The Case for the Secret Sharing Scheme

SDO Marketing Staff | August 16, 2017

After years of being hectored about the importance of having a strong password, it’s time to throw in the towel on trying to convince users to take password security seriously.

What’s the next step forward?

The next step is passwordless login built on "secret sharing", a cryptographic technique for protecting data, as the answer to the emerging challenges of authentication and identity protection.

The Password is Dead 

[Figure: secret sharing - password graph. Source: Statistica]

According to a Trustwave report on the subject, the most common password was "Password1". Attempts by companies to promote more secure password usage, such as requiring symbols, numbers and uppercase letters, have been largely ineffective.

The same Trustwave document reported that almost a third of online data breaches are still due to weak passwords. For Point of Sale (PoS) compromises, that figure was 50%.

Why are Passwords the Weak Option?

The fundamental weakness of passwords, and of most single-factor authentication methods, lies in the fact that they almost always rely on something the user "knows". Anything the user knows can be learned by an attacker as well, whether by phishing, guessing, or stealing it from a server that stored it.

Attempts to Bolster – SMS, Tokens, and Bio

For this reason most organizations have been moving to two-factor authentication, adding something the user "has", such as a digital token, or something the user "is", such as a thumbprint or other biometric. Verification codes sent via SMS have become the prevalent second step.

SMS verification has serious drawbacks. Text messages can be intercepted or spoofed, and the phone number they are tied to can be taken over, so they do not offer the strength inherent in other authenticators.

Considering that many online services – including Google and Facebook – rely on text as a second authentication method, that could be a problem.

Digital tokens present a logistical problem: workers must carry them on their person in order to access data, and most organizations are hesitant to issue and manage them.

Biometrics are often spoken of as the unforgeable solution to identity authentication. While biometrics are effective as a second factor, on their own they are not as secure as they may sound.

The truth?

Biometric characteristics "do not constitute secrets", states a recent report from the National Institute of Standards and Technology (NIST Special Publication 800-63B).

Biometrics can be “obtained online or by taking a picture of someone with a camera phone (e.g., facial images) with or without their knowledge, lifted from objects someone touches (e.g., latent fingerprints), or captured with high resolution images (e.g., iris patterns),” according to the agency.

The Protective Edge of Secret Sharing

The system that we use at Secret Double Octopus verifies a login with multiple shares sent over multiple independent routes. It is based on "secret sharing", a cryptographic scheme published independently in 1979 by Adi Shamir and George Blakley.

A secret sharing scheme takes a piece of data and uses randomness to compute a set of numbers (shares) that only together define the secret. In a threshold scheme, any k of the n shares issued reconstruct the secret, while any smaller group reveals nothing about it, so an attacker holding too few shares has nothing to piece together.

The bottom line:

Against fewer than the threshold number of shares, secret sharing is information-theoretically secure: the missing information is not merely hard to compute, it is absent, so no amount of computing power recovers the secret. The technique is so strong in its inherent security that it has been used to prevent accidental or malicious launches of nuclear weapons. Note that the guarantee is about the shares themselves; the endpoints that create and recombine them, and the routes that carry them, still have to be protected so that an attacker cannot compromise enough of them at once.

The Science Says it All

To get technical: the shares travel over different routes, such as VPN, the public internet, Wi-Fi, cellular, cloud services and others. No single share contains a piece of the secret; on its own each is a random-looking value that is useless unless combined with enough of the others.

This makes the skill of an individual attacker far less relevant: compromising one route yields one share, and any number of shares below the threshold carries no information about the secret. To succeed, an attacker has to compromise enough independent routes at the same time.
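The two properties described above, that enough shares reconstruct the secret and that fewer shares are consistent with every possible secret, are easiest to see in a textbook Shamir (k, n) threshold scheme. The following Python is an added example written for this page, not Secret Double Octopus product code; the field modulus, the sample 32-byte secret and the function names (split_secret, recover_secret, forge_missing_share) are assumptions of the example. It splits a secret five ways with a threshold of three, recovers it from any three shares, and then takes the attacker's view: holding two captured shares, it computes for several different candidate secrets the third share that would make each candidate correct, showing that two shares alone say nothing about which secret is the real one.

```python
"""Shamir threshold secret sharing over GF(p), added as a worked example.

Not Secret Double Octopus code: a textbook (k, n) Shamir scheme showing
(1) any k shares rebuild the secret and (2) k-1 shares are consistent with
every possible secret, so they carry no information about it.
"""
import secrets

# Field modulus: the Mersenne prime 2**521 - 1 (assumption made for this
# example; large enough to hold a secret of up to 64 bytes as one element).
PRIME = (1 << 521) - 1


def _interpolate(points, x0):
    """Lagrange-interpolate the unique polynomial of degree < len(points)
    through `points` and evaluate it at x0, all mod PRIME."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x0 - xj) % PRIME
                den = den * (xi - xj) % PRIME
        # pow(den, PRIME - 2, PRIME) is the modular inverse (Fermat), PRIME is prime
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def split_secret(secret, n, k):
    """Split `secret` (an int in the field) into n shares with threshold k.

    A random polynomial f of degree k-1 is chosen with f(0) = secret; share i
    is the point (i, f(i)). In a deployment each share goes over its own route.
    """
    if not 1 <= k <= n < PRIME:
        raise ValueError("need 1 <= k <= n")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a field element")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):          # Horner evaluation of f(x)
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def recover_secret(shares):
    """Recover f(0) from any k distinct shares. With fewer than k shares this
    still returns *a* value, but it is unrelated to the real secret."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    return _interpolate(shares, 0)


def forge_missing_share(partial_shares, candidate_secret, missing_x):
    """Attacker's view: given k-1 captured shares, compute the share at
    `missing_x` that would make the secret equal `candidate_secret`.

    Such a share exists for every candidate, which is exactly why k-1 shares
    reveal nothing: they are equally consistent with all possible secrets.
    """
    points = list(partial_shares) + [(0, candidate_secret)]
    return (missing_x, _interpolate(points, missing_x))


def bytes_to_field(data):
    """Encode a byte string (up to 64 bytes) as a field element."""
    value = int.from_bytes(data, "big")
    if value >= PRIME:
        raise ValueError("secret too large for the field")
    return value


if __name__ == "__main__":
    # Constructed sample secret, e.g. a session key to be split over 5 routes.
    secret = bytes_to_field(b"constructed 32-byte demo secret!")
    shares = split_secret(secret, n=5, k=3)

    # Any 3 of the 5 routes delivering their share is enough to recover it.
    assert recover_secret([shares[0], shares[2], shares[4]]) == secret

    # An attacker who tapped only 2 routes learns nothing: every candidate
    # secret can be "completed" by a plausible third share.
    captured = shares[:2]
    for candidate in (0, 1, secret, PRIME - 1):
        x, y = forge_missing_share(captured, candidate, missing_x=3)
        assert recover_secret(captured + [(x, y)]) == candidate
    print("3-of-5 recovery ok; 2 captured shares are consistent with any secret")
```

The forge_missing_share step is the whole argument in one function: because a degree-2 polynomial is fixed by any three points, two captured shares plus any guessed secret at x = 0 define a valid polynomial, so the attacker's two shares do not favour the real secret over any other. Real deployments add integrity checks (verifiable secret sharing or an authenticated channel per share) so that a tampered share is detected rather than silently producing a wrong reconstruction; that is out of scope here.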

Ahead of the Hackers

As long as we continue to rely on passwords and keys, attackers will find ways to get hold of them; they are there for the taking, and it is only a matter of how and when. It is time to move away from traditional means of authentication and toward a key-less environment, such as passwordless MFA, in order to get ahead of attackers for good.