Chris Murphy: The Modern State of Digital Authentication


We’ve been lucky to have had the opportunity to speak with some of the foremost experts in cybersecurity about the most pressing issues in the field. Today, we continue to do so with Chris Murphy.

Chris Murphy is the Founder and Chief Scientist at Cyber Safety Harbor, an access management and authentication technology developer based out of Florida with interests in the government, defense, and public spheres.

He has studied cybersecurity for more than 20 years. Cyber Safety Harbor’s major focus is the development of Physical Presence technology: a presence-factor authentication tool designed to create secure nodes of communication and then delete those nodes completely after the secure activity is completed.

We spoke with him about the current state of cybersecurity, authentication technologies, and identity management. Here’s our conversation, edited for length and readability:   

Solutions Review: How do you see the future of authentication in cybersecurity?

Chris Murphy: The future of cybersecurity is bleak if the cyber security [industry] is driven by convenience over security. Security is the process of placing barriers to limit access. Convenient access keeps removing those barriers, moving further in the wrong direction. Add to this the fact that no server will ever be 100% secure; a single breach compromises every key field for users. Once a bio-data key is lost, it is compromised forever. Fingers and faces can’t be changed once a single data breach happens. OPM lost 20 million sets of fingerprints. 20 million people will never have secure use of their fingers for authentication.

Since the inception of secure activity on the Internet, two or more factors have been recommended for security activity. Current two-factor authentication (2FA) solutions are deployed at one-half of the authentication process, but not one has applied 2FA throughout communication. Current solutions [tend to] use only one factor: data gathered in a multi-step process at the endpoint for authentication.

Target released 30 million credit card records. There was no way for them to mitigate the damage of this breach. However, if online banking requires a presence-factor to access secure services, they can use that same process to verify presence for “card not present” transactions: “If I’m not present, it’s not me.”

The process would have no effect on how merchants process online charges; but at the bank, in addition to [the] transferred data, the bank can check for presence prior to approving the online charges. Again, “If I’m not present, it’s not me.”

SR: What do you think of the future of InfoSec? How do you foresee the conflicts of the digital future?

CM: I was called the “Prophet of Doom” by friends for years. Now that the logical progression of the damage created by uncontrolled public access is on display, they no longer use that term. Currently the future of cyber security is, at best, frightening. The desire to make access control “friction-less” is simply ignoring the history of data only accessed at the point-of-authentication.

Data has been so thoroughly compromised by previous leaks that there can be no method built on data that can ever be trusted. Therefore, a non-data factor is necessary. Not as simple as it sounds to accomplish, but there can be no security until a second unique factor is present at the point-of-authentication.

Hardening the endpoint is half a solution, yet MFA, 2FA, biometric, geo-fencing, etc., are always gathered at the endpoint. The gathered data is transferred, and the secure service is basing access on data only.

The cybersecurity industry needs to stop thinking about security as a solution to a problem at the endpoint, server or during communication. Fixing problems in each area independently has accomplished nothing. There is always a new exploit in another area left vulnerable by public access.

SR: What problems in the field do you see that are the most grating to you?

CM: Conformity to outdated processes that have a history. In 2005, the first publicized major breach of the modern Internet was AOL. 12 years later there is an identity stolen every 1.5 seconds and a breach every 9 minutes—and still website portals are providing uncontrolled access to the entire world. Data from an unknown entity is used to grant or deny access.

SR: How do you foresee international conflict taking place in the digital world? Is cybersecurity now a part of modern military tactics?

CM: I want to avoid this [topic] as much as possible because cyber and politics are one and the same because of the 2016 election.

Government, intelligence, or business—it does not matter because they all have the exact same problem: data-only at the point-of-authentication. As long as one organization has secret information that another organization wants to access, there will be attacks.

We need to stop looking at attacks based on reason. An attack is an attack. They only differ in degree of sophistication and the amount of data lost. Computer science is all based on a series of binary decisions in a decision tree. Each choice moves further down the tree. A website portal is the highest mistake. This decision led to browser-based access. Browser-based access leads to endpoint and server hardening, yet these two unique aspects of the security process operate independently. To allow for the secure transfer of data, they encrypted and hardened communication. This model forces every attempt to provide 2 or more factors to be converted to data for transfer.

The military truly understands physical security. If you ever have the opportunity to visit the NSA, physical security is on display. No one drives on the post without going through a checkpoint limiting base action to known entities. You go to a secure parking lot. Then you enter the visitor center where your identity is checked again, you are put on a bus and taken to yet another checkpoint … which is repeated in some cases before you are granted access.

Pre-authentication is performed before access is granted, keeping the public out. Secondary credentials are checked at the next checkpoint and then access is granted. Rechecking the credentials throughout the process assures that the same body is present.

Tokens are an integral part of real world security. The military distributes assorted identification cards to access buildings. “The more cards around your neck the more access you have.”

Yet for Internet security, no one wants to be inconvenienced by tokens. History has proven that convenient access is no more valid on the Internet than it is in the real world.

Cyber warfare is not like physical warfare. Cyber warfare has no innocents; only collateral damage. Nations don’t just attack each other. They attack business processes, financial assets, trade secrets, etc. The current cyber war is being conducted using state-of-the-art technology to attack a security model that hasn’t evolved since the introduction of security on the Internet.

Thanks again to Chris Murphy for taking the time to speak with me!

The opinions expressed in this interview are strictly those of Chris Murphy and are not necessarily endorsed by Solutions Review or its affiliates.


Ben Canner