result of the authentication to other systems. This is the present and not the future. Ambimat is working on such systems already.

This piece of hardware gets plugged into any device just like a normal USB drive and can be used to request information from the Aadhar servers. The communication will be based on a token released by the hardware into the device, which is how the request gets authenticated.

Wait, didn’t you start the article with the recent alleged breach of Aadhar information? How does all this come together?

Yes. My suggestion to UIDAI is that they implement hardware-based multi-factor authentication across all layers. They have already put biometric security in place at the highest levels, but since security needs to be preserved through all layers of communication, I suggest that hardware-based MFA be made mandatory for KAUs, AUAs and the Sub-AUAs. The friction with other systems and applications can be further reduced by using an open standard like FiDO, which is already in wide use across the Fortune 500.

What is FiDO?

FiDO, or Fast iDentity Online, is an open and scalable standard that enables simpler and more secure user authentication experiences across many websites and mobile services. The FiDO ecosystem enables better security for online services, reduced cost for the deploying enterprise, and a simpler and safer consumer experience.

In essence, active bodies like iSpirt should work with UIDAI to provide a test bed for the Aadhar infrastructure and run an open bug bounty program on it. In parallel, they can work with hardware designers like us to build a proof-of-concept that’s relatively more secure and has been tested in the open.

I firmly believe that this approach will help the UIDAI maintain and enhance the security of the platform and be better equipped to handle alleged breaches than before.

Ambimat Electronics has been actively involved in building hardware/software products for the security of your digital profile and for your organization. To know more about me or what Ambimat does, I invite you to connect with me via LinkedIn or visit our website.
