The quest for impenetrable locks
Ever since the invention of the first lock, humans have strived to expose and exploit the vulnerabilities of these safety devices. In 1777, Joseph Bramah, the father of modern pneumatic systems, posted a sign on the window of his London storefront with a unique challenge. The challenge was simple: come inside and open a lock. He would reward you with the modern-day equivalent of $30,000 if you could do it. Bramah even published and distributed a pamphlet explaining the workings of his lock design, such was his confidence in its impregnability.
Bramah’s lock was designed with precision levers, arranged so that lifting them to the correct height would meet a shear line, permitting the key to turn and unlocking the padlock’s shackle. The substantial reward offered was a magnet for the gifted, but during Bramah’s lifetime, no one managed to pick the lock. Therefore, anyone who safeguarded their property with a Bramah’s lock was practically guaranteed safety. This perfect lock proved very profitable, and Bramah’s sons, who inherited the business, also benefited from their father’s ingenious invention.
Bramah’s unparalleled innovation and the ensuing challenge didn’t just pique the interest of hopeful lock-pickers but also other inventors and locksmiths of the era. Among them was Jeremiah Chubb, a man inspired by Bramah’s creation. Seizing the opportunity to advance the design further, Chubb introduced a notable modification. His version could detect unauthorized tampering attempts, signaling when someone had tried to pick the lock. Christened the “Detector Lock,” Chubb’s ingenious tweak was a testament to the fluid nature of innovation. While Bramah had laid a robust foundation for the modern lock, it was clear that the quest for the ultimate security device would always drive artisans to refine and reimagine existing designs. The success of both these locks underscored an era of unparalleled security advancements, setting the stage for future innovations in the realm of protective mechanisms.
From unbreakable to unlocked: The 52-hour feat
A.C. Hobbs, an American locksmith with a burgeoning reputation, confidently approached Bramah’s sons. Known in the U.S. for his unique skillset—cracking safes and subsequently selling banks his improved designs—Hobbs had recently made waves in England. At a world convention, he astoundingly defeated the Chubbs security lock in just 25 minutes, a feat that stunned the locksmith community. Bolstered by this triumph, he challenged the Bramah legacy, claiming he could breach their renowned lock. Intrigued, Bramah’s sons granted him a space above their store, setting a 30-day limit. If Hobbs failed within this timeframe, he’d have to concede defeat. A mere 52 hours in, he emerged victoriously with the open lock in his hand.
One can only imagine the dread of those who had purchased a lock of this design. For over 70 years, they had basked in the promise of absolute security—a locked door equated to a secure door. Although 52 hours might seem like a long time, the days of absolute physical security were unquestionably over.
The digital door: Cybersecurity in the modern era
Consider the deadbolt on your front door. You might be surprised to learn that its principles are essentially the same as those of the lock A.C. Hobbs picked in 1851. Spend enough time on the internet, and you’ll likely encounter videos of several amateur locksmiths skillfully defeating your exact model in less than a minute.
This poses a critical question: Are you secure because the locks on your doors are effective, or are you safe merely because those around you are unaware of their failings or too lazy to rob you? It’s a pertinent question and extends to other aspects of our lives, notably cybersecurity.
We’ve transitioned from a world of physical doors and locks to one of digital portals and GUIs. Personally, I’d rather have someone break into my house and steal a few possessions than hack into my bank account, open credit cards in my name or use my identity for illicit activities on the dark web. The security measures we can manage ourselves – usernames and passwords – are precarious for various reasons. With ever-increasing, affordable computing power accessible to all, most people’s password-protected accounts would be defenseless against brute-force attacks. The solution? Multi-factor authentication. You’ve heard the spiel: something you know, something you have and something you are.
Modern threats: When MFA is not enough
While Multi-factor Authentication (MFA) stands as a barrier in today’s digital defense strategy, evolving cyber threats prove that no system is invincible. Notably, phishing techniques—where attackers masquerade as trusted entities to deceive individuals into revealing sensitive information—have grown more sophisticated.
Central to this evolution is the Man-In-The-Middle (MITM) attack. In this method, attackers secretly intercept and relay communications between two parties. When a victim believes they are inputting their credentials or MFA code into a trusted site, the attacker captures this data in real time, allowing them to bypass even the most robust authentication processes. The fact that these credentials are being intercepted during a legitimate session makes it a particularly insidious threat.
Recent developments in phishing show attackers prompting users to enter their MFA codes under the guise of “security checks” or “account verifications.” Unwary users, thinking they are fortifying their security, are unwittingly handing over the very codes meant to protect them.
In some advanced MITM attacks, hackers seamlessly automate the entire process. Upon entering their credentials on a fake site, the attacker simultaneously enters the user’s information into the real site, gaining instant access and making it almost impossible for the user to realize they’ve been compromised until it’s too late.
For a clearer picture of how this all plays out, the video below showcases a real-time MITM attack in action, emphasizing the pressing need for continuous vigilance and education in the realm of cybersecurity.
Unlocking digital fortresses: WebAuthn & FIDO2
To stay true to our lock analogy, think of the evolution in cybersecurity as a reflection of the world of locksmithing. Just as one would dream of a lock that changes its mechanism every time it’s accessed, rendering conventional keys and techniques obsolete, FIDO2 and WebAuthn have come to life with this exact promise in the digital realm, offering passwordless authentication.
Now, why are FIDO2 and WebAuthn the digital locksmithing wonders of our era? Imagine designing a lock where each key is not just unique but metamorphoses after each use. Even if a crafty thief somehow duplicates your key (much like stealing your static password), it’s rendered useless almost immediately after.
The digital locks of yesterday relied largely on static passwords. But with the advent of FIDO2 and WebAuthn, we’ve taken a leap in authentication sophistication, closely resembling the innovative locksmithing analogy. At their heart, FIDO2 and WebAuthn aim to eliminate phishing, man-in-the-middle and replay attacks by introducing the ability to adopt advanced authentication.
FIDO2: This standard, set by the Fast IDentity Online (FIDO) Alliance, incorporates two main components – the client (typically a web browser) and the authenticator (which can be a security key, a mobile phone or another device). When accessing a service, the service challenges the authenticator. Instead of sending back a static password or key, the authenticator signs the challenge using a private key with a corresponding public key registered with the service. As the private key never departs from the authenticator and each challenge is unique, it can’t be reused even if an attacker intercepts the signed response.
WebAuthn: As part of the FIDO2 project, WebAuthn is a web standard championed by the World Wide Web Consortium (W3C). It provides an API that lets web applications use public key cryptography, also known as passkeys, for user authentication. When a user registers on a site, the WebAuthn API enables the creation of a new public-private key pair on the user’s authenticator. Only the public key is sent to the server, with the private key securely residing on the user’s device. On subsequent logins, the server issues a challenge, signed by the authenticator using the private key, and the resulting signature is cross verified with the stored public key.
The genuine magic of FIDO2 and WebAuthn lies in their compatibility with a vast array of authenticators, from biometrics such as fingerprints or facial recognition to external hardware tokens. This adaptability, coupled with the robust security of public key cryptography, makes them a powerful alternative to traditional username-password systems. While they don’t change the ‘lock mechanism’ literally after each use, they ensure the keys provided are transient and unique, making conventional attacks obsolete.
The WebAuthn & FIDO2 blueprint: A masterclass in locksmithing
FIDO2 and WebAuthn take a page out of this book but with a sprinkle of modern magic. They’ve proven their mettle against phishing because they veer away from the pitfalls of shared secrets. Remember the old-school method of typing in a password? Once it’s out in the wild, it’s fair game. FIDO2 and WebAuthn sidestep this with a cryptographic handshake. Authenticating only on the genuine website brings the website’s origin into the authentication dance. Snag the data mid-move? Well, it won’t waltz to the rhythm of another website, making phishing a dance of futility.
And it doesn’t end there. Picture a challenge-response mechanism like a secret handshake. The server throws a move (challenge), and only the rightful participant (with the correct private key) knows the countermove (response). Any eavesdropper trying to mimic the sequence in another session finds themselves stumbling. It’s akin to a key that dissolves post-use in our lock metaphor.
Digital locksmithing evolved: Twarting the cleverest of bypasses
Extending our lock analogy, the older MFA methods feel like putting a padlock on an already locked door – a bit more secure but hackable by a persistent burglar. FIDO2 and WebAuthn have scrapped the old door and replaced it with one made of an unyielding, ever-changing alloy, turning security from passive to proactive. If traditional MFA stands as the Bramah lock, these modern protocols are the promise of a lock with uncharted intricacies that are part of an advanced authentication approach.
Lastly, complacency isn’t an option. Today’s cyber-world brims with ingenious threats, ever ready to expose a chink in the armor. No system, no matter how advanced, offers an eternal promise of security. But, our best bet is to evolve and adapt, embracing the FIDO2s and WebAuthns of the digital world. After all, the treasures of our digital realm – our identities, stories and secrets – are worth their weight in gold. Guard them with nothing but the best.
Learn how OneLogin by One Identity can help you kickstart your journey towards Advanced Authentication and provide stronger protection for your organization.
