With online services growing at an exponential rate, each requiring us to change our passwords every 6 months, Nicole Lin, Managing Director of Synology UK, explores how we should approach identity authentication and password management in the long run, from both individual and business perspectives.
Before 2020, remote working was a perk for employees, even a bandwagon some jumped on because it was how the future was supposed to look. One pandemic and global lockdown later, the entire world was left scrambling to get to grips with Zoom meetings, cloud storage and VPNs, while fast-tracking long-overdue IT skills updates.
In this global rush to remote working, handling security, particularly in the cloud, has been the sword on which many an IT admin has fallen. Smart security providers have sensed an opportunity to market sophisticated tools to protect your network infrastructure. And let us be clear: these tools serve a vital purpose. Should we not have advanced security gateways, for example, which inspect every packet entering your network and flag any potential threat? Of course we should! Should we not use advanced antivirus tools powered by AI and leveraging global databases to stay ahead of hackers and protected from the latest forms of ransomware? Who would object?
Now, with that disclaimer in mind, let’s address the elephant in the room: these sophisticated tools are like a castle built on shaky foundations if IT admins leave the humans in the organisation to their own devices when it comes to security. Verizon’s data breach investigations report puts things into perspective: 61% of breaches leverage credentials. So where have things gone wrong?
Let us put ourselves in the shoes of a hacker. What will require the least effort to breach an organisation’s security? Rather than spending hours identifying a system vulnerability to hit a target with ransomware, “guessing” a password is just as easy and allows entry without creating a fuss, potentially remaining undetected until it is too late.
It is important to consider all aspects of passwords. We are told, reminded and encouraged to make passwords complicated. “123456”, anything containing your date of birth, names, etc. are too obvious and constitute a risk. Increasing the complexity by making passwords longer and including special characters is the logical solution. However, unless one has an eidetic memory, the temptation is great to re-use the same password for Gmail, Windows, Salesforce and Twitter, and once one account is cracked, your whole privacy is at risk.
Add to that the massive growth in computing capabilities, which means even entry-level laptops can now be used to carry out brute-force attacks.
Making matters worse, password-reset functions can easily be hijacked: “What was your mother’s maiden name?” may have been relevant in 1990, but with most of us posting our lives on social media, the answer can ever so easily be discovered by unscrupulous hackers.
This shows us one thing: passwords have served us well, but an arms race with hackers is not going to end well for corporations and honest netizens without a change of strategy, preferably one that does not involve retreating from the web back to a bygone age of letters and carrier pigeons.
Password + 2FA for optimised protections
So, from an individual’s perspective, how can password complexity be maintained as the number of passwords to remember grows with every new online service? Password vaults are a first step: they centralise all passwords and can generate strong, secure passphrases. But the more cynical among us will simply see this centralisation as a single point of failure: gain access to the vault, and every single account is compromised.
This needs to be combined with consistent use of multi-factor authentication. The concept is quite simple: unauthorised logins are prevented by adding an extra layer of checks to ensure you are the right person. If we consider your password as “something you know”, then the extra layer is “something you have”. This is typically another device such as your phone, to which a one-time passcode is sent, and which you need to enter within a short period of time to confirm you are not a hacker who has stolen the original password. Security can be pushed even further with “something you are”, in the form of a biometric identifier. In everyday life, smartphone fingerprint recognition is the most common example.
Moving beyond passwords
With two-factor authentication increasingly common in the tech industry, from Gmail to Amazon accounts, one would think hackers would soon be running out of options. Well, humans are remarkably creative, and to impersonate you and “something you have”, you may have heard of “SIM swapping”: here a hacker fools your mobile provider into switching your SIM card information to a different phone, a process normally reserved for customers who have just lost their phone, and the hacker is then able to receive your verification code.
However, a more fundamental flaw with passwords, even with 2FA methods, is that no matter how vigilant we are as users, trust is a fundamental part of the equation. It is often assumed, for example, that the company hosting the website or service will follow strict security practices to keep stored passwords safe. Yet no company is safe, and we know big names like Dropbox or Facebook have had customer credentials leaked due to poor practices.
Since passwords will always present a certain level of vulnerability, the logical conclusion is to move beyond them. This is what came out of a meeting between PayPal and Validity Sensors back in 2009: when discussing the use of biometrics to identify online users, it became clear that the first building blocks of an industry standard would be needed. This would soon become the FIDO Alliance, for Fast IDentity Online.
The concept is simple enough. Contrary to passwords, where authentication is initiated by the user, who sends information to the website’s servers, the FIDO approach is device-centric, with no personal or biometric information ever leaving the user’s device. This is achieved with a public-key cryptography model. When registering with a website, a public key is provided rather than a password. Later, when the user wishes to log in, the website’s server sends a challenge to the user’s device, which can only be answered using the private key kept on the device. Security is further enhanced by ensuring that the public/private key pair is issued for the website in question. Importantly, this removes the threat of phishing scams, where a fake website, visually similar to a mainstream one, is used to collect a customer’s credentials without their knowledge.
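To make the device-centric flow concrete, here is an added illustration (not code from the article, Synology or the FIDO Alliance) of FIDO-style registration and challenge-response login in Go with the standard library's Ed25519: the website stores only a public key, the device signs a fresh server challenge together with the origin the key was issued for, and a look-alike phishing origin gets nothing signed. The origins, the single-user relying party and the origin-hashing layout are constructed assumptions; a real FIDO2/WebAuthn exchange also carries signature counters, attestation and user-verification flags that are left out here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator models the user's device: one private key per website origin, never exported.
type Authenticator map[string]ed25519.PrivateKey

// Register creates a key pair bound to origin and returns only the public key for the server to store.
func (a Authenticator) Register(origin string) ed25519.PublicKey {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // rand.Reader does not fail in practice
	a[origin] = priv
	return pub
}

// Sign answers a challenge only for the origin the credential was issued to; a look-alike phishing origin has no key here.
func (a Authenticator) Sign(origin string, challenge []byte) ([]byte, bool) {
	priv, ok := a[origin]
	if !ok {
		return nil, false
	}
	return ed25519.Sign(priv, signedData(origin, challenge)), true
}

// signedData mixes the origin into the signed bytes so a response for one site cannot be replayed against another.
func signedData(origin string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(origin))
	return append(h[:], challenge...)
}

// RelyingParty models the website: it stores a public key only, so a leaked credential table is useless for logging in.
type RelyingParty struct{ Origin string; PubKey ed25519.PublicKey }

// NewChallenge returns 32 fresh random bytes; a new one per login defeats replay.
func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	return c
}

// Verify checks the response against the public key stored at registration.
func (rp *RelyingParty) Verify(challenge, sig []byte) bool {
	return ed25519.Verify(rp.PubKey, signedData(rp.Origin, challenge), sig)
}
func main() {
	auth, rp := Authenticator{}, &RelyingParty{Origin: "https://bank.example"} // constructed origin
	rp.PubKey = auth.Register(rp.Origin)
	c := rp.NewChallenge()
	sig, _ := auth.Sign(rp.Origin, c)
	_, phished := auth.Sign("https://bank-examp1e.com", c) // constructed look-alike origin
	fmt.Println("genuine login:", rp.Verify(c, sig), "phishing origin signed:", phished)
}
```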
The staggering growth seen since last year in the use of malware, up 358%, and ransomware, up 435%, shows how essential it is to spread best practices around online security, from standardising extra password complexity and two-factor authentication to a more fundamental shift in attitudes with the adoption of public-key authentication methods. To accompany this shift, websites and platforms, as well as manufacturers of servers, must make these safer authentication methods available.