Shayype White Paper

Towards faster, simpler and more secure authentication

Executive summary
If we’re unable to prove who we are (or that we’re authorised to perform an
action) then in a world where much of the time we can’t see or hear those we’re
dealing with, we’re always going to have major problems and the world – whether
we’re dealing with people online, over the phone or face-to-face – will always
be fraught with danger.
Did we make a serious mistake in trying to phase out the concept of the mentally
held secret, at least as far as passwords are concerned, simply because such
fixed strings of characters are no longer secure enough and the bad guys can
too easily capture and re-use them?
This paper is designed to show how re-inventing the mentally held secret might
allow us, at long last, to address all the problems which now stem from our
inability to securely prove who we are remotely.
Cyber criminals are winning
We are losing the war against cyber
criminals. Glance at any business magazine, website or blog and you will find a
string of headlines illustrating the rampant destructiveness of cybercrime, and
how difficult it seems to be to prevent breaches, ransomware attacks and the like.
In 2022 the UK was dubbed The Fraud Capital of the World with national losses
exceeding £3bn (https://www.dailymail.co.uk/news/article-10955193/Britain-3bn-fraud-capital-world-Probe-reveals-40m-targeted-scammers-2022.html).
Factors like the faster payments system take much of the blame, along with an apparent
unwillingness by police to tackle this type of crime.
According to McAfee, data breaches, online
fraud and other kinds of cyber-crime are costing the world upwards of $1
trillion a year, and CyberCrime News predicts this will reach $10tn in
just four years’ time.
Allied to crimes such as ransomware (now
becoming “industrialised” and available via the Dark Web as a service on
demand) cybercrime continues to be the number one existential threat to
businesses and organisations across the world.
Where did it start to go wrong?
Many centuries ago, when most of us lived
in small rural communities, everyone knew who everyone else was, and vice versa.
The need for more sophisticated
authentication only occurred when traders, soldiers and others were required to
travel to parts where they were not known personally. Merchants or officials would
carry letters of introduction, and Roman soldiers apparently pioneered the use
of passwords to prove they were friends, not foes.
Technicians developing main-frame computing
revived the use of passwords (an idea credited to Fernando Corbato – a computer
scientist at the Massachusetts Institute of Technology, in 1960). However, it
wasn’t long before experts began to realise that computers were inherently
insecure and that because they had not been built with security in mind, the
world could have a major problem on its hands with increasing use of computers by
the military, government and security critical users.
In 1972 a team working for the US Air Force (working alongside the National
Security Agency) became extremely concerned. They compiled the 142-page
Anderson Report which they published in October that year. It contained an
appendix detailing most of the penetration techniques still used today by
hackers – written just 51 years ago!
Then the Internet arrived, bringing with it the need for mass authentication on a
huge scale. Computer experts already using passwords thought the same idea
might continue to work for Joe Public, so passwords were adopted as the
authentication method of choice for most websites and online applications.
The trouble with the huge change in most
people’s needs for remote authentication, and the spread of electronic
communications across the world, was that it exposed the weaknesses of passwords
themselves – the main one being that they could so easily be captured and then
reused. Furthermore, they do not offer any degree of confidence that the
correct user is involved in the transaction. Hackers were quick to realise that
if they could get hold of stolen passwords, they could come and go at will, all
the while appearing to be the authorised users. It was like having a copy of a
door-key, without the owner’s knowledge.
To make matters worse, no doubt with the best of intentions, we made it easy to
re-set our passwords if we had forgotten them, usually armed with nothing more
secure than our email address. This process has in many cases allowed hackers
to lock out genuine users. (Who signed off on that idea?)
How we tried to solve authentication problems
To get round the weaknesses of passwords,
two factor authentication (or 2FA) was invented in 1977. The term derives from
the requirement that the user employ two of three “factors”, namely something
you know – e.g. a password; something you have – e.g. a key fob
or RFID key; or something you are – e.g. a fingerprint, face recognition
etc.
This idea worked well for a while. The “key
fob” devices (often referred to as
“tokens”) were created by the million. They gave users (usually via little
electronic displays) one-time passcodes (OTPs) which typically changed every 60
seconds.
The idea of giving users OTPs was initially
thought to be good (it’s suggested in the USAF’s Anderson Report – see above) as
it did away with the vulnerability of fixed passwords. But it soon became
obvious that there were huge down-sides.
A something-you-have system (in other words
a key-fob or other hardware device) gave rise to the idea that “possession
based” authentication could answer all authentication problems – ignoring the
fact that anything a user has, a hacker can get hold of too!
Also, two-factor solutions tended to be
expensive, meaning that often only a small percentage of an organisation’s
employees might have received them – while the bulk of the workforce continued
to make do with passwords.
Meanwhile, for those “lucky” enough to have been issued with a fob, having to ensure it
was at hand whenever it was necessary to log in, must have increased the
complexity of daily life, and created a huge administration task when batteries
failed or units had been lost or damaged, costing even more when new units had
to be couriered (often to far flung places) before an employee could resume
working.
It wasn’t long before key-fobs began to
give way to cheaper mobile phone-based 2FA. But these new “soft token” solutions
brought their own problems. Some employees objected to using their own phones for
work-related tasks, and mobiles were not allowed in certain environments (e.g. medical,
scientific, defence, “clean” labs), and if a phone’s battery was down, or there
was some other reason a phone could not be used, the employee could not access what
he/she needed to.
Alongside all this, the idea of “two step”
authentication sprang up, where the user would be sent a one-time passcode
(OTP) either by text (SMS) or email. This ignores the fact that hackers have
become adept at taking over victims’ phones using “SIM swapping” and are
equally clever at diverting emails to themselves. Yet despite this, many
companies like Microsoft continue to use this method as an alternative to true
two-factor (see SIM swap scam - Wikipedia
and Ten
hackers arrested for string of SIM-swapping attacks against celebrities |
Europol (europa.eu)).
Biometric solutions (something you are)
began to emerge, hailed by many as the long-awaited panacea to all
authentication problems. After all, those spending billions of dollars on
biometric solutions argued, if it’s your fingerprint/face/voice, it must
be you!
Despite never being 100% certain it’s you
(biometrics are always only a “percentage” match) are such solutions the answer
to all authentication problems? Clearly not in many cases. Biometric data can
be “spoofed” or stolen.
In 2019 the X-Lab group of Chinese “white
hat” researchers took fingerprints from drinking glasses and used them to
overcome security on users’ smart phones (Hackers
Claim ‘Any’ Smartphone Fingerprint Lock Can Be Broken In 20 Minutes (forbes.com)).
Admittedly, biometric technology is improving all the time, but so are the hackers’
abilities – which means this technology will forever be embroiled in an
increasingly high-stakes arms race. And underpinning all this is the dread
knowledge that once an individual’s biometric information has been captured, it can never be changed.
In 2015 there was a massive data breach
involving over 22 million US federal employee records – including the
fingerprints of five million (Office
of Personnel Management data breach - Wikipedia); and in May 2023 there was a further breach involving 237,000
records at the US Dept of Transportation (Data
of 237,000 US government employees breached | Reuters).
There are also fears that biometric
information is so “personal” that its recording and use will increasingly infringe
civil liberties and data protection regulations. The State of Illinois
passed its Biometric Information Privacy Act (BIPA) in 2008, and this has recently
(May 2022) been used to prevent New York startup Clearview AI (Chicago
Inno - Illinois privacy law thwarts Clearview AI's controversial facial
recognition tool (bizjournals.com)) gathering
images from Facebook and other sources, without gaining the permission of the
individuals concerned.
A further piece of US draft legislation (the National Biometric Information
Privacy bill) was introduced to the Senate in 2020 and one may only presume it could
surface in the future to further challenge the harvesting of biometric data.
Towards a faster, simpler and more secure authentication process
Another problem with today’s authentication
technology is that it’s only designed to help individuals log into things like
websites. It is unable to help someone prove who they are anywhere, any time.
Consider the following scenario. You’re
travelling and everything you had on you has been stolen, meaning you have no
driver’s licence, passport, phone, computer, money, cards etc. You need to
phone a call centre at your bank or travel company to get assistance. How do
you prove who you are, without resorting to clunky and often
impossible-to-answer questions about last transactions (not a good idea with
direct debits), pre-set questions and big data (e.g. which refrigerator you
bought ten years ago)?
It may soon occur to the unfortunate victim
that all the methods he/she had previously used to prove identity or
authenticate, are now of little use.
We propose that we go back to the beginning
and perform something of a re-set, using a new “core” technology we have been
developing for several years (Shayype™) designed to come into play whenever
and wherever a strong “who is” element is required.
Shayype is a
revolutionary new ingredient technology designed to enable users to confirm
their identities in any scenario, often without any extra hardware being
required.
In essence it does what many systems have
tried to do in the past, namely presenting users with OTPs, but in a neater and
more secure way, and without the need for anything to be transmitted.
Codes are “sent” to users concealed in
numbered grids surrounded by what appear to be random digits. However, authorised
users can read the “correct” code by using a mentally held pattern (or more
accurately a pre-set Shayype) as a guide.
The Shayype authentication engine
Our aim at this point is to create a
cloud-based (or similar) Shayype authentication engine (SAE) which will enable this
revolutionary new core technology to be applied to a raft of existing products
and services, such as door locks, perimeter security and banking/fintech (think
debit/credit cards with OTPs to back up transactions, or even “chip ‘n’ PIN
online”).
We believe Shayype has the potential to
become the equivalent of “Stripe” (a popular and easily installed global
payments solution) for the authentication world. It will be applicable to any
system where a grid or matrix display can be shown to the user, and will work
via standard browsers (i.e. the Shayype display will appear on the screen of
any connected device).
The security of any Shayype-enhanced system
will remain high because the secret (unlike passwords or personal information) will
never be exposed. Anything that is ever transmitted - for instance an OTP when
logging in to something like a website (in place of a fixed password) - will
simply be a one-time representation of the user’s secret.
In other words, it will be of no use to a
hacker as it will not allow the attacker to reverse-engineer the original
pattern secret, which resides only in the user’s head (and nowhere else).
Best of all, the Shayype authentication engine,
unlike previous systems, holds no personal data and there is no file of
encrypted passwords for a hacker to steal and re-use or sell on.
The (patent protected) Shayype secret
sharing back end retains only part of the information required to “know” the
user’s Shayype secret, so it can confirm the user has entered the correct
numbers, but never puts the secrecy of the user’s Shayype at risk.
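As an added illustration (not code from this paper or from Shayype Solutions) of the grid-and-pattern mechanism described above, and of why a code entered at login is only a one-time representation of the secret: the user reads off the digits sitting under a mentally held pattern of cells, and the server, which issued that grid, checks the digits and then discards the grid. The 5x5 grid, the four-cell pattern and the in-memory storage of the pattern are assumptions; the paper's secret-sharing back end is not modelled.

```python
import secrets

# Assumptions (the paper gives no grid dimensions or pattern length):
# a 5x5 grid of single digits and a pattern of 4 cells read in a fixed order.
GRID_SIZE = 5
PATTERN_LENGTH = 4


def new_grid(rng=secrets.randbelow):
    """A fresh challenge: one random digit per cell, stored row-major."""
    return [rng(10) for _ in range(GRID_SIZE * GRID_SIZE)]


def render_grid(grid):
    """The grid as the user would see it on screen (rows of digits)."""
    rows = [grid[r * GRID_SIZE:(r + 1) * GRID_SIZE] for r in range(GRID_SIZE)]
    return "\n".join(" ".join(str(d) for d in row) for row in rows)


def read_otp(grid, pattern):
    """What the user does in their head: read the digits under the pattern's
    cells, in pattern order. Only these digits are ever typed or transmitted."""
    return "".join(str(grid[cell]) for cell in pattern)


class GridOtpVerifier:
    """Toy server side. For illustration it keeps each user's pattern in clear
    memory; the paper describes a patented secret-sharing back end instead."""

    def __init__(self):
        self._patterns = {}
        self._pending = {}  # username -> grid currently on the user's screen

    def enrol(self, username, pattern):
        cells = tuple(pattern)
        if len(cells) != PATTERN_LENGTH or len(set(cells)) != len(cells):
            raise ValueError("pattern must be %d distinct cells" % PATTERN_LENGTH)
        if any(not 0 <= c < GRID_SIZE * GRID_SIZE for c in cells):
            raise ValueError("cell index out of range")
        self._patterns[username] = cells

    def challenge(self, username, rng=secrets.randbelow):
        """Issue a new grid; an earlier unanswered grid for the user is discarded."""
        grid = new_grid(rng)
        self._pending[username] = grid
        return grid

    def verify(self, username, otp):
        """The grid is consumed on the first attempt, so a captured code cannot be
        replayed: the next login shows a different grid, hence a different code."""
        grid = self._pending.pop(username, None)
        if grid is None or username not in self._patterns:
            return False
        expected = read_otp(grid, self._patterns[username])
        return secrets.compare_digest(expected.encode(), otp.encode())
```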
Conclusion
As discussed above, the authentication sector
is in disarray. The tech world has so far failed to produce a single solution
able to securely prove a user’s identity (or authorisation) in all scenarios.
Passwords as a security measure are well
and truly broken, and so-called two factor/two-step authentication as well as
biometrics, all suffer from major flaws and additionally clearly are not
suitable for authentication of users at scale as they all depend on stealable
items.
Shayype has been designed as a new
ingredient, able to function as a standalone technology, or to add an
invaluable second factor to, say, biometric solutions.
Better still it may also empower
individuals in a way that was simply not possible before, for everything from single
sign-on (SSO) to digital signatures.
In addition, it will facilitate a user
authenticating him/herself either remotely or face-to-face, without giving away
any personal details whatsoever (apart from the username - although even this
could be a pseudonym etc., bearing no actual relation to the user). Such a
discreet use could make it ideal for combatting online harms etc.
Ultimately, we have a vision of Shayype technology
being offered by the world’s large public facing websites (Facebook, Twitter,
Google etc) helping to free the world from the burden of having to use, store
and recall passwords (while avoiding the consequences of fixed passwords falling
into the wrong hands!).
We also hope to see Shayype fronting a raft
of new “know your customer” (KYC) systems offered (free or at very low cost) to
end-users by credit rating agencies and other “identity partners” (IdPs) – like
those (such as The Post Office and Digidentity) which used to provide this kind
of service alongside the UK Government’s GOV.UK Verify system.
APPENDICES

Appendix 1. Definition of terms
This is a (non-exhaustive) list of the main
terms used in cyber and identity protection.
Password - usually
a fixed “string” of characters assumed to be known only to the authorised user.
Unfortunately, as has already been stated above, such character strings can
easily be captured and re-used by hackers: figures show that between 80% and 90% of
online break-ins are related to passwords falling into the wrong hands.
Password-less (passwordless) – is a blanket term which has been widely adopted by several
companies whose avowed aim is to replace the password with something better.
However, many such solutions (e.g. Beyond Identity) are based on the user being
in possession of a mobile, and do not answer the question of what happens if
the mobile is lost or even falls into the wrong hands. Several (including BI)
use “private keys” securely stored within the phone. Microsoft offers a range
of “passwordless” options.
Pass-keys – pretty
much the same as passwordless – your mobile or computer confirms it’s you via
biometric authentication or an entry PIN. But if you lose your device, you’re
stumped.
Two-factor – designed to solve the vulnerability issue with fixed
passwords by instead giving users a different code every time they need to
perform an action. A two-factor set up generally involves a user choosing two
out of three “factors” – something you know, something you have or
something you are (in other words biometrics such as fingerprints or
facial recognition).
Two-step (or SMS) verification - a close relative of two-factor, where the second “factor” is typically
a mobile assumed to be in the possession of the authorised user, to which a
one-time code is sent by text/SMS. This is widely used and is often confused
with Two-factor; however, it offers far less protection due to the ease with
which hackers can perform “SIM-swap” – whereby they get hold of replacement SIM
cards for a user’s phone numbers, meaning they can re-direct security codes to
themselves. Security experts acknowledge it is far too easy to walk into a
phone shop and claim someone else’s number and create the impression that that
phone has been broken/lost.
Identity and Access Management (IAM) – systems offered by companies such as ForgeRock, OKTA etc
offering authentication as a service (AaaS) based on “knowledge” of the
authorised user via several credentials held in a database. One useful feature
is Single sign-on (SSO) – see below. Such systems are
really intended for the workplace or remote working; they were never designed
to replace all passwords en masse.
Single sign-on (SSO) – is a feature of secure IAM systems, such that once a user has successfully
logged in, he/she can then seamlessly access other (approved) applications (and
then log out at the end of the day, removing the risk of applications being
accidentally left open).
WebAuthn – is a recently introduced API (application programming interface)
designed to allow hardware-based “trusted devices” (such as YubiKey hardware or
FIDO2 enabled phones) to be used for logging into websites etc.
Appendix 2. Useful password history references
Password - Wikipedia (Password - Wikipedia)
The Forgotten Origin of Passwords by Yuji Develle (The Forgotten Origin of Passwords | by Yuji Develle | Wonk Bridge | Medium)
A short history of the computer password (A short history of the computer password | WeLiveSecurity)
Author: Jonathan Craymer © Shayype Solutions Ltd 2025.
Shayype Solutions Ltd. E info@shayype.com W
www.shayype.com. Registered Office Allia
Future Business Centre, London Road, Peterborough PE2 8AN. Company Registration
Number 15025170. Registered in England and Wales.