The last few months have seen a plethora of consumer-focused websites and services add two-factor authentication in order to improve security. These additional authentication steps generally involve a secondary one-time password sent to the authenticating user, either to a previously registered email address or to a mobile phone number. This moves the authentication process from relying solely on something the user knows (username and password) to also requiring something the user has: access to that email account or mobile phone. Whilst these additional steps certainly go some way to improve security and reduce the weight carried by the account password, they also highlight an interesting issue: password-based authentication is still the weak link.
Two-factor authentication solutions have been around for a number of years, either in the form of hard tokens (RSA SecurID, for example) or physical proximity cards used together with a PIN to access a controlled site. Most, however, have been used in high-security enterprise or internal scenarios, such as access to data centres or dialling into a secure network from an insecure location. The interesting aspect today is that SMS-based 'soft' approaches to two-factor authentication are being made available to consumers accessing standard web applications and sites. The services those sites offer, whilst holding identity data or personal information, are not particularly life-threatening or business-critical. It is interesting to see websites taking a risk with user convenience in order to implement greater security. As a security professional, even just from an awareness perspective, this is a positive move. Many end users, most of whom are non-technical, now willingly accept these additional steps in order to reduce the risk of their account being compromised.
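As an added illustration of the server side of the SMS/email one-time-code step described above (example code written for this page, not taken from the post or from any of the services it mentions): the code is random rather than derived from the password, expires after a few minutes, is single use, is compared in constant time, and guesses are capped so the six-digit space cannot be exhausted inside the validity window. Delivery of the code to the phone or mailbox is left to a gateway and is out of scope here; the user identifiers, timings and the manual clock are constructed for the demonstration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300   # five-minute validity window (assumed value)
MAX_ATTEMPTS = 5        # guesses allowed per issued code (assumed value)


@dataclass
class PendingOtp:
    code: str
    expires_at: float
    attempts: int = 0


class OtpService:
    """Server side of an SMS/email one-time-code step.

    The code is random (not derived from the password or the time), expires,
    is single use, is compared in constant time, and the number of guesses is
    capped: 10**6 possibilities cannot be exhausted with five tries in five minutes.
    """

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock          # injectable so expiry can be tested without sleeping
        self._pending: Dict[str, PendingOtp] = {}

    def issue(self, user_id: str) -> str:
        """Generate and record a fresh code; any earlier code for this user is replaced.
        The return value goes to the SMS/email gateway and must never be logged."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[user_id] = PendingOtp(code, self._clock() + OTP_TTL_SECONDS)
        return code

    def verify(self, user_id: str, submitted: str) -> bool:
        entry = self._pending.get(user_id)
        if entry is None:
            return False                      # nothing issued, or already consumed
        if self._clock() > entry.expires_at:
            del self._pending[user_id]        # expired: force a fresh issue
            return False
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self._pending[user_id]        # too many guesses: invalidate the code
            return False
        if hmac.compare_digest(entry.code, submitted):
            del self._pending[user_id]        # single use: a replayed code fails
            return True
        return False


class ManualClock:
    """Constructed clock for the demo and tests; advance .now to simulate time passing."""
    def __init__(self, start: float = 1_700_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now


def a_wrong_guess(code: str) -> str:
    """Any six-digit string that is not the issued code."""
    return "000000" if code != "000000" else "000001"


def demo() -> dict:
    """Walk through the failure modes the service has to handle (constructed users)."""
    clock = ManualClock()
    svc = OtpService(clock=clock)

    code = svc.issue("alice")
    results = {
        "wrong_code_rejected": svc.verify("alice", a_wrong_guess(code)),
        "right_code_accepted": svc.verify("alice", code),
        "replay_rejected": svc.verify("alice", code),
    }

    code = svc.issue("alice")
    clock.now += OTP_TTL_SECONDS + 1
    results["expired_rejected"] = svc.verify("alice", code)

    code = svc.issue("bob")
    for _ in range(MAX_ATTEMPTS):
        svc.verify("bob", a_wrong_guess(code))
    results["locked_out_after_max_attempts"] = svc.verify("bob", code)  # correct, but too late
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The attempt cap is the piece most often left out: without it, a 6-digit code with a five-minute window is brute-forceable by anyone who can submit guesses quickly enough, and the second factor adds little.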
Password Security is Fundamentally Weak
But why the increased use of two-factor, and why are users happy to accept this extra step? The underlying point is that simple password-based authentication is not, and never really will be, a fully secure way of protecting resources. I've blogged on this topic several times in the past 18 months (Passwords And Why They're Going Nowhere - March 2013, The Problem With Passwords (again, still) - Oct 2012, The Password Is Dead (long live the password!) - Feb 2012), but the situation remains: passwords have numerous weaknesses. Some arise on the end-user side (non-complex passwords, the same password reused across sites, passwords written down) and some on the custodian side, particularly in password storage (clear text - yes, really!; reversible symmetric encryption, which gives up every password to whoever obtains the key, instead of salted, deliberately slow hashing) and in transit (credentials sent over plain HTTP rather than SSL/TLS). Password-cracking techniques are also mature, with automated tooling, precomputed hash tables and credential-harvesting engines, all of which make an application protected by just a username and password a risky proposition.
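The storage weaknesses above, in an added example written for this page (not code from the post): an unsalted fast hash falls to a precomputed lookup table, and two users sharing a password show up as identical rows before any cracking is attempted; a per-user random salt with a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256 from the Python standard library) and a constant-time comparison removes both problems. The wordlist and the users' passwords are constructed, and the iteration count is kept low so the example runs quickly; production deployments use far more iterations or a memory-hard KDF.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Constructed list standing in for an attacker's wordlist of common passwords.
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty", "football"]

# Kept low so the example runs in well under a second (assumed value);
# production uses several hundred thousand iterations or scrypt/Argon2.
PBKDF2_ITERATIONS = 100_000


# --- Weak storage: fast, unsalted hash ----------------------------------------
def store_unsalted_md5(password: str) -> str:
    """Same password -> same hash for every user, and MD5 is cheap to compute,
    so a table built once cracks every leaked database that uses this scheme."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates: Iterable[str]) -> Dict[str, str]:
    """Attacker side: precompute hash -> plaintext for a wordlist."""
    return {store_unsalted_md5(p): p for p in candidates}


def crack_with_table(stored_hash: str, table: Dict[str, str]) -> Optional[str]:
    """Attacker side: a dictionary lookup recovers the password, no brute force needed."""
    return table.get(stored_hash)


# --- Hardened storage: per-user random salt + slow KDF ------------------------
def store_pbkdf2(password: str, salt: Optional[bytes] = None) -> str:
    """Record format: algorithm$iterations$salt_hex$derived_key_hex, so the
    parameters travel with the record and can be raised later per user."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def demo() -> dict:
    """Two constructed users who happened to pick the same common password."""
    alice_pw = bob_pw = "letmein"
    table = build_lookup_table(COMMON_PASSWORDS)

    alice_md5, bob_md5 = store_unsalted_md5(alice_pw), store_unsalted_md5(bob_pw)
    alice_rec, bob_rec = store_pbkdf2(alice_pw), store_pbkdf2(bob_pw)

    return {
        # Identical rows leak the shared-password relationship on their own.
        "md5_rows_identical": alice_md5 == bob_md5,
        "md5_cracked_as": crack_with_table(alice_md5, table),
        # Distinct salts: identical passwords no longer produce identical records,
        # and a table keyed on the password alone does not apply.
        "pbkdf2_rows_identical": alice_rec == bob_rec,
        "pbkdf2_verifies": verify_pbkdf2(alice_pw, alice_rec) and verify_pbkdf2(bob_pw, bob_rec),
        "pbkdf2_rejects_wrong": verify_pbkdf2("letmein1", alice_rec),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salt does not stop an attacker from guessing "letmein" against one specific record; what it stops is amortising that work across every user and every breach, and the slow KDF makes each individual guess expensive.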
Biometrics - Face Recognition
OK, so everyone knows passwords are weak. So what are the options? Due to the rise of mobile technology - both smartphones and tablets - the raw hardware available to most end users is considerably more capable than it was, say, five years ago. Most devices have high-resolution cameras and touch screens that can be used for additional authentication checks without the need for extra, costly hardware. Face recognition is already offered as an unlock option on a number of handsets (Android's Face Unlock, for example), with a PIN as the fallback when the face check fails. Most face recognition systems either run an algorithm over the relative positions of features such as the nose, eyes and mouth, or analyse a set of facial images to build a normalised template. The area is certainly developing, but a face check can be circumvented by replaying a photograph or video of the user unless the system also tests for liveness (a blink, for example), and even those tests have their limits. Google has certainly taken a lead here, having recently announced a patent based on facial authentication.
Biometrics - Voice Recognition
Another area of interest is voice or speech-based authentication. Like face recognition, it rests on the premise that something you are is harder to share, guess or steal than something you know (a password) and harder to lose than something you have (a token), with the caveat that a compromised biometric, unlike a password or token, cannot be reissued. Voice recognition requires 'printing' the user's voice in order to capture the characteristics that distinguish the individual. This is akin to a fingerprint: when measured accurately, using the relative amplitude of key frequencies together with cadence and pause patterns, it gives an arguably distinctive profile of a user's voice, although not a unique identifier in the way a DNA sample is. At login time the user is asked to repeat the phrase used at registration and the system looks for a match; as with face recognition, a recording of the user saying that phrase is the obvious replay to guard against.
Any biometric method raises questions about practicality (the accuracy of the technology and keeping false reject and false accept rates - type I and type II errors - acceptably low, for example), as well as managing the privacy concerns of holding individual biological data. The latter could be eased by storing derived templates rather than raw samples, but a plain cryptographic hash of the measurements will not do on its own: every capture differs slightly, so an exact-match hash would never verify, and any template-protection scheme has to tolerate that noise while still treating the stored template as sensitive data.
Either way, passwords may at last have begun a long goodbye from centre stage.