Shayype White Paper
Towards faster, simpler and more secure authentication
Executive summary
If we’re unable to prove who we are (or that
we’re authorised to perform an action) then in a world where much of the time
we cannot see or hear those we’re dealing with, we’re always going to have
major problems.
Whether we’re dealing with people online, over the phone or face-to-face, both the digital and the real worlds will always be fraught with danger. We as individuals will always be “one down”, with the playing field sloping the wrong way and the bad guys getting it all their own way.
Did we make a serious mistake in trying to phase out the concept of the mentally held secret (at least as far as passwords are concerned) simply because such fixed strings of characters were no longer considered secure enough, as they could be too easily captured and re-used?
This paper is designed to show how re-inventing the mentally held secret, using a new-style mentally-held secret, will allow us (at long last?) to address all the problems which now stem from our inability to securely prove who we are remotely.
Cyber criminals are winning
We are losing the war against cyber criminals. Glance at any business magazine, website or blog and you will find a string of headlines illustrating the rampant destructiveness of cybercrime, and how difficult it seems to be to prevent breaches, ransom attacks and the like. Large car makers and retailers, who must have all the security resources they could possibly need at their disposal, are suffering crippling disruption.
In 2022 the UK was dubbed The Fraud Capital of the World, with national losses exceeding £3bn (https://www.dailymail.co.uk/news/article-10955193/Britain-3bn-fraud-capital-world-Probe-reveals-40m-targeted-scammers-2022.html). Factors like the faster payments system take much of the blame, along with an apparent unwillingness by police to tackle this type of crime.
According to McAfee, data breaches, online fraud and other kinds of cyber-crime are costing the world upwards of $1 trillion a year, and CyberCrime News predicts this will reach $10tn this year (2025).
Allied to crimes such as ransomware (now becoming “industrialised” and available via the Dark Web as a service on demand) as well as “business email compromise” (or BEC), cybercrime continues to be the number one existential threat to businesses and organisations across the world.
Where did it start to go so wrong?
Many centuries ago, when most of us lived
in small rural communities, everyone knew who everyone else was, and vice versa.
The need for more sophisticated
authentication only occurred when traders, soldiers and others were required to
travel to parts where they were not known personally. Merchants or officials would
carry letters of introduction, and Roman soldiers apparently pioneered the use
of passwords to prove they were friends, not foes.
Technicians developing mainframe computing revived the use of passwords (an idea credited to Fernando Corbato, a computer scientist at the Massachusetts Institute of Technology, in 1960). However, it wasn’t long before experts began to realise that computers were inherently insecure and that, because they had not been built with security in mind, the world could have a major problem on its hands with increasing use of computers by the military, government and security-critical users.
In 1972 a team working for the US Air Force
(working alongside the National Security Agency) became extremely concerned.
They compiled the 142-page Anderson Report which they published in October that
year. It contained an appendix detailing most of the penetration techniques
still used today by hackers – written a mere 53 years ago!
Then the Internet arrived, bringing with it the need for authentication on a massive scale. Computer experts already using passwords thought the same idea might continue to work for Joe Public, so passwords were perhaps unwisely adopted as the authentication method of choice for most websites and online applications.
The trouble with the huge change in most people’s needs for remote authentication, and the spread of electronic communications across the world, was that it exposed the weaknesses of passwords themselves - the main one being that they could so easily be recorded and reused. Furthermore, they do not offer any degree of confidence that the correct user is involved in the transaction. Hackers were quick to realise that if they could get hold of stolen passwords, they could pretend to be the “real” user and, worse, come and go at will. It was like having a copy of a door-key, without the owner’s knowledge.
To make matters worse, no doubt with the
best of intentions, we made it easy to re-set our passwords if we had
forgotten them, usually armed with nothing more than our email addresses. This
process has in many cases become a favourite hackers’ tool, allowing them to
lock out genuine users. (Who signed off on that idea?)
How we tried to solve authentication problems
To get round the weaknesses of passwords, so-called two-factor authentication (2FA) was invented in 1977. The term derives from the requirement that the user employ two of three “factors”, namely something you know (e.g. a password), something you have (e.g. a key fob, RFID key or physical device with a passkey), or something you are (e.g. a fingerprint, face recognition etc.).
This idea worked well for a while. The “key
fob” devices (often referred to as “tokens”) were created by the million. They
gave users (usually via little electronic displays) OTPs which typically changed
every 60 seconds.
The idea of giving users OTPs was initially
thought to be good (it’s suggested in the USAF’s Anderson Report – see above) as
it did away with the vulnerability of fixed passwords. But it soon became
obvious that there were huge down-sides.
A something-you-have system (in other words
a key-fob or other hardware device) gave rise to the idea that “possession-based“
authentication could answer all the problems outlined above – ignoring the fact
that anything a user has, a hacker can steal!
Also, two-factor solutions tended to be
expensive, meaning that often only a small percentage of an organisation’s
employees might have received them, while the bulk of the workforce typically
made do with passwords.
Meanwhile, for those “lucky” enough to have been issued with a fob, having to ensure it was at hand whenever it was necessary to log in must have increased the complexity of daily life, and created a huge administration task when batteries failed or units had been lost or damaged, costing even more when new units had to be couriered (often to far-flung places) before an employee could resume working.
It wasn’t long before key-fobs began to give way to cheaper mobile phone-based 2FA. But these new “soft token” solutions brought their own problems. Some employees objected to using their own phones for work-related tasks, mobiles were not allowed in certain environments (e.g. medical, scientific, defence, “clean” labs), and if a phone’s battery was flat, or there was some other reason a phone could not be used, the employee could not access what he/she needed to.
Alongside all this, the idea of “two-step verification” became popular, where the user is sent an OTP by text/SMS or email. This ignored the fact that hackers had become adept at taking over victims’ phones using “SIM swapping” and are equally clever at diverting emails to themselves. Yet despite this, many companies like Microsoft continued to use this method as an alternative to true two-factor (see “SIM swap scam” on Wikipedia and “Ten hackers arrested for string of SIM-swapping attacks against celebrities” at Europol, europa.eu). It remains, bafflingly, something of an industry standard.
Biometric solutions (something you are)
began to gain popularity, hailed by many as the long-awaited panacea to all
authentication problems. After all, those spending billions of dollars on
biometric solutions argued, if it’s your fingerprint/face/voice, it must
be you!
But given that biometrics are never 100% certain it’s you (they only offer a “percentage” match), are such solutions the answer to all authentication problems? Clearly not in many cases, as biometric data can so easily be “spoofed” or stolen.
In 2019 the X-Lab group of Chinese “white hat” researchers took fingerprints from drinking glasses and used them to overcome security on users’ smart phones (“Hackers Claim ‘Any’ Smartphone Fingerprint Lock Can Be Broken In 20 Minutes”, forbes.com).
Admittedly biometric technology is improving all the time, but so are the hackers’ abilities, which means this technology will forever be embroiled in an increasingly high-stakes arms race. And underpinning all this is the dread knowledge that once an individual’s biometric information has been captured, it can never be changed. (Begging the question: how will such individuals cope thereafter?)
In 2015 there was a massive data breach involving over 22 million US federal employee records, including the fingerprints of five million (“Office of Personnel Management data breach”, Wikipedia); and in May 2023 there was a further breach involving 237,000 records at the US Dept of Transportation (“Data of 237,000 US government employees breached”, Reuters).
There are also fears that biometric information is so “personal” that its recording and use will increasingly infringe civil liberties and data protection regulations. The State of Illinois passed its Biometric Information Privacy Act (BIPA) in 2008, and this has more recently (May 2022) been used to prevent New York startup Clearview AI (“Illinois privacy law thwarts Clearview AI's controversial facial recognition tool”, Chicago Inno, bizjournals.com) gathering images from Facebook and other sources without gaining the permission of the individuals concerned.
A further piece of US draft legislation
(the National Biometric Information Privacy bill) was introduced to the Senate
in 2020 and one may only presume it could surface in the future to further
challenge the harvesting of biometric data.
Towards a faster, simpler and more secure authentication process
Another problem with today’s authentication technology is that it’s only designed to help individuals log into things like websites or networks, and is often mainly “work” related. It is unable to help someone prove who they are anywhere, any time - and that’s the problem we’re trying to solve.
Consider the following scenario. You’re travelling and everything you had on you has been stolen, meaning you have no driver’s licence, passport, phone, computer/tablet, money, cards etc. You need to phone a call centre at your bank or travel company to get assistance. How do you prove who you are, without resorting to clunky and often impossible-to-answer questions about last transactions (not a great idea with direct debits), pre-set questions and big data (e.g. which refrigerator you bought ten years ago)?
It may soon occur to the unfortunate victim
that all the methods he/she had previously used to prove identity or
authenticate, are now of little use.
We propose that we go back to the beginning and perform something of a re-set, using a new “core” technology we have been developing for several years (Shayype™) designed to come into play whenever and wherever a strong “who is” element is required, and which at the same time is far more difficult to steal, as it is never exposed in use and the secret itself resides in the user’s head.
Shayype is a revolutionary new ingredient technology designed to enable users to confirm their identities in any scenario, often without any extra hardware being required (but able, where required, to work with devices like phones).
In essence it does what many systems have tried to do in the past, namely presenting users with OTPs, but in a neater and more secure way, and without the need for anything to be transmitted. Codes are “sent” to users concealed in numbered grids surrounded by what appear to be random digits. However, authorised users can read the “correct” code by using a mentally held pattern (or more accurately a pre-set Shayype) as a guide.
The “Stripe” of authentication
Our aim at this point is to create a
cloud-based (or similar) Shayype authentication engine (SAE) which will enable this
revolutionary new core technology to be applied to a raft of existing products
and services, such as door locks, perimeter security and banking/fintech (think
debit/credit cards with OTPs to back up transactions, or even “chip ‘n’ PIN
online”).
We believe Shayype has the potential to
become the equivalent of “Stripe” (a popular and easily installed global
payments solution) for the authentication world. It will be applicable to any
system where a grid or matrix display can be shown to the user and will work
via standard browsers (meaning the Shayype display will appear on the screen of
any connected device).
The security of any Shayype-enhanced system
will be higher than anything which went before, because the secret (unlike
passwords or personal information) will never be exposed. Anything that is ever
transmitted - for instance an OTP when logging in to something like a website
(in place of a fixed password) - will simply be a one-time representation of
the user’s secret.
In other words, it will be of no use to a
hacker as it will not allow reverse-engineering of the original pattern secret,
which resides only in the user’s head (and nowhere else).
Best of all, the Shayype authentication engine, unlike previous systems, holds no personal data, and there is no file of encrypted passwords for a hacker to steal and re-use or sell on.
The (patent protected) Shayype secret
sharing back end retains only part of the information required to “know” the
user’s Shayype secret, so it can confirm the user has entered the correct numbers
but never puts the secrecy of the user’s Shayype at risk.
Is it two-factor?
The answer to this question is “yes” – but
in two ways.
On its own Shayype works without any
devices, meaning it could get you out of trouble if you were miles from home
and your phone was lost or broken, so you couldn’t use facial recognition to
prove who you were.
However, many regulations (such as the European
Banking Authority’s “Payment Services Directive 2” [“PSD2”]) require end-users to
have in their possession a second device – satisfying any needs for what the
regulations call two factor - and for this reason we will offer an app. This
will appear on the user’s phone whenever they need to log in or make a
purchase. All the user will need to do to complete a two-factor verification is
to extract a one-time passcode (OTP) from the Shayype numbered grid on the phone,
and then enter it into the main device.
This will however have the huge advantage
over conventional codes-via-SMS in that at no time will the OTP be sent as
plain text (as happens at the moment), and only the right user will be able to
extract the correct digits. So even if a user’s phone account falls into the
wrong hands (by “SIM-swapping” etc) all the attackers will receive is a
meaningless numbered grid.
So yes, Shayype can take the place of a second device, or use a phone in the mix, whichever is required. Either way security and convenience will be increased.
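To make the grid mechanism described above (and the phone-app variant, where the grid is simply shown on a second screen) concrete, here is an added Python model. It is a constructed illustration, not Shayype’s code and not its patented secret-sharing back end, which this paper does not describe in enough detail to reproduce; the server side below keeps the user’s pattern in full. Grid size, pattern length and the class and function names are assumptions.

```python
import hmac
import secrets

# Constructed model of a pattern-over-grid OTP (not Shayype's own design).
GRID_ROWS, GRID_COLS = 5, 5
MIN_PATTERN_LEN = 4


def generate_grid(rows=GRID_ROWS, cols=GRID_COLS, rng=secrets.randbelow):
    """Fresh challenge grid: every cell is an independent random digit 0-9.

    rng is injectable so a test can build a deterministic grid; real callers
    keep the default secrets.randbelow, a cryptographically strong source.
    """
    return [[rng(10) for _ in range(cols)] for _ in range(rows)]


def read_otp(grid, pattern):
    """What the legitimate user does in their head: read the digit sitting
    in each cell of the memorised pattern, in pattern order."""
    return "".join(str(grid[r][c]) for r, c in pattern)


class GridAuthenticator:
    """Server side. Holds each user's pattern (the shared secret) and at most
    one outstanding grid per user, which is consumed by the first verify()."""

    def __init__(self):
        self._patterns = {}    # username -> tuple of (row, col) cells
        self._challenges = {}  # username -> grid awaiting a response

    def enrol(self, user, pattern):
        cells = tuple(pattern)
        if len(cells) < MIN_PATTERN_LEN:
            raise ValueError("pattern too short")
        for r, c in cells:
            if not (0 <= r < GRID_ROWS and 0 <= c < GRID_COLS):
                raise ValueError("pattern cell outside the grid")
        self._patterns[user] = cells

    def challenge(self, user):
        """Issue a new grid; any earlier unanswered grid is discarded."""
        if user not in self._patterns:
            raise KeyError("unknown user")
        grid = generate_grid()
        self._challenges[user] = grid
        return grid

    def verify(self, user, otp):
        """True only if otp is this user's pattern read off the grid we issued.
        The grid is consumed on any attempt, right or wrong, so an OTP that was
        observed in transit cannot be replayed against the same grid."""
        grid = self._challenges.pop(user, None)
        if grid is None or not isinstance(otp, str) or not otp.isascii():
            return False
        expected = read_otp(grid, self._patterns[user])
        return hmac.compare_digest(expected, otp)  # constant-time comparison
```

Note that the response is only ever the digits read off one grid; the pattern itself never leaves the user’s head or the server.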
Conclusion
As discussed above, the authentication sector
is in disarray. The tech world has so far failed to produce a single solution
able to securely prove a user’s identity (or authorisation) in all scenarios.
Passwords as a security measure are well and truly broken, and so-called two-factor/two-step authentication, as well as biometrics, all suffer from major flaws and are clearly not suitable for authentication of users at scale, as they all depend on stealable items.
Shayype has been designed as a new
ingredient, able to function as a standalone technology, or using a separate
phone app, or to add an invaluable second factor to existing technologies like
biometrics.
Better still Shayype may also empower
individuals in a way that was simply not possible before, for everything from single
sign-on (SSO) to digital signatures.
Shayype the future
The online world has often been referred to
as a “Wild West” as anyone can lie about their true identity, as well as their
age and other attributes.
Our aim is to see Shayype allowing users to authenticate themselves either remotely or face-to-face, without (crucially) having to give away any personal details whatsoever (apart from a username - although even this could be a pseudonym etc., bearing no actual relation to the user).
The world would be far safer if everyone, including private individuals, could know who they’re talking to online (or face-to-face) using IdP accounts. Take for instance serial online sex abuser and blackmailer Matthew Falder (“Matthew Falder”, Wikipedia). Falder lured teenage girls into sending compromising pictures, pretending to be a woman called Liz, claiming “she” needed pictures for her life-drawing hobby to aid her nerves. Had those who responded to “Liz” been able to ask for proof of identity (via an IdP) they would have saved themselves a lot of misery and terror.
We also believe that the issue of age
verification will benefit from IdPs attesting to users’ real ages - with users
being able to prove ownership of accounts with a Shayype OTP. We have offered
Shayype’s help to the Australian Government trials, believing that IdP accounts
“fronted” by Shayype OTPs could add hugely to the techniques already available.
At present a range of measures are being tried, ranging from parental approval, to government documents and credit card ownership, to biometric indicators such as the appearance of faces, hands etc. (and even gestures) - but according to a report just out (“Enforcing Australia's social media ban on kids is possible but contains risks, report says”, BBC News) no single best or sufficiently accurate method has so far emerged. (How for instance does a photograph distinguish between a teenager who is 15 years and 364 days old, and one who a day later has reached his/her 16th birthday, and now wants to access social media?)
APPENDICES
Appendix 1. Definition of terms
This is a (non-exhaustive) list of the main
terms used in cyber and identity protection.
Password - usually a fixed “string” of characters assumed to be known only to the authorised user. Unfortunately, as has already been stated above, such character strings can easily be captured and re-used by hackers: figures show that between 80%-90% of online break-ins are related to passwords falling into the wrong hands.
Password-less (passwordless) – a blanket term which has been widely adopted by several companies whose avowed aim is to replace the password with something better. However, many such solutions (e.g. Beyond Identity) are based on the user being in possession of a mobile, and do not answer the question of what happens if the mobile is lost or even falls into the wrong hands. Several (including BI) use “private keys” securely stored within the phone. Microsoft offers a range of “passwordless” options.
Passkeys – pretty
much the same as passwordless – your mobile or computer confirms it’s you via
biometric authentication or an entry PIN. But if you lose your device, you’re
stumped.
Two-factor – designed to solve the vulnerability issue with fixed
passwords by instead giving users a different code every time they need to
perform an action. A two-factor set up generally involves a user choosing two
out of three “factors” – something you know, something you have or
something you are (in other words biometrics such as fingerprints or
facial recognition).
Two-step (or SMS) verification - a close relative of two-factor, where the second “factor” is typically a mobile assumed to be in the possession of the authorised user, to which a one-time code is sent by text/SMS. This is widely used and is often confused with two-factor; however, it offers far less protection due to the ease with which hackers can perform “SIM-swap” operations, whereby they get hold of a replacement SIM card for a user’s phone number, allowing a hacker to re-direct security codes to themselves. Security experts acknowledge it is far too easy for anyone to walk into a phone shop and claim someone else’s number is theirs, at the same time creating the impression that their phone has been broken/lost.
Identity and Access Management (IAM) – systems offered by companies such as ForgeRock, OKTA etc. offering authentication as a service (AaaS) based on “knowledge” of the authorised user via several credentials held in a database. One useful feature is Single sign-on (SSO) – see below. Such systems are really intended for the workplace or remote working; they were never designed to replace all passwords en masse.
Single sign-on (SSO) – a feature of secure IAM systems, such that once a user has successfully logged in, he/she can then seamlessly access other (approved) applications (and then log out at the end of the day, removing the risk of applications being accidentally left open).
WebAuthn – a recently introduced API (application programming interface) designed to allow hardware-based “trusted devices” (such as YubiKey hardware or FIDO2-enabled phones) to be used for logging into websites etc.
Appendix 2. Useful password history references
Password - Wikipedia (“Password”, Wikipedia)
The Forgotten Origin of Passwords by Yuji Develle (“The Forgotten Origin of Passwords”, Yuji Develle, Wonk Bridge, Medium)
A short history of the computer password (“A short history of the computer password”, WeLiveSecurity)
Author: Jonathan Craymer © Shayype Solutions Ltd 2025.
Shayype Solutions Ltd. E info@shayype.com W www.shayype.com. Registered Office Allia Future Business Centre, London Road, Peterborough PE2 8AN. Company Registration Number 15025170. Registered in England and Wales.