Solving the authentication crisis

Every day there is a news article about some website that got hacked, or some photos that got leaked.  The biggest challenge we face is with our passwords.

Now let me get the controversial statement out of the way:

A password is a good way to secure any site.

But that’s not the problem.  Our problem is with our password management.  So to really make my statement valid, that passwords are great to secure a site, it does come with some rules, namely:

  • Use a strong password (upper case, lower case, numbers, special characters, no dictionary words, very long, no less than 14 characters, the longer the better)
  • Change the password every 30 days
  • Keep a unique password for every site
  • Never reuse a password
  • Never, EVER share it with ANYONE.

And we’ve lost the plot… To really keep it secure, how can you expect any mere mortal to remember all of this, let alone have the discipline to follow these basic rules?  So like most internet users today, you are probably using the same password on all your sites, just because you couldn’t be bothered to remember a separate password for each site, or you just don’t have the patience to use a password manager like LastPass or KeePass.  And let’s be honest, for most of our non-techie friends, using the same password forever is probably the most convenient way.  And our hacking friends love this, because you’re making it so easy for them to guess the password.  Essentially each website is maintaining its own list of usernames and (hopefully) salted hashed passwords, so if your password gets compromised on one site, the attacker will be able to use your credentials on any number of sites.

Now let’s start looking at some potential solutions.

Central Authentication

Some websites are starting to offer the ability to log on with your Facebook or Google account, and that is a step in the right direction.  This way, if your password gets compromised, you only have to change (and remember) one password.  All the other sites in question will utilize the central authentication mechanism, thus there is no need for the other sites to maintain authentication information.

There are a couple of issues as well.  The first is: do you trust the provider?  Is Google or Facebook really the guard you’d like to put in front of your banking website?  What about privacy?  Do you really want Facebook to know every site you’ve subscribed to, just so they can keep selling your data to someone else?  These are important questions that need to be addressed, and we need to be clear on what these companies are doing to really protect our data.

Hardware tokens

The RSA SecurID token has a dynamic password that changes every 30 seconds.  This is great to ensure an attacker cannot guess your password, because it keeps changing.  To use such a solution, your business needs to invest in the RSA hardware & software licenses, not to mention the ongoing management and support of the tokens themselves.  While some sites may offer SecurID to authenticate you with, it is not available for the consumer.

This solution will still require a username and password, in addition to the token.

The Yubikey is a USB dongle that provides a one time password whenever you press the button.  It is a lot cheaper than the SecurID, and the integration with a website can be done with relative ease.  You can purchase one of these from Yubico for about $40, but that is no guarantee that the site you want to visit actually supports the Yubikey. Like the SecurID, there is an investment that needs to be made.  As a consumer, you could probably afford the $40 to buy a little device, and there’s a higher chance that you’d actually be able to use it.

Depending on the site’s implementation, you may not require a username and password anymore, as the Yubikey can also provide identification.  The problem now is that if you lose the Yubikey, someone else can easily gain access to your system.

Software tokens

Like the SecurID, the Google Authenticator app is one example of a token generator that can be installed on a mobile phone.  When you log onto the site, you need to have your phone with you in addition to the password.

The advantage of this solution is that most people will already have a mobile phone capable of running the Google Authenticator app, so the deployment is relatively easy.

While this doesn’t solve the password issue, it does make it more difficult for an attacker to get into your account.
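How the server side of such a software token can work, as an added example that is not code from the original post: Google Authenticator implements the time-based one-time password algorithm of RFC 6238 (HMAC-SHA1, 30-second steps, 6 digits). The drift window, the replay check and the sample secret (the RFC's published test key) are choices made for this illustration.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(now) // step, digits)


def verify_totp(secret: bytes, submitted: str, now: float,
                last_used_counter: int = -1, window: int = 1, step: int = 30):
    """Return the matched time-step counter, or None.

    Accepts +/- `window` steps of clock drift, compares in constant time,
    and rejects any counter <= last_used_counter so a code that was
    observed in transit cannot be replayed while it is still valid.
    """
    current = int(now) // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter).encode(), submitted.encode()):
            return counter
    return None


# Constructed sample: the RFC 6238 test key, shown as the base32 string an
# authenticator app would receive at enrolment (normally via a QR code).
SAMPLE_B32 = base64.b32encode(b"12345678901234567890").decode()
SAMPLE_SECRET = base64.b32decode(SAMPLE_B32)

if __name__ == "__main__":
    print("enrolment secret:", SAMPLE_B32)
    print("code right now:  ", totp(SAMPLE_SECRET, time.time()))
```

The site stores the returned counter per user and passes it back as `last_used_counter` on the next login.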

Password Managers

Earlier on I alluded to password managers like LastPass or KeePass.  I like LastPass, because it stores all my passwords securely in the cloud, so I don’t have to remember to back up my database file anymore.  The good thing about these password managers is that they are capable of generating a unique password for every site, and typing it in for you automatically when you access the site.

This is great!  It solves most of our issues, by having nice long, strong passwords, and a different password for every site.  The downside is it has now shifted the problem from the website operators, back to you.  You are now responsible to manage these credentials, and if you lose them, you’ll be in trouble yet again.

At least LastPass offers the ability to secure the password vault with either a Yubikey, or Google Authenticator.

Passwordless authentication

Some sites are now starting to offer passwordless authentication.  This means that the site will ask you for your email address or mobile phone number, and then email or SMS you an access code to access the site.  This is going on the premise that the email and SMS channels are reasonably secure, thus removing the risk of someone eavesdropping on it, and obtaining the password.  The technical implementation is really easy for most websites, as most of them already offer some form of a “forgot password” option.
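The server side of the access-code flow described above, as an added example that is not code from the original post. The `AccessCodeStore` class, the 10-minute lifetime and the five-attempt limit are assumptions made for this illustration; delivery by email or SMS is left to the caller.

```python
import hashlib
import hmac
import secrets

CODE_TTL = 600        # seconds a code stays valid (assumed policy)
MAX_ATTEMPTS = 5      # wrong guesses allowed before the code is voided


class AccessCodeStore:
    """In-memory stand-in for the site's database table (hypothetical)."""

    def __init__(self):
        self._key = secrets.token_bytes(32)   # server-side key, never stored with the codes
        self._pending = {}                    # address -> [mac, expires_at, attempts]

    def _mac(self, code: str) -> bytes:
        # Keyed digest: a leaked table alone does not reveal live codes.
        return hmac.new(self._key, code.encode(), hashlib.sha256).digest()

    def issue(self, address: str, now: float) -> str:
        """Create a fresh 6-digit code; the caller emails or texts it."""
        code = f"{secrets.randbelow(10**6):06d}"          # CSPRNG-backed
        self._pending[address] = [self._mac(code), now + CODE_TTL, 0]  # voids older code
        return code

    def redeem(self, address: str, submitted: str, now: float) -> bool:
        """Accept a code once, before expiry, within the attempt budget."""
        entry = self._pending.get(address)
        if entry is None:
            return False
        mac, expires_at, attempts = entry
        if now > expires_at or attempts >= MAX_ATTEMPTS:
            del self._pending[address]
            return False
        if hmac.compare_digest(self._mac(submitted), mac):
            del self._pending[address]                    # single use
            return True
        entry[2] += 1                                     # count the failed guess
        return False
```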

Getting an SMS with the access code is ok, however if you do happen to lose your phone, you’ll need to get the SIM card disabled immediately, because your phone will now become the single weakest link.

Getting an email access code is also ok, however, when you receive a link, you could also be spoofed with a spam message, so be careful to only click the right links.  If email is now the main source of authentication, then do utilize a good password on your email client, and do enable two-factor authentication, like Google Authenticator.

Do note however, that if an attacker really wants to attack you, they may just focus on stealing your phone.

Where does that leave me?

As the person at the end of the issue, my advice would be to sign up for a service like LastPass, install the browser plugin, and configure it with a strong password.  Go to each of your websites, and start changing the password, one by one, and have them recorded in LastPass.  It may take a bit of getting used to, but this will greatly improve your security profile, and reduce your risk of attack.

For the web developer, you have a few options.

If you care about security, you should never, ever store passwords in your database in clear text.  It must be hashed.  Even better if you can hash it with a salt (go Google that if you don’t know what it means).  You should also look at using things like Google Authenticator.  There are a ton of resources on the web showing you how to integrate it, and if you really want to, implement the Yubikey solution.  This will make your site a lot more secure, and reduce the likelihood of you being the target (or the potential data leak!) of any future attack.
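What salted hashing looks like in practice, as an added example that is not code from the original post. It goes one step beyond "hash with a salt" by using a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256 from Python's standard library); the iteration count and the record format are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed work factor; tune to your hardware


def unsalted_sha256(password: str) -> str:
    """Weak baseline for comparison only: fast and unsalted."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$hash_hex."""
    salt = secrets.token_bytes(16)               # unique random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iterations))
    except ValueError:                           # malformed record
        return False
    return hmac.compare_digest(dk, expected)


def needs_rehash(record: str) -> bool:
    """True when the record was made with a lower work factor than today's."""
    return int(record.split("$")[1]) < ITERATIONS


if __name__ == "__main__":
    pw = "correct horse battery staple"          # constructed sample password
    alice, bob = hash_password(pw), hash_password(pw)
    print("unsalted, same for both:", unsalted_sha256(pw)[:16], "...")
    print("alice:", alice[:48], "...")
    print("bob:  ", bob[:48], "...")
    print("verify ok:", verify_password(pw, alice))
```

Two users with the same password get different records because each has its own salt, so one precomputed table cannot crack both; the unsalted digest is identical for everyone who chose that password.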

If you care about convenience or the user experience, you can look at using technologies like Passwordless, or centralized authentication.  It is trivial to implement in any solution, and will reduce the amount of effort your users will need to go through to remember all these credentials.
