In a recent study conducted by Google and the University of California, Berkeley, top researchers found that passwords are no longer a trusted paradigm. The in-depth study surveys cybersecurity experts to assess the current state of how we identify ourselves online every day.
Like most people, I have used the same email address for 15 years. I used it to sign up for thousands of web services and apps over the years, repeatedly using the same passwords over and over again.
Unfortunately, some of those services I used fell victim to data breaches and my personal information – emails, passwords, and phone numbers – was sold to hackers and used against me. I trusted those businesses to protect my personal information, they failed, and as a result I faced serious losses.
Could this have been avoided with current technology?
The short answer is yes.
Using email + password to secure account information has too many flaws; here are the reasons why it is the end of an era.
Email + Password Breakdown
Email is a weak form of identity
Email is much older than the ARPANet or the Internet. It was never invented; it evolved from very simple beginnings. A user on the ARPANet could just drop a note in a folder on the mainframe file system and another user could pick up that message and read it. Over the years, email took the form user@domain and gave a permanent address to identify a user. Eventually email started using SMTP, where messages could be easily forged to send spam or filled with viruses or worms and spread across networks.
So let’s break this down:
- Email originally wasn’t built with security in mind; it just happened
- Email became synonymous with the identity of the end user in account management
- As email developed further, its lack of security allowed mass fraud to be perpetrated against email users
- Everyone today uses email to register their personal information with services
Passwords are ripe for breaches
The first computer password was developed in 1961 by Fernando Corbató’s team for MIT’s Compatible Time-Sharing System. This was the first attempt at user authentication. The first computer-related password security breach happened one year later, in 1962, when someone printed out all the passwords on a sheet of paper.
DES standards raised the bar for encryption of passwords, but in 1998 the DES key was broken in 56 hours. We fixed that with stronger encryption algorithms like AES. However, despite using encryption to protect the password, stolen passwords that are decrypted are just as effective at breaking into a person’s account.
Now, let’s break down passwords:
- Data breaches are inevitable
- Encrypted passwords work well for authentication when they are used by the person who created them
Email + password security takeaway
We use a weak form of identity that can be easily forged and combine it with a method of authentication that can’t be replicated but can be exposed and weaponized against the end user. This is how we secure our lives online every day.
– Reza Piri, CEO, Ultra Auth
Normally, we go about our lives without challenging these assumptions because that is how account security has developed around us over time. Assuming that our email providers or online businesses are thinking about consumer safety will always put us in a bad place.
Stronger methods of authentication
There have been breakthroughs in account security with things like multi-factor authentication (one-time passwords with authenticator apps + SMS + hardware tokens), biometric authentication with mobile devices, anomaly detection (AI for logins), and federated identity. These are all great solutions to help combat the problem of weak email and exposed passwords, but most of them have downsides and weaknesses.
1. MFA – One-time passwords, authenticator apps, U2F tokens
Complicating the User Experience
Authy, Duo, and Google Authenticator are all examples of using a one-time password app as a second factor for authenticating users. This is a great solution because it actually solves the problem of an exposed password being used against a user. However, this trade-off adds more complexity for the user. If you lose the device that holds this token, you are effectively locked out forever. So you actually have to use another factor (a third factor) to back up this token in case you lose your authenticator app. These backup methods are usually SMS or phone calls with one-time passwords to be entered.
The problem with SMS and phone calls as backups for 2FA is that mobile phone companies have proven to be easily hacked through social engineering, making your backup for authenticator apps very weak. The most secure way of backing up an authenticator app is by using another hardware token, such as a YubiKey, as the third factor.
So let’s examine a registration / login process with MFA and OTPs:
- Email + password to log in and register stays the same (pro)
- Enter your second-factor one-time password using your mobile app
- Optional (in case of lost authenticator app) – receive the token via SMS or phone call
- Optional (in case of lost authenticator app) – plug a YubiKey into your USB port
What does this mean? You need to have multiple tokens to authenticate. One is not enough: you need at least two tokens (in addition to your password) on you at all times to be secure, and not every online service is required to use them. In fact, these methods are effectively barriers for most regular people if you look at the adoption rates and costs to implement. Recently at the Enigma conference, a Google engineer stated that less than 10% of active Google account holders use multi-factor authentication and, by default, MFA is merely optional.
2. Anomaly Detection / Machine Learning
This sounds super smart! Machine learning has really taken leaps forward. However, machines that are programmed with the wrong assumptions can be faulty and eventually fooled. Also, machine learning needs training data, which takes time and effort to collect so that the learned patterns match the user’s behavior.
Machine learning pros and cons:
- Email + password to log in and register stays the same (pro)
- ML / AI takes time to train on data (so it is not immediately effective) (con)
- Poorly programmed ML / AI can be ineffective at stopping attackers, especially when the attackers can study the patterns in responses (con)
- Users give up all personal / private info and waive their rights to privacy so businesses can protect them (con)
Given the improved user experience with AI/ML anomaly detection, it directly solves the problem of account takeover with exposed credentials. However, there are edge cases that AI/ML does not protect against:
- If a hacker has already compromised a user’s email account or hardware token, they can intercept the warnings being sent to the user or easily impersonate the user.
In the cases where a user credential (email account or mobile telephone device) is already compromised (password resets / second-factor SMS codes), AI/ML is effectively useless.
3. Federated Identity
Expensive User / Access Management
OpenID Connect, Single Sign-On (SSO), and SAML are by far the best solutions for managing authentication for large swaths of users, but they are very expensive to implement. Businesses get complete control over user administration and password management, and they reduce the access footprint for any bad actors.
Federated Identity pros and cons:
- Logins do not change (pro)
- User management is secure (pro)
- Cost prohibitive to protect consumer facing apps (con)
Most startups, app developers, and online businesses would prefer to roll their own authentication before spending thousands of dollars a month to implement any one of these solutions. Typically, only large enterprises can afford expensive infrastructure to manage users’ and employees’ credentials.
4. Biometric Authentication
Strong, Seamless, Private
Open protocols like the FIDO UAF standard have paved the way for biometric authentication to become ubiquitous around the world. The FIDO protocols are designed from the ground up to protect user privacy. The protocols do not provide information that can be used by different online services to collaborate and track a user across the services. Biometric information, if used, never leaves the user’s device.
- Logins (email + password or OAuth provider) need to migrate to use the UAF protocol (con)
- Access and authentication are in the hands of the end user, not a vulnerable database (pro)
- User information is kept private and not associated with any credential, obfuscating identity further (pro)
- Cryptographic keys stored on a user’s device can be lost unless backed up (con/pro)
Where to go from here
There are many options to choose from above, and Deauthorized can help you with two of them.
Our platform combines a Federated Identity Platform with Biometric Authentication to produce a future-proof security model that eliminates weak email and password, while protecting your user’s privacy. If you’re interested in a demo, please request a demo and schedule a meeting.