The world came this close to nuclear annihilation in 1983 – and may well have been saved by Stanislav Petrov, the duty officer at the command center for the Soviet Union's Oko nuclear early-warning system.
Petrov decided not to pass on information of what appeared to be an American nuclear attack that appeared in his early warning system, because it just didn't feel right. There were five missiles supposedly on the way, and the early-warning system was new enough that Petrov didn't trust it he told the BBC in a recent interview.
Relying on a single measure of security – whether it's to launch nuclear missiles or to protect IT infrastructure – is dangerous, which is why the military long ago instituted the ‘two person rule’, to prevent accidental or malicious launch of nuclear weapons. To launch a nuclear missile under a two person scheme, two operators must agree that an order is valid by comparing an authorization code within the order against that in a sealed envelope, kept in a safe that is opened by both. If the code does match, both operators need to insert their keys into a control panel that launches the missiles themselves.
What works for nuclear war prevention and proper business conduct works for cybersecurity, as well. The vast majority of protection systems rely on just passwords. If a hacker manages to get hold of one via a phishing exploit, for example, the rest is history, as recent political events made quite clear.
Better is two-factor authentication, in which a user has to submit a password, as well as respond to a second challenge – like entering a code sent by text message – to conduct sensitive business, such as accessing an online bank account.
Here, security is not guaranteed - there are numerous scenarios and circumstances in which security breaches could compromise such messages. Even users doing everything right in actually using two factors, are being breached. What’s a security minded organization to do?
How about three-factor authentication? On paper, that sounds better, but in reality, users find that level of security onerous; banks that want users to do their banking online are likely to balk at anything beyond two-factor authentication, in order not to overburden customers. In fact, user experience concerns are limiting even the use of two factors to begin with.
Thus, the two-person (factor) rule at military facilities. Yet couldn't a rogue agent get hold of both keys and conduct the launch alone? To prevent that, nuclear facilities go beyond two-factor (or person, in this case) security – and utilize ‘secret sharing’.
Besides requiring two physical keys, facilities require two sets of information to launch missiles – information held by two separate people. Each has only part of the information needed to launch the missiles, so no attack can take place unless the information is converged, and it checks out. Neither knows what portion of the information the other party has, and if it doesn't match the information in the sealed envelope, the missiles can't be launched.
Even if a rogue agent could get the two keys, they would be missing the necessary secret information – and thus could not launch the missiles. Because the full set of information is not known to both parties, rogue agents can ‘hack’ the two-person system all they want, but they still won't be able to take control of the launch system.
A secret sharing scheme for mobile device users would work in a similar manner. Information in the device would be matched with information sent by a remote site. As a user successfully logs in with or without their password – and even passes a second authentication challenge, the device is communicating with the remote site invisibly, using a number of channels to verify identity.
The authentication methods could be automatically and transparently generated from a number of random factors. If all the pieces match, we can be quite certain that the person trying to log onto to the account or perform a transaction is who they claim they are. It's unlikely, and likely impossible, for a hacker to be able to duplicate the full array of information that is being used for authentication.
As experience has taught us, any fixed method of authentication – passwords, text messages, biometrics, etc. - is likely to eventually be compromised, as hackers continually work to figure out ways around authentication schemes.
A secret sharing-based security system that checks for random data in this manner would ensure security, even if a hacker could figure out how to spoof some of these transparent authentication methods, the system could just employ other authentication channels.