AuthEz
Want a password manager that works everywhere, easily, securely and is free?
The management of credentials (usernames and passwords) is a user problem and we need help.
We have hundreds (if not thousands) of accounts but have no input into how we use and maintain them.
Password managers have existed for decades and are definitely better than nothing, but their basic design makes them a band-aid at best.
Authentication needs to be standardized; designed with users in mind while improving security for service providers (web sites, kiosks, etc.).
Let's improve the process for everyone.
AuthEz is taking a different approach.
AuthEz will be the easiest, most secure, personal identity tool available.
Every client will be able to connect with every service easily and seamlessly via industry leading security features and implementations.
AuthEz clients log you in directly, via side channel communication, rather than "pasting" your credentials into fields on the screen.
- You get a secure, efficient way to use and maintain your credentials.
- Services/sites get improved security via a simple, open-standards-based implementation.
A benefit of this design is that with AuthEz your credentials can be used with kiosks and public workstations just as easily and securely as any desktop workstation.
The possibilities are exciting!
How can my phone/tablet/watch securely log me into a workstation, kiosk or any system with a display?
Use AuthEz to scan the login screen's QRCode, select the account and after confirmation start using the application/site/service.
Your personal information is never entered on the workstation/kiosk.
The AuthEz QRCode enables communication between the workstation and your device, supplying the domain and a unique session token.
AuthEz completes the login by sending the credentials you select and the session token to the service via secure web services.
How can I login on my device?
Clicking an AuthEz QRCode on your device (in a browser or application) automatically launches AuthEz; select the account and, after confirmation, start using the application/site/service.
The same secure process completes the login; we just don't need to scan the QRCode.
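The login flow described above, simulated in Python as an added example (this is not AuthEz project code): the service issues a session token inside the QR payload, the phone shows only the accounts saved for that domain, sends the chosen credentials plus the token through the side channel, and the service marks the waiting screen as logged in. The JSON payload shape, the 120-second token lifetime, single-use tokens, the domain-binding check in the client and the sample user/vault data are all assumptions made for the example, not part of the page's specification.

```python
import hmac
import json
import secrets
import time

TOKEN_TTL_SECONDS = 120  # assumed lifetime of a login-screen QR code


class Service:
    """The site or kiosk back end: issues QR payloads and completes logins over the side channel."""

    def __init__(self, domain, users):
        self.domain = domain
        # Constructed sample user store. A real service stores password hashes;
        # plain strings are used here only to keep the example short.
        self._users = users
        # session token -> state; the screen that displayed the QR code polls this
        self._sessions = {}

    def new_login_screen(self, now=None):
        """Called when a login screen is rendered; returns the QR payload (assumed JSON shape)."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # unpredictable, one per rendered screen
        self._sessions[token] = {"issued": now, "user": None, "used": False}
        return json.dumps({"domain": self.domain, "token": token})

    def side_channel_login(self, token, username, password, now=None):
        """The web-service call the phone makes; returns (ok, reason)."""
        now = time.time() if now is None else now
        session = self._sessions.get(token)
        if session is None:
            return False, "unknown token"
        if session["used"]:
            return False, "token already used"
        if now - session["issued"] > TOKEN_TTL_SECONDS:
            return False, "token expired"
        session["used"] = True  # single use, whether or not the credential checks out
        expected = self._users.get(username)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return False, "bad credentials"
        session["user"] = username  # the waiting screen now belongs to this user
        return True, "ok"

    def screen_user(self, token):
        """What the kiosk polls for: which user (if any) completed this screen's login."""
        session = self._sessions.get(token)
        return session["user"] if session else None


class Client:
    """The phone/tablet app holding the user's vault: domain -> [(username, password), ...]."""

    def __init__(self, vault):
        self._vault = vault

    def scan(self, qr_payload):
        """Parse the QR code; return the domain, the token and the pre-filtered account list."""
        data = json.loads(qr_payload)
        domain, token = data["domain"], data["token"]
        usernames = [u for u, _ in self._vault.get(domain, [])]
        return domain, token, usernames

    def confirm(self, service, domain, token, username, now=None):
        """After the user picks an account, send it plus the token to the scanned domain."""
        # Assumed check: credentials are only ever sent to the domain they were saved for,
        # so a QR code that names one domain cannot harvest the password for another.
        if service.domain != domain:
            return False, "domain mismatch"
        for u, p in self._vault.get(domain, []):
            if u == username:
                return service.side_channel_login(token, u, p, now=now)
        return False, "no such account for domain"


def demo():
    """Run the full flow once (constructed data) and return what each side observed."""
    service = Service("example.com", {"alice": "correct horse battery staple"})
    phone = Client({"example.com": [("alice", "correct horse battery staple")],
                    "other.example": [("alice", "different-password")]})
    qr = service.new_login_screen(now=1000.0)           # kiosk renders this as a QR code
    domain, token, choices = phone.scan(qr)              # user scans it with the app
    ok, reason = phone.confirm(service, domain, token, choices[0], now=1010.0)
    replay = phone.confirm(service, domain, token, choices[0], now=1011.0)
    stale = service.new_login_screen(now=2000.0)
    _, stale_token, _ = phone.scan(stale)
    expired = phone.confirm(service, "example.com", stale_token, "alice",
                            now=2000.0 + TOKEN_TTL_SECONDS + 1)
    return {"choices": choices, "login": (ok, reason), "kiosk_sees": service.screen_user(token),
            "replay": replay, "expired": expired}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The kiosk never receives the password at all; it only learns, by polling its own token, that the screen has been claimed by a user. The token checks (unknown, already used, expired) are what stop a photographed or replayed QR code from being useful later, and the domain comparison in the client is what stops a code for one site from extracting the credential for another.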
Other Features...
- Simplified account creation and maintenance (including single and mass password updates)
- Data synchronization (sync credentials across devices)
- If a security mechanism is possible on a device, we can support it.
Samples include: fingerprints, facial recognition, voice recognition, one time passwords (OTP).
Did we mention that AuthEz is free?
Client applications will always be free.
We're hoping that service/provider implementation can also be free for all; funded by donations, sponsors, grants.
We're doing this for the good of the industry as a whole.
We never have (or want) your data.
Transactions are executed directly between your device and the service/site (we never see them).
We won't collect usage statistics.
We won't display advertising.
We're merely providing the client applications and service provider specifications, samples, documentation.
Users need to take control of their digital identities.
Although AuthEz is a fairly simple concept, it hasn't been done before.
It's time to make our lives a little easier and more secure.
A move to AuthEz will be a big step in the right direction.
What next...
A lot more information is available on the site and it's growing constantly.
Please check back regularly.
If you have additional questions, or would like to express interest (moral support), send us an email (info[at]authez.org).
Please be patient during our infancy; we'll respond as soon as possible (it could take a couple of days).
If you'd like to see AuthEz become a reality, please like AuthEz on Facebook (link/page coming soon).
With a like, we'll be able to keep you updated as important events occur and have numbers that might help convince companies to adopt AuthEz.
Thank you for taking the time to look. We hope you're as excited about AuthEz as we are. We have a long way to go, but it's worth the effort.
If you know of a tool with the features and possibilities of AuthEz, please let us know.
We'll start using it and have a lot more free time.
|
Security is not a feature, it's a set/suite of measures that attempt to address as many threats as feasible. In the end, no solution can be 100% secure. If an adversary wants an asset, given enough time and resources they can get it. The goal of security is to make access to assets a bad investment for adversaries.
Authentication and identity management implementations are being designed and built from a provider perspective.
This is a natural evolution but doesn't address the big picture of user issues.
Over the years we've seen the explosion: first an account at work, then a few dial-up services, then a few online accounts and now nearly everyone you deal with wants you to register.
User IDs and passwords (credentials) are common to nearly all accounts, with manual entry being the norm.
Beyond credentials, a finite set of authentication mechanisms are being implemented in varying combinations.
It's the user's responsibility to define, maintain and secure their credentials.
This means that users either replicate credentials or end up having hundreds, possibly thousands.
Both scenarios have issues.
Reusing credentials is an insecure practice and defining a different credential set for every system/site means that you either keep a list/book or need a password manager of one flavor or another.
Many password managers are available, some are free, some come at a price.
They offer varying levels of security and functionality, but all have at least one flaw: they're not truly integrated into the authentication and maintenance process.
They're a layer on top of, or alongside, the application being authenticated, and if you're attempting to authenticate on a public device, they're not much help.
In the end this is a user problem that can only be properly addressed at the system design level, which means the industry needs to help.
Increased user security means increased system security and proprietary systems aren't the answer.
Users only have one, maybe two, account(s) with each provider.
Installing a proprietary app for each provider isn't feasible, we need one solution that works for all users and providers.
The resulting solution needs to be free for users and inexpensive for providers.
AuthEz is being developed to meet this need:
- A suite of client applications, implementing industry leading security concepts and features that facilitate authentication services for all providers.
- A provider specification that defines the contracts and features that are available for secure authentication and account maintenance using industry standard technologies.
So how does AuthEz make a profit?
It doesn't, it will be a non-profit organization with a well defined mission statement.
This is about making users and providers more efficient and secure, not about profits.
We will not have access to your data.
We will not collect any usage data.
We will not include advertising.
AuthEz transactions are executed between the client and service/site (we never see them).
We merely design and facilitate the specification.
Today we're also designing and developing the client applications, but that will hopefully move to OS/hardware manufacturers as AuthEz adoption increases.
The goal is that the minimal operating expenses required to fund AuthEz be covered by sponsors and donations, grants are another possibility.
Given the amount of profits earned by providers via these users/accounts and the amount that increased security could save them, donations should be easy to solicit.
At some point someone needs to bridge the gap, providing this service for the betterment of everyone.
Nothing would make us happier than AuthEz, or some variation, becoming the industry standard. Used by everyone!
If you like what you've read, please spread the word.
As the specification and adoption begin to take hold we'll begin a social media campaign.
Until then it's up to you. A famous quote that applies... If you build it (right) they will come.
Other services are on the horizon, but they're secondary to the initial adoption of the AuthEz specification:
- Facilitate SMS services for non/lower profit providers that might not be able to afford the required infrastructure.
This is intended to facilitate Multi-Factor Authentication for all providers.
- Auditing/scanning of provider AuthEz services, facilitating the display of the AuthEz Verified seal, assuring users that the organizations they're dealing with follow secure development practices.
- Since the driving force behind AuthEz is personal safety...
Creation and maintenance of a Personal Safety site dedicated to all facets of personal safety, including online security.
|
The videos/animations linked below give examples of what the AuthEz process looks like.
|
AuthEz was born from a desire to improve personal security/safety, not to mention make life a little easier.
After two decades of software development and engineering experience in the healthcare, banking and financial services industries, I took advantage of an opportunity in the systems security field. This change offered extensive educational and research opportunities in many aspects of digital security. Personal security had always been an interest; now I got to dedicate time to it professionally. The resulting knowledge plus a substantial increase in cyber related incidents over the same time reinforced that a better authentication process was needed by all. This defined the need.
AuthEz needed to answer the following questions...
How can we make it nearly seamless for users to authenticate on any platform, using any device, securely at no cost to users?
How can this solution be simply, inexpensively and securely implemented by providers?
So, what are our goals?
- Improving the security posture of all AuthEz providers and users.
- Make authentication (and account maintenance) as easy as possible.
Taking advantage of the latest platforms (mobile, desktop, wearables), technologies and standards.
- Implement industry leading protection of our data.
- AuthEz must be system agnostic (work everywhere, on everything).
- If you're going to do it, do it well.
- It's not about money, it's about improvements for the industry as a whole. This is functionality that we all need.
With these goals in mind, the AuthEz concept started to evolve...
Utilize a new industry specification, implementing QR codes, secure Side-Channel Authentication (SCA) and Two+ Factor Authentication (2FA). Wherever you see an AuthEz QR code, either touch/click it (ClickAuth) if it's a device containing your AuthEz data, or scan it (ScanAuth) using the AuthEz app on one of your devices. Then select the account to authenticate (pre-filtered list), confirm success and start using the application. Authentication on public devices is as easy and secure as on your personal devices; your credentials are never entered. OK, almost as easy...you have to launch AuthEz and scan the QR code.
|
Open Source...
The AuthEz specification, samples, documentation will always be available.
A core security concept is that we can't rely on obscurity.
Making AuthEz open source ensures that we don't.
In the end, any logic can be decompiled and inspected by adversaries.
Thinking that techniques won't be discovered isn't viable.
We want the best security and development minds to have access, helping identify weaknesses and making AuthEz as secure as possible.
Bug Bounties...
A small portion of funding will be available to facilitate "bug bounties".
Bug bounties are a viable tool for any system wanting to increase its security posture.
Standard Practices...
Have peace of mind knowing that every service/site implementing AuthEz has implemented industry leading, standards based authentication and account maintenance functionality, including:
authentication/login, account definition, account maintenance,
Verified Services...
Services implementing AuthEz are required to meet a few crucial security related requirements, i.e.: minimum functionality, communication protocols, credential storage, etc..
Feel safer knowing that these requirements are validated by AuthEz.org on a regular basis.
These service audits and verifications are important to us. We all deserve a safer computing environment.
QRCodes...
Although QR codes can be a security threat, it depends on how they're used.
They can house a reasonable amount of data and are easily scanned by nearly everything with a camera today.
This makes them the perfect device interface for AuthEz, transferring data from one device (e.g., a display) to another (e.g., a phone, tablet or wearable) wirelessly.
On touch devices, a simple tap/click is all it takes to take advantage of AuthEz.
The design of AuthEz takes QR code vulnerabilities out of the equation.
AuthEz Logic...
All AuthEz logic will be Open Source, reviewable by anyone.
Open Source logic helps ensure that AuthEz is as secure as possible.
It also means that any claims we make can be proven true.
AuthEz Data...
AuthEz data is stored on each device using advanced encryption based on keys that are specific to the device.
Synchronization services help keep your devices in sync.
|
AuthEz Ownership, Continued Design and Development
AuthEz was conceived and taken to its current state after hours at home, while working for a financial services company (my employer for 18 years). Due to the intellectual property agreement in effect, I need to get a formal release of AuthEz before going much further. Depending on the result of this process, the AuthEz project will either continue to be led by me under Document Automation Technologies, Inc. or by me (most likely) under my employer.
The Specification
The AuthEz specification is in process, continuing to grow as the prototype and designs develop.
As we have more content and adoption within the industry looks viable, the appropriate standards organization will be determined and contacted.
Draft revisions will be published once a viable initial draft is ready.
Sample Provider Implementations
The initial prototype, being used for the proof-of-concept, is being developed under ASP.Net.
Once resources are available, or the proof-of-concept is completed, a Java sample implementation will be coded.
All samples/prototypes will be available for download.
Client Applications
Work was slowed on the Android client prototype while resolving some of the remaining technical and design issues. We've recently resumed development.
Those new features are coming along nicely. It and the ASP.Net sample logic are making up the proof-of-concept/demo.
Until our resource pool expands, the following client implementation order is planned:
1) Android (4.3+) phone and tablet
2) iOS phone and tablet
3) Android wearables
4) iOS wearables
5) Windows Phone
6) Windows Desktop*
7) Mac Desktop*
8) Linux Desktop*
* = Possibly a cross-platform client (but probably not)
A goal is that AuthEz client apps be developed and maintained by OS/device manufacturers. Google, Apple and Microsoft are better suited to execute this development/functionality (including the possibility of OS features specifically for AuthEz).
Social Acceptance / Adoption
The first step in the adoption process is to contact security industry resources, introducing AuthEz, looking for endorsements and guidance.
Before this can happen my employer needs to officially sign-off. I'm through the majority of the steps required. The remainder should be mainly clerical. That said, I don't see why AuthEz won't continue either under my direction or that of a successful financial services organization.
Administration
Funding requirements are small considering the impact, but they will exist.
We need to define a strategy.
Grants (state and federal), sponsors, donations and minimal annual provider dues are all in play.
Our initial focus will be grants and sponsors.
Funding will be required for:
Legal, audit, accounting and certification expenses
SMS services for providers with annual sales < $5,000,000
Provider site testing/verifications
Site/infrastructure operations
Resourcing Needs (volunteer):
Graphic Artist
Writer/Editor
Lawyer(s)
iOS Developer(s)