30 June 2022

What is certificate-based authentication and why should you be interested in it?

Authentication is the process of identifying a user who requests access to a system. We go through it every day when we log into the bank or read our e-mails, each time using some authentication method. It has become a daily routine. We rarely stop to consider the security of this process; instead, we trust the system and hope that it will handle everything we need.

The need for secure authentication methods became more pressing during the pandemic, when many workers were forced to work from home. That period put the overall security of the data accessed by workers to the test. The issue becomes critical when a user relies on less secure authentication methods or doesn’t follow the typical modern mantra (but as repetition is the mother of all learning, let’s repeat it again): don’t use the same password for more than one system, and change your password at least once every three months.

What are the most common authentication methods?

Attack methods are becoming ever smarter. Therefore, systems and portals are establishing stricter authentication rules in order to protect themselves and their users. An overview of the three most common methods is given below.

1. Password-based authentication

The most popular login method has been a username (usually an e-mail address) and a password, and it will likely remain the most popular one in the near future. Many systems are establishing more complex password rules, making us create longer passwords that must also contain various symbols. However, such passwords are difficult to remember. Probably all of us have used the extremely helpful “Forgot password?” link at least once.

Passwords are also vulnerable to phishing (a method of obtaining usernames and passwords by fraud). According to statistics, an average user has 25 accounts, and only 54 percent of them have different passwords. A convenient option is to use one of the many password managers available on the web; however, it should be kept in mind that password managers are themselves a high-value target for attackers. Haphazardly storing passwords in the cloud should not be trusted too much, either.

2. Multi-factor authentication

Multi-factor authentication uses several methods or devices to identify a person. For example, after logging in with a password, the user must enter an additional code received by text message or generated by a one-time code app on the phone. This in turn lengthens the login process, as several codes need to be entered. This kind of authentication is used quite frequently on the web; for example, Google, Facebook and Binance all offer it. Estonian banks use PIN calculators (code cards) as an additional security measure.

3. Certificate-based authentication

A user identifies themselves by presenting a digital certificate, which is issued only after their identity has been verified against a passport, ID card or driving licence. This authentication method is still the most frequently used one in critical systems, for example in state services, banks and the wider financial sector, where the security requirements are very high.

At the same time, this authentication method is simple for the user, because they only need to remember two PINs: one for authentication and one for signing.

A digital certificate binds the holder’s digital identity to their public keys. It can be used for logging into a system, but also for signing documents, and such a signature is legally equivalent to a handwritten one. These certificates are issued only by certification authorities.

Systems of this kind can be divided into three groups:

ID card. This was the first authentication method made available in Estonia. The private key is held in the chip of the ID card, and a card reader is needed to use it. It is not very convenient for logging into systems in everyday use.

Mobile ID. With this solution, the private key is held on the phone’s SIM card. Whereas the ID card requires a separate reader, a mobile phone is all you need here. The downsides are the inconvenient onboarding (a separate agreement must be signed with a mobile service provider) and a monthly fee for the service.

Certificate in a mobile application. This type of authentication is replacing the previous two methods thanks to its simplicity, convenience, security and scalability, and will rightly become the standard of the segment. The private key is stored in the phone’s secure chip, independently of the mobile service provider. There are currently two solutions of this kind in Estonia: Smart-ID and the new LeverID solution. We wrote about LeverID in detail in our blog last month.

Both companies use HSMs (Hardware Security Modules) in their solutions, but they rely on different public-key algorithms: Smart-ID uses RSA, while LeverID uses EdDSA, which is faster in operation and has shorter keys. We have also previously written in our blog about the different algorithms and explained why one or the other should be preferred.
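The mechanism behind the description above (the certificate carries the public key, the private key never leaves the device, and a login is a signature over a server-issued challenge) is shown here as an added example with EdDSA (Ed25519); this is illustrative code written for this article, not Smart-ID or LeverID code, and the Credential type, the in-memory challenge store and the test identity are all constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Credential stands in for the certificate: an identity bound to a public key.
// A real certificate also carries the certification authority's signature.
type Credential struct {
	Subject string
	PubKey  ed25519.PublicKey
}
// Server keeps the challenges it has issued and not yet consumed.
type Server struct{ issued map[string]bool }
func NewServer() *Server { return &Server{issued: map[string]bool{}} }
// Challenge hands the client 32 fresh random bytes to sign.
func (s *Server) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.issued[string(c)] = true
	return c, nil
}

// Verify checks the signature with the credential's key and burns the
// challenge, so a captured response cannot be replayed for a second login.
func (s *Server) Verify(cred Credential, challenge, sig []byte) error {
	if !s.issued[string(challenge)] {
		return errors.New("unknown or already used challenge")
	}
	delete(s.issued, string(challenge))
	if !ed25519.Verify(cred.PubKey, challenge, sig) {
		return errors.New("signature does not verify for " + cred.Subject)
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // private key stays on the device
	cred := Credential{Subject: "constructed test user", PubKey: pub}
	srv := NewServer()
	ch, _ := srv.Challenge()
	sig := ed25519.Sign(priv, ch) // only the signature travels to the server
	fmt.Println("first login:", srv.Verify(cred, ch, sig))
	fmt.Println("replayed login:", srv.Verify(cred, ch, sig))
}
```

The second Verify call fails because the challenge was consumed by the first, which is what makes a recorded login response useless to an eavesdropper.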

LeverID also uses a two-key technology, DualKey (patent pending), for more reliable use of the keys.

Furthermore, LeverID is globally scalable – it can be used in nearly all countries in the world that issue passports.

When is the right time for transformation to certificate-based authentication?

We predict that certificate-based authentication, above all in its mobile-application or cloud-service form, will become dominant on the market in the next few years as one of the most secure methods of identifying the user. As use of the web grows rapidly, the risk of losing data and assets increases for individuals and organisations alike; therefore, users must weigh their own security when choosing which environments to use. For companies, it is high time to consider moving from password-based authentication to more secure technologies.

In the last few years, the European Union has established stricter rules for data protection, such as the GDPR, as well as eIDAS, which regulates the identity and transaction market. With eIDAS 2.0, the European Union has declared the ambition that more than 80% of its citizens will use digital wallets (mobile applications or cloud services that receive and store the user’s credentials). Therefore, the revolution of certificate-based authentication will take place over the next 3-5 years.
