2-Factor Is Great, But Passwords Still Weak Spot

The last few months have seen a plethora of consumer focused websites and services, all adding in two-factor authentication systems, in order to improve security.  The main focus of these additional authentication steps, generally involve a secondary one time password, being sent to the authenticating user, either via a previously registered email address or mobile phone number.  This is moving the authentication process away from something the user knows (username and password) to something the user has - either an email address or mobile phone.  Whilst these additional processes certainly go some way to improve security, and reduce the significance of the account password, it highlights a few interesting issues, mainly that password based authentication is still a weak link.




Consumers Accept New Security

Two factor authentication solutions have been around for a number of years, either in the form of hard tokens (RSA for example) or physical proximity cards for use with a pin to access a controlled physical site.  However, many have been used for general high security enterprise or internal scenarios, such as access to data centers or perhaps dialing into a secure network from an unsecure location.  The interesting aspect today, is that many of these SMS based 'soft' approaches to two factor authentication, are being made available to consumers, accessing standard web applications and sites.  The services those sites offer, whilst containing identity data or personal information, are not particularly life threatening or business critical.  It is interesting to see websites taking a risk with regards to user convenience, in order to implement greater security.  As a security professional, even just from an awareness perspective this a positive move.  Many end users, most of whom are non-technical, now willingly accept these additional steps, in order to reduce the risk associated with their account being hacked.


Password Security is Fundamentally Weak

But why the increased use of two-factor and why are users happy to accept this new level of security?  The main underlying point, is that simple password based authentication, is and never really will be, a totally secure way of protecting resources.  I've blogged on this topic several times in the past 18 months (Passwords And Why They're Going Nowhere, - March 2013,  The Problem With Passwords (again, still) - Oct 2012, The Password Is Dead (long live the password!) - Feb 2012), but the situation still remains: passwords have numerous weaknesses.  Some arise from the end user side (use of non-complex passwords, password sharing between sites, passwords being written down) and some from the custodian side, especially with regards to password storage (use of clear text - yes really!, symmetric encryption as opposed to hashing) and password transit (use of non SSL / HTTPS communication).  The complexity of password hacking techniques is also pretty mature, with automated tooling, pre-compiled hashing tables and harvesting engines, all make application protected by just a username and password, a risky proposition.

Biometrics - Face Recognition

Ok, so everyone knows passwords are weak.  So what are the options?  Due to the rise of mobile technology - both smart phones and tablets - the raw hardware technology available to most end users, is considerably higher than it was say 5 years ago.  Most devices will have high resolution cameras and touch screens that can be used for additional authentication checks, without the need for additional costly hardware.  Facial recognition is available on many of the Android and iOS handsets, when used alongside a secondary PIN.  Most facial recognition systems either use an algorithm to analyze the relative position of things like the nose, eyes and mouth or perhaps analyse a selection of facial images to create a normalized view.  This area is certainly developing, but can perhaps be circumvented by pictorial replays or other savvy attacks.  Google has certainly taken a lead in this area, by recently announcing a patent based on facial authentication.


Biometrics - Voice Recognition

Another area of interest is that of voice or speech based authentication.  On a similar front to facial recognition, this is focusing on the premise, that something you are, is certainly a lot more secure than something you know (password) and even more so than something you own (token).  Vocal recognition requires the 'printing' of the users voice, in order to identify the unique characteristics of the individual.  This is akin to a fingerprint, and when measured accurately using the amplification levels of key frequencies and other pause factors, makes an arguably world unique view of a user's voice, similar to a DNA sample.  At login time, a user is asked to repeat a certain phrase that was used at registration time in order to identify a match.

Any biometric method will raise questions about practicality (accuracy of technology, avoidance of poor type I and type II error rates for example), as well as managing the privacy concerns of holding individual biological data.  The latter part however, could probably be overcome by holding simple hashes of key checking metrics as opposed to raw data.

Either way, passwords may at last be on the long goodbye away from centre stage.

By Simon Moffatt

Passwords And Why They’re Going Nowhere

Passwords have been the bane of security implementers ever since they were introduced, yet still they are present on nearly every app, website and system in use today.  Very few web based subscription sites use anything resembling two-factor authentication, such as one-time-passwords or secure tokens.  Internal systems run by larger organisations implement additional security for things like VPN access and remote working, which generally means a secure token.


Convenience Trumps Security

Restricting access to sensitive information is part of our social make up.  It doesn't really have anything to do with computers.  It just so happens for the last 30 years, they're the medium we use to access and protect that information.  Passwords came before the user identity and were simply a cheap (cost and time) method of preventing access to those without the 'knowledge'.  Auditing and better user management approaches resulted in individual identities, coupled with individual passwords, providing an additional layer of security.  All sounds great.  What's the problem then?  Firstly users aren't really interested in the security aspect.  Firstly, users aren't interested in the implementation of the security aspect.  They want the stuff secure, they don't care how that is done, or perhaps more importantly, don't realise the role they play in the security life cycle.  A user writing down the password on a post-it is a classic complaint of a sysadmin.  But the user is simply focused on convenience and performing their non-security related revenue generating business role at work, or accessing a personal site at home.


Are There Alternatives & Do We Need Them?

The simple answer is yes, there are alternatives and in some circumstances, yes we do need them.  There are certainly aspects of password management that can help with security, if alternatives or additional approaches can't be used or aren't available.  Password storage should go down the 'hash don't encrypt' avenue, with some basic password complexity requirements in place.  Albeit making those requirements too severe often results in the writing down on a post-it issue...

Practical alternatives seem to be few and far between (albeit feel free to correct me on this).  By practical I'm referring to both cost (time and monetary) and usability (good type-I and type-II error rates, convenient).  So biometrics have been around a while.  Stuff like iris and finger print scanning as well as facial recognition.  All three are pretty popular at most large-scale international airports, mainly as the high investment levels can be justified.  But what about things like web applications?  Any use of biometric technology at this level would require quite a bit of outlay for new capture technology and quite possibly introduces privacy issues surrounding how that physical information is stored or processed (albeit hashs of the appropriate data would probably be used).

There are also things like one-time-passwords, especially using mobile phones instead of tokens.  But is the extra effort in deployment and training, enough to warrant the outlay and potential user backlash?  This would clearly boil down to a risk assessment of the information being protected, which the end user could probably not articulate.


Why We Still Use Them...

Passwords aren't going anywhere for a long time.  For several reasons.  Firstly it's cheap.  Secondly it's well known by developers, frameworks, libraries, but most importantly the end user.  Even a total IT avoider, is aware of the concept of a password.  If that awareness changes, there is suddenly an extra barrier-to-entry for your new service, application or website to be successful.  No one wants that.

Thirdly, there are several 'bolt on' approaches to using a username and password combination.  Thinking of things like step-up authentication and knowledge based authentication.  If a site or resource within a site is deemed to require additional security, further measures can be taken that don't necessarily require a brand new approach to authentication, if a certain risk threshold is breached.

As familiarity with password management matures, even the most non-technical of end users, will become used to using passphrases, complex passwords, unique passwords per applications and so on.  As such, developers will become more familiar with password hashing and salting, data splitting and further storage protection.  Whilst all are perhaps sticking plaster approaches, the password will be around for a long time to come.

By Simon Moffatt