BIM
Authentication

1. Authentication:
1. Authentication means Identity and Access Management (IAM) that may be called "sign-in".   "Sign-in" has replaced obsolete "log-in" facilities that are no longer fit-for-purpose.
2. Authentication is associated with a Personal Identifier (PIN) and Private Pass-Phrase.   "Pass-Phrase" has replaced obsolete "password" facilities that are no longer fit-for-purpose.
3. Authentication is about the management of:
  (1). A unique person's behaviour, with the prevention of abnormal behaviour.
  (2). A unique person's computing device hardware, such as a smart phone, tablet, laptop or desktop.
  (3). A unique person's computing device software, such as the installed browser and associated applications.
  (4). A unique person's computing device network, such as the Internet Service Provider.
  (5). A unique person's geo-location or timed distance to different data centres.
4. With more than 20 years' experience of managing such authentication factors for many thousands of people, it has proven practical to differentiate between a criminal attack and an approved person.   Approved people are given pro-active help and assistance, while criminals are silently blocked and blacklisted.
5. Each and every time that an approved person signs in they consent to the published terms of use, privacy notice and agreement.

2. Authentication Register:
1. When a person self registers, they not only register themselves, but also their computing device hardware, software, network and geo-location.
2. When a person self registers they are assigned a permanent:
  (1). Unique Personal Identifier (PIN) that may be used with the access pad.
  (2). Unique Private Pass-Phrase (PPP) that may be used with the sign in form.
  (3). Unique Private Formula (PFO) that may be used with the calculator.
3. Anybody in a specific geo-location or network may self-register and they will be granted the right to process their own data and will have no access to any other data.
4. When a person's manager identifies that an approved person has self-registered, then the person's manager may grant that approved person rights to view and/or process other data.   In compliance with General Data Protection Regulations, people always have the right to access and process their own data.   This includes the right to download a copy of their own data and to delete their own data - the right to be forgotten.
5. If a person self-registers more than once, then each registration is treated as different and not associated with any prior registration.   Where a prior registration was assigned extra data access rights, those rights shall not be assigned to any other self registration unless the person's manager purposefully makes such changes.   Efforts are being taken to minimise the possibility of a person self-registering more than once because it can cause confusion to daily operations.

3. PIN:
1. Approved people will normally sign in with their PIN using the access pad.
2. The access pad will only be shown to registered people with a known computing device (hardware, software and network) in an approved geo-location.
3. Where the computing device has not been registered, the access pad shall not be shown and a PIN cannot be used.
Internal:
1. The access pad is only shown to a known person with their name shown on the access pad page.
2. When the PIN is entered, it is checked against that person's security factors, including Time-of-Day, Day-of-Week and expected behaviour.
3. If any deviation from what is expected is detected, then the home page is shown.
4. When the behaviour is as expected, then the encrypted cookie is written with an assigned expiry date - this may be 32 days.
5. The person's signed-in session will continue until the cookie expires or the browser is closed.

4. Private Pass-Phrase:
1. Approved people may sign in with their name, email address and assigned private Pass-Phrase using the passport form.
2. A pass-phrase may be thought of as a secure password that will not have been reused by other applications and will not be guessable using automated dictionary-based tools.   Pass-phrases are automatically generated to applicable standards and cannot be known or seen by other people. Pass-Phrases cannot be stolen.
3. The sign in form will be shown to people in an approved geo-location with any computing device.
4. Where the computing device was not registered, it will be registered after signing in with the Pass-Phrase.   The PIN may then be used for any subsequent sign in.
5. A person's private pass-phrase is algorithmically computed so it does not need to be stored and cannot be stolen.   The pass-phrase is too important to be changed because such a procedure would create a vulnerability that would be hacked by criminals.
6. A person who permits this pass-phrase to be saved by their local browser will greatly reduce the level of security offered because every browser store can be unlocked by criminals.   Most browsers will copy such critical data to a remote server in another country such as the USA where it will be processed by many agencies.
7. A private pass-phrase must never be communicated by email because every email must be copied and processed by many agencies in all parts of the world - email is not suitable to communicate private, confidential or sensitive information.   A one-time pass-phrase may be communicated by email because its life cycle is less than 30 minutes.
8. Your private pass-phrase is computed upon demand so it does not need to be stored.   Where people are permitted to change their own password, that password must be stored, will not be unique and may be reused with other programs that have vulnerabilities.   Even where a password is encrypted, agencies with massive processing power are able to eventually crack the encryption key to discover the password.

5. Private Formula:
1. Approved people may sign in with their assigned Private Formula using the calculator.
2. The calculator form will be shown to people in an approved geo-location with any computing device.
3. Where the computing device was not registered, it will be registered after signing in with the Private Formula.   The PIN may then be used for any subsequent sign in.
4. A person's Private Formula is algorithmically computed so it does not need to be stored and cannot be stolen.
5. The formula has certain security characteristics that make it preferable where communications are monitored or where people may request their browser to save their password.   Each digit and symbol in a formula is a unique transaction that cannot be replicated, which makes network monitoring a waste of time.

6. One-Time Pass-Phrase (OTPP):
1. Approved people who can sign in by any means may add a request to view their own PIN, Private Pass-Phrase and Private Formula.
2. Approved people who cannot sign in may request a one-time pass-phrase from their manager or an approved person.   A person who suspects that their PIN, Private Pass-Phrase or Private Formula has been disclosed to any other person must request new sign in details with a one-time pass-phrase.
3. An approved person may request a one-time pass-phrase for another person with a known unique email address.   The one-time pass-phrase shall be sent directly to the person's email address and shall be notified to the Owner and Administrator.   The one-time pass-phrase shall expire in 30 minutes, so the person must be ready to use the one-time pass-phrase and be assigned a new PIN, Private Pass-Phrase and Private Formula.
4. Add a new task with a type of "Document" and a subtype of "Forgotten PW". Select the person's name from the formal drop down list. If the person's name does not exist in the list, then they cannot have a one-time pass-phrase.   This procedure will disclose the one-time pass-phrase to the manager, who can forward it to the applicable person for use within 30 minutes.
Internal:
1. When a person signs in with a one-time pass-phrase, rather than showing the person's normal welcome page, the personal information page is shown with the security appendix.   This shows the person's permanent private pass-phrase, PIN and formula that may be used for all subsequent sign-ins.   No other person has the right to access this personal security information, which is encrypted or algorithmically calculated upon request.

7. Personally Identifiable Information (PII):
1. Conformance with UK laws like GDPR and PECR demands that all Personally Identifiable Information (PII) is encrypted and replicated.
2. Encryption means that stolen data is meaningless and worthless to a criminal.
3. Replication means that data cannot be lost because it is physically stored in a very large number of secure places.
4. Every person who views any PII has that event logged as evidence.
5. Any person who changes any PII has that event logged as evidence.
6. Every approved person has the right to view and change their own data, to download a copy of their own data and to delete their own data - right to be forgotten.
A person who chooses to delete their own data is signed off and cannot sign in.

8. Session Duration:
1. When a person signs in they may stay signed in for many weeks or months as they choose, depending on factors selected by their manager.
2. A session ends when a person closes their browser.
3. If a computing device is stolen or lost, enter a lost device request and the device session is instantly disabled.

9a. How does it work:
1. BIM is a private Business-to-Business application service that is purposefully hidden from search engines and the public.   Only informed people will know the private browser address that must be used like a secret password.
2. When the home page is shown, the person's computing device and geo-location are silently checked against what has been registered.   The content of the home page is totally dependent on what is known about these factors.   For example: a computer that is not in the UK is not permitted to see any BIM information and is not shown any links to any other page.
3. When the home page is shown to an approved person in an approved geo-location, on a known computing device and at a reasonable time-of-day and day-of-week, then the access pad button is shown and the person's PIN may be used.
4. When the home page is shown in an approved geo-location and at a reasonable time-of-day and day-of-week, then the sign in button is shown and the person's Pass-Phrase may be used.
5. When the home page is shown in an approved geo-location, the calculator is shown and may be used with a person's Private Formula.
6. If any error is made with an authentication procedure, it is assumed to be a hacking attack and the only error message is that the home page is shown.   Criminals are not given any advice about what they did wrong or what they might try next.   In the event of three consecutive errors, the authentication process is silently blocked so that no matter what is entered, the only reply will be the home page.   It is understood that criminals can make 20,000 guesses per hour, but after 3 attempts, all guesses are ignored for the rest of the day.

9b. One-Time URL:
1. The Internet address used to display each web page has a one-time parameter that is never used again and can never be used again.
2. Every ISP, Anti-Virus software and many installed application programs steal a copy of each URL and send it to third parties to be processed and sold to others.
The use of the one-time URL has eliminated this vulnerability that exists in most application services.
3. A criminal monitoring tool will record every action taken by a person, but when exactly the same actions are replicated by the criminal, the transactions are rejected as having been used once.
4. The effect is to make the use of the PIN or Formula much more secure and more of a challenge to criminals.
5. The URL includes the name of the bespoke application service owner for command and control (c2) purposes.
It is not possible for this command and control name to be changed during a session - the browser must be closed and reopened before a different command and control can be used.
Even the case of the command and control name must be unchanged and as specified - like a password.
6. A unique cookie is managed for each command and control name and person.
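A single-use token register of the kind sections 6 and 9b describe, written here as an added example rather than BIM's own code: the one-time URL parameter and the 30-minute one-time pass-phrase are both unguessable tokens, bound to a person and their command and control name, and refused on any second presentation. The URL shape, the parameter name `once` and the `bim.example` host are assumptions.

```python
import hashlib
import secrets
import time


class OneTimeRegister:
    """Single-use tokens: a one-time URL parameter or a one-time pass-phrase.

    Only a SHA-256 digest of each token is kept, so a copy of the store does
    not yield usable tokens.  A token is removed on its first presentation,
    whatever the outcome, so a replayed URL or pass-phrase is always refused.
    """

    ONE_TIME_PASSPHRASE_TTL = 30 * 60   # section 6: expires in 30 minutes

    def __init__(self, clock=time.time):
        self._clock = clock             # injectable so expiry can be tested
        self._live = {}                 # digest -> (subject, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, subject, ttl_seconds):
        """Create an unguessable 256-bit token bound to `subject` (person + c2 name)."""
        token = secrets.token_urlsafe(32)
        self._live[self._digest(token)] = (subject, self._clock() + ttl_seconds)
        return token

    def one_time_url(self, c2_name, subject, ttl_seconds):
        # Hypothetical URL shape: the c2 (owner) name sits in the path and the
        # single-use parameter is called `once`; both are assumptions, not BIM's.
        return "https://bim.example/%s/page?once=%s" % (c2_name, self.issue(subject, ttl_seconds))

    def redeem(self, token, subject):
        """True exactly once per live, unexpired token for the right subject.

        Any failure returns a bare False: the caller shows the plain home page
        and says nothing about which check failed (section 9a.6).
        """
        entry = self._live.pop(self._digest(token), None)   # burn it regardless
        if entry is None:
            return False                                     # unknown or replayed
        owner, expires_at = entry
        return owner == subject and self._clock() <= expires_at
```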

9c. Multi-Factor:
1. Some public web services provide two-factor authentication where an access code is sent to a mobile phone and that access code must be entered into the application.
2. With a public web service this may be acceptable, but with a private application service it is not fit-for-purpose.
People can easily be tricked into disclosing their sign in details to a fake web site, and the access code is then used by the criminal to block the real person from their own account.
3. Professional authentication uses the integration of multiple factors that may include:
  (1). Restricted geo-location so people in the USA or Russia cannot see the home page.
  (2). Registered computing device hardware so people with unregistered devices cannot sign in as an approved person.
  (3). Registered computing device software so people with different installed software versions cannot sign in as an approved person.
  (4). Registered computing networks so people using an unknown network cannot sign in as an approved person.
  (5). Registered ISP so people using an unknown ISP may be treated as an attack.
  (6). Restricted time-of-day so people trying to sign in at 4am when they normally sign in after 7am may be treated as an attack.
  (7). Restricted time-of-day so people trying to sign in at 8pm when they normally finish work by 6pm may be treated as an attack.
  (8). Restricted day-of-week so people trying to sign in on a Sunday when they normally work Monday to Friday may be treated as an attack.
4. Not all factors apply to all people, but a behavioural profile is managed so it is practical to block unusual behaviour.
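As an added example, not BIM's own code, the gating that sections 3 (Internal), 9a and 9c describe, written as one decision over the registered factors plus the silent block after three consecutive errors. The profile fields, the 7am to 6pm working window and the Monday to Friday default are assumptions chosen to match the cases listed in 9c.3.

```python
from __future__ import annotations
import datetime as dt
from dataclasses import dataclass, field

@dataclass
class Profile:
    """Registered factors for one person (section 2) and their usual hours."""
    country: str                                    # approved geo-location, e.g. "GB"
    devices: set = field(default_factory=set)       # registered device identifiers
    networks: set = field(default_factory=set)      # registered ISP / network identifiers
    work_hours: tuple = (7, 18)                     # normally 7am to 6pm (9c.3)
    work_days: set = field(default_factory=lambda: {0, 1, 2, 3, 4})  # Mon-Fri
    failures: int = 0                               # consecutive authentication errors
    blocked_until: dt.datetime | None = None        # silent block set after 3 errors

@dataclass
class Context:
    """What is observed about the visitor when the home page is requested."""
    country: str
    device: str
    network: str
    when: dt.datetime

def affordances(p: Profile, ctx: Context) -> set:
    """Sign-in controls the home page may show (9a.2 to 9a.5); a mismatched
    factor silently leaves a control out and the visitor is told nothing."""
    if p.blocked_until is not None and ctx.when < p.blocked_until:
        return set()                                # 9a.6: everything ignored
    if ctx.country != p.country:
        return set()                                # 9c.3(1): wrong geo-location
    shown = {"calculator"}                          # 9a.5: Private Formula, any device
    usual_time = (p.work_hours[0] <= ctx.when.hour < p.work_hours[1]
                  and ctx.when.weekday() in p.work_days)
    if usual_time:                                  # 9c.3(6) to (8)
        shown.add("sign_in_form")                   # 9a.4: Pass-Phrase
        if ctx.device in p.devices and ctx.network in p.networks:
            shown.add("access_pad")                 # 9a.3: PIN on a known device
    return shown

def record_attempt(p: Profile, ctx: Context, succeeded: bool) -> None:
    """9a.6: three consecutive errors block the person until the end of the day."""
    if succeeded:
        p.failures = 0
        return
    p.failures += 1
    if p.failures >= 3:
        next_day = ctx.when.date() + dt.timedelta(days=1)
        p.blocked_until = dt.datetime.combine(next_day, dt.time.min)
```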

Document Control.
1. Document Title: Authentication.
2. Description: Authentication, policies and guidelines.
3. Keywords: Authentication, policies and guidelines.
4. Privacy: Shared with approved people for the benefit of humanity.
5. Edition: 1.1.
6. Issued: 2 Jan 2018.