Are we all sick of password security lessons yet? After all the discussion of recent security breaches and Mat Honan’s iCloud account hack, it seems like even mainstream media is all over the password security quandary. And a lot of the coverage seems pretty bleak. But it’s not really as bad as all that, and there are actually some really interesting developments in this space that could drastically change authentication as we know it.
No security system, whether it’s related to passwords or malware or data leakage or whatever other hot new piece of technology du jour is, will protect you 100%. More and more, humans are the weak link in the chain. You could build a totally indestructible robot army to protect you, but if you hand over the remote control, that army can be turned right around to destroy you. And people are handing over that remote control way too often.
So, what do we do in light of this imperfect situation? We use layers of security to try to eliminate the number of holes that it’s possible for intruders to squeeze through; each successive layer should help cover up places where other layers are weak. We can also try to make our security just a little bit better than that next guy, because criminals will always go for the biggest return on their effort. We want to make ourselves an unattractive target, comparatively speaking.
Honan’s hack was a vivid example of how security holes line up, allowing attackers to crash a Mack Truck into his digital life. A couple of the four lessons we covered would have easily broken this alignment. The first was enabling two-factor authentication on his Google account, which was the first key element in the chain. The second was how much work Honan did for the attackers by linking so many of his accounts – they didn’t have to line up any more holes, because Honan had done it for them already.
Let’s back up a bit first. There are commonly considered to be three types of things you can use to verify that you are who you say you are. By far the most common of these revolves around “what you know” – usually something like a username and password that you have chosen to remember. The other two types are “what you have,” such as a piece of hardware like a phone or a key fob, and “what you are,” such as a fingerprint scan.
One-factor authentication uses only one of these things to authenticate your identity. That doesn’t mean there is only one thing you’re entering to prove your identity. A good example of this is Secret Questions. You can have 10 questions about where you grew up or what your favorite car is or what your mom eats for breakfast, but if you are the one supplying the answer, it’s all just single-factor authentication.
Multi-factor authentication involves two or more of the different types of authentication. Two-factor authentication is already used by a large number of financial institutions outside the US, particularly in Europe. Google and Facebook have both enabled two-factor authentication too. It won’t be long until this is considered very commonplace on any sort of online service that stores your really important data.
The most common type of online two-factor authentication involves sending you a temporary key (to your phone, a dongle, an email address, etc.) that you input along with your username and password. In the real world, having to insert an ATM card and enter a PIN is another type of two-factor authentication. This is still not bulletproof, and it definitely increases the chance that you will be locked out of your account if you lose access to the thing that lets you receive the temporary key. Some people are already saying that two-factor authentication has passed its prime, as we’re already seeing it being breached. So more and more organizations are now looking into three-factor authentication.
The third type of authentication is still fairly uncommon in the online world. You will occasionally see a thumbprint scanner on a laptop, but I don’t believe I’ve seen this used by anyone in everyday life. I had a friend who worked for a major hardware manufacturer that issued computers that had keyboards with thumbprint scanners to all its employees, and then they disabled the scanner on all of them. While one might think such a scanner would be fairly simple, apparently the technology ended up being sort of problematic. The value in terms of increasing their security wasn’t equal to the cost of the support calls it generated for them.
If we’re already seeing breaches in the most common two-factor authentication methods and that third factor doesn’t seem to be ready for prime time, what are we supposed to do? There are a lot of people looking into that very question, and they’re coming up with some very interesting and creative answers.
One of those answers is to come up with some other data that we could use to help identify ourselves. Besides what we know, what we have and what we are, we can also provide information about where we are. This could be a WiFi base station, a GPS location, or an IP address, for instance.
This is not terribly specific information in most cases, as very few people use static IP addresses or stand in one spot while they’re using their mobile phones. But there are instances where this could be useful when you create a sort of profile out of users’ behaviors.
Credit card companies do something like this when they look for patterns that indicate fraud: Have you ever had a credit card company call you to verify if it was actually you who made a purchase at Tiffany’s in Arizona to send to Maryland, when you live in rural Iowa? It fails to meet the criteria for where and who you are if you’ve never made purchases in either state or at Tiffany’s. This example relies on a new view of what is considered “who you are.” What makes us unique is not just visible in the physical sense, but also in the behavioral sense.
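As an added illustration of the behavioral-profile idea above, combined with the temporary-key second factor described earlier in the post (example code written for this edit, not from the original post): a user’s past logins are summarized into a profile, a new attempt is scored by how far it departs from that profile, and only risky attempts are stepped up to a short-lived, single-use code. The login history, region labels, scoring weights and the 300-second code lifetime are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed login history for one user: (region, device_id, hour_of_day).
HISTORY = [
    ("IA", "laptop-1", 9), ("IA", "laptop-1", 13), ("IA", "phone-1", 21),
    ("IA", "laptop-1", 10), ("IA", "phone-1", 22), ("IA", "laptop-1", 8),
]

def build_profile(history):
    """Summarise the 'where you are' and 'what you have' signals seen so far."""
    return {
        "regions": Counter(h[0] for h in history),
        "devices": Counter(h[1] for h in history),
        "hours": Counter(h[2] for h in history),
    }

def risk_score(profile, region, device, hour):
    """Score an attempt by how many signals this user has never shown.
    A new region weighs most (the card-fraud case); the hour check is fuzzy."""
    score = 0
    if region not in profile["regions"]:
        score += 2
    if device not in profile["devices"]:
        score += 1
    if not any(abs(hour - h) <= 2 for h in profile["hours"]):
        score += 1
    return score

def needs_second_factor(profile, region, device, hour, threshold=2):
    """Step up to a temporary code only when the attempt looks unusual."""
    return risk_score(profile, region, device, hour) >= threshold

def issue_code(store, user, now, ttl=300):
    """Create a six-digit temporary code; keep only its hash and expiry.
    The code itself is delivered out of band (phone, dongle, e-mail)."""
    code = f"{secrets.randbelow(10**6):06d}"
    store[user] = (hashlib.sha256(code.encode()).digest(), now + ttl)
    return code

def verify_code(store, user, code, now):
    """Single-use, time-limited check with a constant-time comparison.
    A wrong guess also consumes the code, so it cannot be brute-forced."""
    entry = store.pop(user, None)
    if entry is None or now > entry[1]:
        return False
    return hmac.compare_digest(entry[0], hashlib.sha256(code.encode()).digest())
```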
There has been a lot of research into privacy implications of retaining or mining people’s surfing and searching habits. One such study recently reiterated that our online behaviors are a pretty conclusive way to identify someone. Obviously this would have to be done very cautiously to get a balance of preserving privacy while maintaining accuracy. This may not be what’s traditionally considered “personally identifiable information” – it may not allow a hacker to take over your bank account or a stalker to find where you live, but it can be used to incriminate you in other ways.
All in all, what we’re seeing in all these mainstream articles about the bleakness of password security is not news to those of us in the security industry. Computer security at this point is unbelievably complicated and it’s very hard to boil that down into simple recommendations for average users. But there are some really cool things that are coming down the pipe that could make things much easier and perhaps even more convenient. Until then, we should all be vigilant about what security steps we can take.