Israeli security start-up Secret Double Octopus has launched its authenticator app for enterprises. It is designed to avoid the insecure channels used by many multi-factor authentication solutions. SMS, tokens, push notifications and biometrics have all come under attack from hackers. This has made multi-factor authentication complex and limited its security benefits.
What is Secret Double Octopus doing?
Secret Double Octopus is using the same type of Secret Sharing algorithms as are used for nuclear launch codes. The difference between secret sharing and encryption is how the key is broken up and held. With most encryption solutions the key is stored intact. For redundancy, multiple copies of the key are stored. All of these leave it open to attack: breach one location and you have the key.
Secret Sharing is different. The key is broken into multiple parts and spread around. The parts are stored in different places and must come together to unlock what is protected. Think of a safety deposit box as a simple example. There are two keys, one held by the bank and the other by the customer. Both are needed to unlock the box. The nuclear code example is similar, just with more pieces. Multiple keys must be turned by different people at the same time. They have to agree that the order to launch is valid by using different mechanisms. The person ordering the launch must have access to the launch code and then have someone to validate any challenge to that code.
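The two examples above are the 2-of-2 and k-of-n cases of the same idea. The following is an added illustration, not code from Secret Double Octopus, and since the article does not name the scheme the company uses, it assumes Shamir's polynomial secret sharing: the key is the constant term of a random polynomial over a prime field, each share is a point on that polynomial, and any `threshold` points rebuild it by interpolation while fewer points are consistent with every possible key. The sample key, the `split_secret`/`recover_secret` names and the `rand` hook are all constructed for the example.

```python
"""Threshold secret sharing (Shamir's scheme): split a key into n shares so that
any k of them rebuild it and any k-1 reveal nothing about it.
Added example; not Secret Double Octopus code.  The page does not name the
scheme it uses, so Shamir's polynomial scheme is an assumption here."""
import secrets

# All arithmetic is done modulo a large prime so shares are uniformly random
# field elements.  2**521 - 1 is a Mersenne prime, large enough for 256-bit keys.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (constant term first) at x using Horner's rule."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_secret(secret, threshold, n_shares, rand=secrets.randbelow):
    """Return n_shares points (x, y) on a random polynomial of degree threshold-1
    whose constant term is the secret.  `rand` is injectable only so tests can
    make the shares deterministic; leave the default in real use."""
    if not 1 <= threshold <= n_shares < PRIME:
        raise ValueError("need 1 <= threshold <= n_shares")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be an integer in [0, PRIME)")
    coeffs = [secret] + [rand(PRIME) for _ in range(threshold - 1)]
    # x = 0 is never handed out as a share: that point *is* the secret.
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n_shares + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over the prime field.  With fewer than
    `threshold` shares this still returns a number, but it is unrelated to the
    secret: the missing shares could be anything, so every candidate secret is
    equally consistent with what the holder has."""
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate share indices")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # pow(den, PRIME - 2, PRIME) is the modular inverse (Fermat's little theorem).
        secret = (secret + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return secret


def demo():
    """Share a constructed 32-byte key 3-of-5 and report which subsets rebuild it."""
    key = int.from_bytes(b"constructed-sample-key-32bytes!!", "big")  # constructed sample
    shares = split_secret(key, threshold=3, n_shares=5)
    return {
        "three_shares_recover": recover_secret(shares[:3]) == key,
        "other_three_recover": recover_secret([shares[0], shares[2], shares[4]]) == key,
        "all_five_recover": recover_secret(shares) == key,
        # False except with probability 1/PRIME: two points of a quadratic fix a line, not the curve.
        "two_shares_recover": recover_secret(shares[:2]) == key,
    }


if __name__ == "__main__":
    print(demo())
```

The safety deposit box is `split_secret(key, 2, 2)`; a launch-code style arrangement where any three of five officers suffice is `split_secret(key, 3, 5)`. The point worth noticing in `recover_secret` is that an attacker holding two of three required shares is not "two thirds of the way there": interpolating through two points yields a value that is uniformly distributed over the field, so the stored fragments are individually worthless, which is exactly the property the article contrasts with storing an intact key in several places.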
Taking it further and making it keyless
Secret Double Octopus is using that same multiple key parts approach for what it calls a keyless system. In this case it is using a series of algorithms that sit on both sides of a transaction. This could be a login, an online payment or any form of transaction. This means that anyone trying to break the key must have control of both the user device and the server-side authentication.
This approach removes human error such as the user accessing a service through an insecure network. While the hacker might gather enough data to see what was passed, other parts of the algorithm and authentication process would detect a replay. This is about behavioural science that looks at how people interact and uses that as part of the complex algorithms.
This change of approach also stops hackers, and even governments, from cracking encryption algorithms. This is a major worry for the vast majority of high security systems in use. As computing power increases, the time required to crack algorithms decreases.
Making encryption harder to crack
IBM recently upped the stakes for cracking complex algorithms with its latest Quantum computing announcement. It is already promoting it as an accelerator to standard computing. However, it expects to see customers building Quantum computers with more power than today’s largest supercomputers within five years. This means that the days of the encryption algorithm are already numbered.
The solution is designed to meet the latest NIST guidelines on additional security. Interestingly, those guidelines look to limit the use of biometrics including voice. They require any biometric to be verified by another authentication approach. This is good news but will challenge those organisations who are only just starting to adopt biometrics as a secure login. Among those are banks who see voice authentication as better than other solutions. The question is whether Secret Double Octopus can gain a foothold in the banking market. Success there would accelerate the company's growth.
Conclusion
Keyless authentication is a target for many security start-ups. They are looking to take advantage of the complexity of current multi-factor authentication with simpler alternatives. Their challenge is convincing enterprises that this can work for them and scale to meet their needs.