Passwords are Broken: There’s a Better Way to Authenticate Users
Every week, we’re reading stories about compromised corporations and websites. For many of us, the worst break-ins are stolen passwords. A change is needed!
Every week it seems, we’re reading stories of companies and websites being compromised and consumer data being stolen. For many of us, the worst break-ins are when passwords are stolen. The LastPass Hack is one of the more recent attacks. In many ways, it’s a form of digital terrorism that is only growing. Two-factor authentication and biometrics are nice patches to the problem, but they ignore the fundamental issues related to login management. We have the tools to solve the problem, but they haven’t been applied properly.
Why We Take Off Our Shoes in the United States but not in Israel
Anyone who’s flown in the United States knows about TSA security. We take off our coats, avoid liquids, and take off our shoes before going through security. We have a no-fly list based on names. These are reactions to specific threats. That’s not the way a country like Israel does security. I haven’t flown El-Al (Israel’s national airline), but friends tell me about the interviews they go through in security. Security officers code threats based on personal characteristics and behaviors.
We’re taking the TSA approach to online accounts, and that’s why we have all the security problems. Two-factor authentication is a start. Yet when we add a second factor to our accounts, we’re lulled into a false sense of security. That second factor protects against someone stealing my password, a specific threat. Could my second factor be compromised? Sure. My phone could be stolen, or malware could compromise my second factor.
The Human Factor: Social Engineering
Even with two-factor approaches, humans still have the ability to override security settings. A few years back, an industrious hacker convinced Apple to reset a writer’s Apple ID. GoDaddy was tricked into turning over a domain name that enabled a Twitter account takeover. My identity was accidentally merged with another Dave Greenbaum due to a human mistake at MetLife. This mistake almost resulted in me canceling the home and auto insurance of the other Dave Greenbaum.
Even if a human doesn’t override a two-factor setting, that second token is just another hurdle for the attacker. It’s a game for a hacker. If I know that your Dropbox login requires an authorization code, then all I need to do is get that code from you. If I can’t get your text messages redirected to me (SIM-hack anyone?), I just need to convince you to release that code to me. This isn’t rocket science. Could I convince you to give that code back? Possibly. We trust our phones more than our computers. That’s why people fall for things like a fake iCloud login message.
Here’s another true story, one that happened to me twice. My credit card company noticed suspicious activity and called me. Great! That’s a behavioral-based approach I’ll talk about later. However, they asked me to give my full credit card number over the phone on a call I didn’t make. They were shocked I refused to give them the number. A manager told me they rarely get complaints from customers. Most callers just hand over the credit card number. Ouch. That could have been any nefarious person on the other end trying to get my personal data.
Passwords Don’t Protect Us
We have too many passwords in our life in too many places. Medium has already gotten rid of passwords. Most of us know we should have a unique password for every site. That approach is way too much to ask of our puny earthling brains living a full and rich digital life. Password managers (analog or digital) help prevent casual hackers, but not sophisticated attacks. Heck, the hackers don’t even need passwords to access our individual accounts. They just break into the databases that store the information (Sony, Target, Federal Government).
Take a Lesson From the Credit Card Companies
Even though the algorithms might be a little off, credit companies have the right idea. They look at our buying patterns and location to know if it’s you using your card. If you buy gas in Kansas and then buy a suit in London, that’s a problem.
Why can’t we apply this to our online accounts? Some companies offer alerts from foreign IPs (kudos to LastPass for letting users set preferred countries for access). If my phone, computer, tablet, and wrist device are all in Kansas, I should be notified if my account is accessed elsewhere. At the very least, these companies should ask me a few additional questions before they assume I’m who I say I am. This gatekeeping is especially needed for Google, Apple, and Facebook accounts which authenticate to other accounts by OAuth. Google and Facebook give warnings for unusual activity, but they are usually just a warning, and warnings are not protection. My credit card company says no to the transaction until they verify who I am. They just don’t say, “Hey…thought you should know”. My online accounts shouldn’t warn, they should block for unusual activity. The newest twist to credit card security is facial recognition. Sure, someone can take the time to try to duplicate your face, but credit card companies seem to be working harder to protect us.
Our Smart Assistants (and Devices) Are A Better Defense
Siri, Alexa, Cortana, and Google know a ton of stuff about us. They intelligently predict where we’re going, where we’ve been, and what we like. These assistants comb our photos to organize our vacations, remember who our friends are, and even the music we like. It’s creepy on one level but very useful in our daily lives. If your Fitbit data can be used in a court of law, it can also be used to identify you.
When setting up an online account, companies ask dumb challenge questions like the name of your high school sweetheart or your third-grade teacher. Our memories aren’t as rock-solid as a computer. These questions can’t be relied on to verify our identity. I’ve been locked out of accounts before because my favorite restaurant in 2011 isn’t my favorite restaurant today, for example.
Google has taken the first step in this behavioral approach with Smart Lock for Tablets and Chromebooks. If you’re who you say you are, then you probably have your phone near you. Apple really dropped the ball with the iCloud hack, allowing thousands of attempts from the same IP address.
Instead of figuring out which song we want to listen to next, I want these devices to protect my identity in a few ways.
- You know where I am: With my mobile phone’s GPS, it knows my location. It should be able to tell my other devices, “Hey, it’s cool, let him in.” If I’m in Timbuktu roaming, you shouldn’t really trust my password and possibly even my second factor.
- You know what I do: You know when I normally log in and from which device. When that pattern breaks, it’s time to ask me a few more questions. “I’m sorry, Dave, I can’t do that” should be the answer when I don’t normally ask you to open the pod bay doors.
- You know how to verify me: “My voice is my passport, verify me.” No, anyone can copy that. Instead, ask me questions that are easy for me to answer and remember but hard to find on the Internet. My mother’s maiden name may be easy to find, but where I ate lunch last week with Mom isn’t (look at my calendar). Where I met my high school sweetheart is easy to guess, but which movie I saw last week isn’t easy to find (just check my email receipts).
- You know what I look like: Facebook can recognize me by the back of my head, and Mastercard can detect my face. These are better ways of verifying who I am.
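The list above describes a policy more than a feature: weigh the signals the service already has (device, location, time, where the user’s phone is) and answer with allow, ask more, or block, instead of sending a “thought you should know” warning. The following is an added illustration of such a risk-based login decision, not code from the article or from any of the companies it names. The baseline data, the attempts, the weights and the thresholds are all constructed for the example; a real service would tune them from its own login history. It also carries the credit-card analogy one step further with an “impossible travel” check (gas in Kansas, a suit in London two hours later).

```python
"""Risk-based login decision: score an attempt against the user's normal
behaviour and ALLOW, STEP_UP (ask additional questions) or BLOCK.
Added illustration with constructed data; not the article's own code."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class LastSeen:
    country: str
    when: datetime


@dataclass
class Baseline:
    """What the service already knows about the legitimate user (hypothetical)."""
    known_devices: frozenset        # device identifiers seen on earlier logins
    usual_countries: frozenset      # countries the user normally logs in from
    typical_hours: range            # local hours in which the user normally logs in
    last_seen: Optional[LastSeen]   # most recent successful login


@dataclass
class Attempt:
    device_id: str
    country: str
    when: datetime
    phone_country: Optional[str]    # where the user's registered phone currently reports itself
    password_ok: bool


# Illustrative weights and thresholds, not values from any real product.
IMPOSSIBLE_TRAVEL = timedelta(hours=6)
STEP_UP_THRESHOLD = 2   # ask for more (calendar question, second factor, ...)
BLOCK_THRESHOLD = 6     # refuse until the user is verified out of band


def risk_score(base: Baseline, att: Attempt) -> tuple[int, list[str]]:
    """Accumulate points for every way the attempt departs from the baseline."""
    score, reasons = 0, []
    if att.device_id not in base.known_devices:
        score += 2
        reasons.append("unknown device")
    if att.country not in base.usual_countries:
        score += 3
        reasons.append(f"login from {att.country}, usually {sorted(base.usual_countries)}")
    if att.phone_country is not None and att.phone_country != att.country:
        score += 3
        reasons.append(f"user's phone is in {att.phone_country}")
    if att.when.hour not in base.typical_hours:
        score += 1
        reasons.append(f"unusual hour {att.when.hour:02d}:00")
    if (base.last_seen is not None
            and base.last_seen.country != att.country
            and att.when - base.last_seen.when < IMPOSSIBLE_TRAVEL):
        score += 4
        reasons.append(f"was in {base.last_seen.country} {att.when - base.last_seen.when} ago")
    return score, reasons


def decide(base: Baseline, att: Attempt) -> str:
    """A correct password is necessary but never sufficient on its own."""
    if not att.password_ok:
        return "DENY"
    score, _ = risk_score(base, att)
    if score >= BLOCK_THRESHOLD:
        return "BLOCK"
    if score >= STEP_UP_THRESHOLD:
        return "STEP_UP"
    return "ALLOW"


# Constructed sample: a user whose devices all live in Kansas (country code US).
T0 = datetime(2015, 6, 15, 14, 0)
DAVE = Baseline(
    known_devices=frozenset({"laptop-01", "phone-01"}),
    usual_countries=frozenset({"US"}),
    typical_hours=range(7, 23),
    last_seen=LastSeen(country="US", when=T0),
)


def demo() -> dict[str, str]:
    """Run a handful of constructed attempts through the policy."""
    attempts = {
        "home_known_device": Attempt("laptop-01", "US", T0 + timedelta(hours=1), "US", True),
        "home_new_device": Attempt("tablet-99", "US", T0 + timedelta(hours=1), "US", True),
        "london_two_hours_later": Attempt("laptop-01", "GB", T0 + timedelta(hours=2), "US", True),
        "timbuktu_roaming_with_phone": Attempt("phone-01", "ML", T0 + timedelta(days=3), "ML", True),
        "wrong_password": Attempt("laptop-01", "US", T0 + timedelta(hours=1), "US", False),
    }
    return {name: decide(DAVE, att) for name, att in attempts.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:30s} {verdict}")
```

Note the two middle cases: a new tablet at home only earns a follow-up question, while a known laptop logging in from London two hours after a Kansas login is refused outright even though the password was right, because the phone is still in the US and the travel is impossible. Roaming in Timbuktu with the phone in hand is unusual but consistent, so it gets a step-up rather than a block.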
I know very few companies are implementing solutions like this, but that doesn’t mean I can’t lust for them. Before you complain: yes, these can be hacked. The problem for hackers is that they won’t know which set of secondary measures an online service is using. It might ask a question one day but take a selfie the next.
Apple is making a big push to protect my privacy, which I appreciate. However, once my Apple ID is logged in, it’s time Siri proactively protects me. Google Now and Cortana can do that as well. Maybe someone is already developing this, and Google is making some strides in this area, but we need this now! Until such time, we need to be a bit more vigilant in protecting our stuff. Look for some ideas on that next week.
Hopefully biometric sensors are not involved in the 2-factor solutions.
Whether iris, face, fingerprint, typing, gesture, heartbeat or brainwave, biometric authentication could be a candidate for displacing the password if/when (only if/when) it has stopped depending on a password to be registered in case of false rejection while keeping the near-zero false acceptance.
Threats that can be thwarted by biometric products operated together with fallback/backup passwords can be thwarted more securely by passwords alone. We could be certain that biometrics would help for better security only when it is operated together with another factor by AND/Conjunction (we need to go through both of the two), not when operated with another factor by OR/Disjunction (we need only to go through either one of the two) as in the cases of Touch ID and many other biometric products on the market that require a backup/fallback password, which only increase the convenience by bringing down the security.
In short, biometric solutions could be recommended to the people who want convenience but should not be recommended to those who need security. It may be interesting to have a quick look at a slide titled “PASSWORD-DEPENDENT PASSWORD-KILLER” shown at