No more messing around with passwords

IMDEA NETWORKS/DICYT Most mobile devices are linked to hundreds of accounts and applications, which imply all kinds of security settings, identities and passwords. The ReCRED project, funded by the European Union, has developed advanced software solutions to address the problem of password overload, enabling us to securely access our accounts without having to remember multiple passwords.

ReCRED leaves the era of passwords behind by developing an advanced, secure and flexible access system. "The adoption of authentication architecture based on the device is key to the elimination of passwords as the main method of authentication on the web," says project coordinator, Christos Xenakis of the University of Piraeus (Greece).

This method improves end-user security on the internet by using the cell phone as an authorization intermediary or proxy. "Authentication and authorization are simplified by the combined use of a short pin, biometric information (for example, voice, fingerprints or signature) and anonymous credentials (for example, a pseudonym)," says Rubén Cuevas, researcher at the University Carlos III of Madrid (UC3M), one of the entities that have contributed to the project.

User identity and account administration

Most Internet users are registered with many online services, such as email providers, social networks, electronic banking or corporate applications. This complicates the task of identifying a shared services domain associated to a single user.

ReCRED provides secure access to these services as well as making it possible to manage accounts from a single device, regardless of the authentication method used on each service. The online identity acquisition module that has been developed horizontally links the identities of the user that are fragmented across the web. The service allows the user to grant explicit authorization to ReCRED to access the information of each online account he owns.

Researchers have also created a physical identity acquisition module for those services that require a higher level of attribute guarantee. This service verifies all identity attributes included in the user's physical identity, such as their passport number or identity document, bank account number or photo.

With all these services ReCRED improves the guarantee of identity and reinforces the link between physical and virtual identities. "End users can now confirm that they own different accounts from different identity providers, link them together and consolidate their identity attributes," says Christos Xenakis.

Security based on data, not passwords

A common assumption that exemplifies everything connected to the management of the identity of users in the network is related to the diversity of services that require end users to log in for access.

Given this general assumption, ReCRED is committed to data-based security. Researchers have achieved that unique user characteristics such as age, nationality or occupation can be used to access data, resources or services. "We prioritize an authentication that requires using only essential data that act as anonymous credentials. It is not necessary to verify the e-mail address, for example, since it would reveal the identity of the user”, explains Antonio Fernández Anta, researcher at IMDEA Networks Institute and UC3M collaborator in ReCRED.

Doubling security by strengthening the mobile device

The device that becomes the main authentication gateway has its own security challenges. This can become a single point of failure in case of loss or damage, or be vulnerable to being hacked after user authentication.

ReCRED (From Real-world Identities to Privacy-preserving and Attribute-based CREDentials for Device-centric Access Control, H2020 Grant Agreement 653417) has avoided these problems by creating additional security measures with blocking and recovery capabilities. In particular, researchers have taken advantage of an entity called Identity Consolidator (IDC) as well as the user’s behavioral and physiological signatures and security protocols based on SIM cards to verify the identity of the user. The IDC allows for the consolidation and management of identities, whilst enabling efficient recovery in the event of failures. "In the event that a user loses their device, they can regain access to services by providing two-factor authentication, such as personal attributes scanned from physical characteristics or biometric behavioral data”, Xenakis says.

Eliminating the need to use different passwords will make internet-based services safer and easier to use. In addition to the end users, other beneficiaries of this new open platform will be telecommunications operators, web hosting companies and manufacturers of mobile devices.