The Authentication Puzzle

Kevin Townsend, 3 July 2020

Producing a secure authentication process that keeps users happy is easier said than done, but it's necessary in order to keep them safe online.

Controlling access is the basis of all security. The right people should be allowed in, and the wrong people kept out. This is done by confirming – or authenticating – the identity of the person seeking access, and then checking that the person is authorized to enter.

Authentication is normally achieved by the presentation of a User ID (usually the user’s email address) to identify the person, and a secret password known only to that person to confirm the identity.

But there are huge problems with this process. Fundamentally, it does not authenticate the person; it only checks the credentials. If a criminal acquires and uses the person’s User ID and password, the criminal is automatically let in. So, strictly speaking, a password does not authenticate the user; it simply authorizes the device that presents it, regardless of who is using that device.

This basic weakness in password-based authentication has become a continuing disaster caused by the sheer volume of stolen IDs and passwords available to criminals. A race is now on to find or develop a more secure and efficient form of user authentication. We’ll look at some of the options, but will start with an examination of how and why passwords have failed us.


Too many, too weak

An analysis by LastPass, published in November 2017, “found the average employee using LastPass is managing 191 passwords. Not 10, not 50 – an average of 191.” It is not realistic to expect users to remember this many passwords or to keep their written reminders secure; so they use and reuse simple passwords. The simple passwords that are most easily remembered are also the most common and the most easily guessed. Compare Avast’s list of the 10 worst passwords with the NCSC’s list of the most frequently used passwords among breach victims in 2019, and with SplashData’s list of the most used passwords of 2019.

Avast’s ‘worst passwords’ list

  • 123456
  • Password
  • 12345678
  • qwerty
  • 12345
  • 123456789
  • letmein
  • 1234567
  • football
  • iloveyou

NCSC’s most breached passwords 2019

  • 123456 (23.2 million users)
  • 123456789 (7.7 million users)
  • qwerty (3.8 million users)
  • password (3.6 million users)
  • 1111111 (3.1 million users)

SplashData’s most used passwords 2019

  1. 123456
  2. 123456789
  3. qwerty
  4. password
  5. 1234567
  6. 12345678
  7. 12345
  8. iloveyou
  9. 111111
  10. 123123

Avast offers advice on how to create a strong password, and also provides a random strong password generator (example: ScuXaiZpdJkjFAb). Even if you do not use the generator, it is worth checking just to see what a strong password looks like – but now imagine having to remember more than 100 of these.

Reusing passwords

Users frequently use the same password across multiple different online accounts to reduce the number they need to remember. This is known as password reuse. It means that if hackers get hold of one password, they have access to all the other accounts that use the same password. A 2018 survey by LastPass found that 59% of users admit to reusing passwords out of fear of forgetting them.

Password theft and use by criminals

A password is only a problem if it is used to authenticate an unauthorized person; i.e., a criminal. This raises the question: how do criminals get the passwords? The answer is, ‘all too easily’. Millions are stolen from online services and vendors every week – and there are now billions of passwords for sale or free on the dark web. (Breach-notification lookup services let you check whether one of yours is known to be among them.)

Vendors should store these passwords not as plaintext but as hashes, and most do. A cryptographic hash function turns a password into a fixed-length output from which the original cannot be computed directly. Hashing is a one-way function, not encryption: there is no key that decrypts it. But the criminal does not need to reverse it. Attackers hold vast tables of pre-computed hashes for common passwords and dictionaries, so a stolen hash can simply be looked up, and the common, simple passwords are found first. Where the site used a fast hash such as MD5 or SHA-1 with no per-user salt, an ordinary GPU can also guess billions of candidates per second. The defence, which every practitioner should check for, is a unique random salt per password, which makes pre-computed tables useless, combined with a deliberately slow algorithm such as bcrypt, scrypt, Argon2 or PBKDF2, which cuts the guess rate to thousands per second and leaves only genuinely weak passwords practical to crack.
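To make that difference concrete, here is an added example, not code from the original article, that puts the attacker’s lookup against unsalted SHA-1 beside a salted, slow PBKDF2 store. The wordlist is the passwords from the lists above; the 16-byte salt, the iteration count and all function names are choices made for illustration.

```python
import hashlib
import hmac
import os

# Attacker's dictionary: the lists above plus two obvious variants.
# Real cracking wordlists run to hundreds of millions of entries.
COMMON_PASSWORDS = [
    "123456", "123456789", "qwerty", "password", "1111111", "12345678",
    "12345", "iloveyou", "111111", "123123", "letmein", "football",
    "Password", "1234567",
]


def sha1_hex(password: str) -> str:
    """Unsalted fast hash, the way many breached sites stored passwords."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_lookup_table(wordlist):
    """Pre-computed once and reused against every dump: hash -> password."""
    return {sha1_hex(p): p for p in wordlist}


def crack_unsalted(stolen_hex: str, table: dict):
    """One dictionary lookup per stolen hash; no hashing at attack time."""
    return table.get(stolen_hex)


def store_password(password: str, iterations: int = 600_000) -> dict:
    """Defender side: 16 random bytes of salt per user plus a slow key
    derivation (PBKDF2-HMAC-SHA256 here; bcrypt, scrypt or Argon2 serve the
    same purpose). The salt is not secret; it only has to be unique, so no
    two users share a hash and no table can be built in advance.
    (Illustrative iteration count; tune it to your hardware budget.)"""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify_password(password: str, record: dict) -> bool:
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"]
    )
    # Constant-time comparison: the check must not leak how many bytes matched.
    return hmac.compare_digest(candidate, record["hash"])


def crack_salted(record: dict, wordlist):
    """Against a salted, slow hash there is no table to consult: every guess
    costs a full KDF run, and the work cannot be shared between users."""
    for guess in wordlist:
        if verify_password(guess, record):
            return guess
    return None


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    stolen = sha1_hex("qwerty")                      # a line from a breach dump
    print("unsalted SHA-1 cracked to:", crack_unsalted(stolen, table))
    record = store_password("qwerty", iterations=100_000)
    print("table lookup on salted hash:", crack_unsalted(record["hash"].hex(), table))
    print("salted hash cracked (slowly) to:", crack_salted(record, COMMON_PASSWORDS))
```

Note that the weak password is still recovered in the salted case: salting and slow hashing buy time and remove the shared table, they do not rescue ‘qwerty’.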

The second common method of gathering passwords is phishing. Here the user is socially engineered into handing over usernames and passwords (or full bank details) to the criminal via a fake website. These passwords do not need to be cracked because the user delivers them in plaintext.

Either way, the criminal has access to vast troves of username/password pairings. In many cases – hopefully – the user has been made aware that the password was stolen from the XYZ account and has changed it there, or been forced to. However, numerous studies show that users rarely change that password on every other account where it has been reused.

Here the criminals use a process known as ‘credential stuffing’. They go to a target website and use automated scripts to try their store of ID/password pairs against its log-in process. They spread the attempts over time, and often across many source addresses, with varying degrees of sophistication to avoid being detected. Most attempts fail, and the script moves on to the next pair and repeats the process until one succeeds. They succeed frequently enough for it to be a serious problem.
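An added example, not from the original article, of the detection logic a site would run over its own authentication log against this attack. Credential stuffing tries each account once or twice, so per-account lockouts never fire; the useful signals are a single source touching many different accounts, and, for a run spread across many addresses, a site-wide rise in accounts whose only activity is one failed attempt. The log events below are constructed for illustration (invented usernames, RFC 5737 documentation IP addresses and timings), as are the thresholds.

```python
from collections import defaultdict

# Constructed authentication-log events, not real traffic:
# (time in seconds, source IP, username, outcome).
# 203.0.113.7 walks a leaked list: one try per account, many accounts.
# 198.51.100.2 is a legitimate user mistyping a password twice.
# 192.0.2.x is the same stuffing run spread "low and slow" across addresses.
SAMPLE_LOGINS = [
    (0,  "203.0.113.7",  "alice@example.com",   "fail"),
    (2,  "203.0.113.7",  "bob@example.com",     "fail"),
    (3,  "203.0.113.7",  "carol@example.com",   "fail"),
    (5,  "203.0.113.7",  "dave@example.com",    "success"),
    (6,  "203.0.113.7",  "erin@example.com",    "fail"),
    (9,  "203.0.113.7",  "frank@example.com",   "fail"),
    (1,  "198.51.100.2", "grace@example.com",   "fail"),
    (4,  "198.51.100.2", "grace@example.com",   "fail"),
    (7,  "198.51.100.2", "grace@example.com",   "success"),
    (10, "192.0.2.10",   "heidi@example.com",   "fail"),
    (20, "192.0.2.11",   "ivan@example.com",    "fail"),
    (30, "192.0.2.12",   "judy@example.com",    "fail"),
    (40, "192.0.2.13",   "mallory@example.com", "fail"),
]


def detect_stuffing_sources(events, window=60, min_users=5, min_fail_ratio=0.6):
    """Flag a source that tries many *different* accounts within one window
    with mostly failures. Brute force against one account looks different
    (one user, many attempts) and is left to per-account lockout."""
    stats = defaultdict(lambda: {"users": set(), "attempts": 0, "failures": 0})
    for t, ip, user, outcome in events:
        s = stats[(ip, t // window)]
        s["users"].add(user)
        s["attempts"] += 1
        s["failures"] += int(outcome != "success")
    flagged = {}
    for (ip, _bucket), s in stats.items():
        ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {
                "distinct_users": len(s["users"]),
                "attempts": s["attempts"],
                "failures": s["failures"],
            }
    return flagged


def one_shot_failure_users(events, window=60):
    """Site-wide signal for a distributed run: accounts whose only activity in
    the window is a single failed attempt. A real user who mistypes usually
    retries from the same address; a stuffing script just moves on."""
    per_user = defaultdict(list)
    for t, _ip, user, outcome in events:
        per_user[(user, t // window)].append(outcome)
    return sorted(user for (user, _b), outcomes in per_user.items()
                  if outcomes == ["fail"])


def one_shot_failure_ratio(events, window=60):
    """Share of all active accounts that were one-shot failures. Compare this
    against the site's normal baseline rather than a fixed number."""
    users = {user for _t, _ip, user, _o in events}
    return len(one_shot_failure_users(events, window)) / len(users)


if __name__ == "__main__":
    print("per-source alerts:", detect_stuffing_sources(SAMPLE_LOGINS))
    print("one-shot failures:", one_shot_failure_users(SAMPLE_LOGINS))
    print("one-shot failure ratio: %.2f" % one_shot_failure_ratio(SAMPLE_LOGINS))
```

The per-source rule catches 203.0.113.7 but none of the 192.0.2.x hosts, each of which touches a single account; only the site-wide ratio reveals that run, which is the point the article makes about attackers pacing themselves to avoid detection.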

Fixing authentication security

Friction burns

The first thing to understand in any attempt to increase authentication security is the concept of ‘user friction’. ‘Friction’ is used to indicate the degree of effort required by the user. In general, increasing security requires increasing friction. But users do not like authentication friction. Short, simple, re-used passwords are low on friction; unique, long, complicated passwords are high on friction. This is why users repeatedly adopt the former. 

If an online vendor has a complex log-in process, it will be offering high security and high friction. The user will likely move on to a different website with low friction, regardless of the reduced security. The paradox, then, is that security is usually gained at the cost of customers; and the holy grail for all new authentication processes is the combination of high security with low friction. In an online world, companies that succeed here will thrive; those that do not will fail.

Single sign-on

Single sign-on (SSO) is an attempt to reduce user friction by reducing the number of passwords required to just one – the password required to log on to the SSO service itself. Having logged on to the service, it is the SSO service’s responsibility to log the user on to any other websites or services. Although this reduces friction, it is questionable to what extent it increases security. The user still requires a password to access the service, and the service holds a lot of the user’s data – it becomes a single point of failure and a prime target for attackers. Its real security benefit is indirect: one account is far easier to protect with strong MFA, and to monitor, than 191 separate ones.

There are two basic kinds of SSO: commercial services and free offerings. Commercial services are frequently used by businesses – the reduced user friction increases employee productivity. The free offerings are more commonly used by consumers, who do not always realize that they are a form of SSO. The ‘log on with Google’ (or Facebook or Twitter) buttons so frequently found and used for convenience are SSO services, technically federated log-in built on OAuth 2.0 and OpenID Connect. Friction is reduced; traditional security is as strong as the Google or Facebook account behind it; but the cost is privacy. When you ‘log on with Facebook’, you are telling Facebook (a company whose business model is built on monetizing personal information) which sites you visit and potentially what you do there.

Increasing the number of authentication factors

A password is a single factor form of authentication. ‘Factors’ are different types of secret that are required to be presented before authentication is accepted. A password belongs to the factor known as ‘something you know’. Other factors can be ‘something you own’ (such as a credit or ID card); ‘something you are’ (such as one or more unique biometric features such as a fingerprint); and ‘something you do’ (the behavioral biometrics that include identifiers such as geographical location, typing patterns, time of access and many more).

Every time an additional, independent factor is required (that is, moving from single-factor to multi-factor authentication – MFA) the security of authentication is substantially improved, because a criminal who has phished or cracked the password now also needs the second secret. The factors must be genuinely independent: a second password, or a code sent to the same compromised device, adds little. This is why cybersecurity pundits always praise and recommend MFA. Unfortunately, as the security increases, so does the user friction – and this is why users are reluctant to adopt MFA.

The authentication problem remains the same: how can you increase security from single-factor passwords without increasing (and ideally, reducing) user friction?

One-time tokens

One-time tokens – so beloved by financial institutions and almost universally loathed by users – are the most common and basic form of MFA. In its most basic form, when the user logs on to a website, the action triggers a second, one-use-only password (the token or code) to be sent by text message to the user’s mobile phone. This must also be entered into the website before access is granted. Strictly speaking, a code delivered by SMS is only a weak proof of ‘something you have’ (control of a phone number), not a fully independent factor: it can be redirected by a SIM swap at the carrier, read by malware on the phone, or simply phished along with the password by a fake site that relays it to the real one in real time.

Consider the process. The user attempts to access the website. He or she must then wait for the website to generate the one-time password and send it to the user’s mobile phone.

(This raises the question: what if the user doesn’t have a mobile phone, or it is broken, lost or stolen, or there is no mobile signal in this location, or it is under the control of a hacker who has installed spyware and can steal the token?)

The user must then wait for the message, read the code, and enter it into the log-on web page without any errors, usually within a short validity window. It is not unusual for a single error or too long a delay to require the whole process be repeated. Understandably, given the option, most users would prefer to avoid this type of MFA, despite the likely increased security, by simply using an alternative service that doesn’t require it.

And notice, too, that this process doesn’t solve the fundamental issue – it is the device being authorized rather than the person being authenticated.

Physical biometrics

Physical biometrics – the ‘something you are’ factor – have long been touted as a secure low-friction alternative to passwords. They certainly solve the fundamental issue, since it is the person being identified as well as the device being authorized. But they have never quite delivered on promise outside of mobile phone user authentication. 

Biometrics are much loved by governments and law enforcement agencies, who use them to authenticate (or more likely, recognize) individuals by fingerprints or facial scans. This introduces one of the biggest concerns over the use of biometrics – the loss of user privacy. 

When agencies use biometric recognition, they compare the scanned sample with massive databases of control scans. It can only work as a form of recognition/authentication if the scanned image is included within the databases. In legal terms, this means that ‘innocent’ scans are included with known criminal scans. It reverses the long-held principle that people are innocent until proven guilty, because it assumes that people are guilty until proven innocent by the biometric database. 

This has led to considerable user distrust of biometrics, a distrust that has carried over to commercial uses of the technology.

It should also be stated that where large central databases of biometric controls are required, these databases are a prime target for hackers. The problem for users, however, is that if a biometric is stolen, it cannot be changed as easily as a stolen password can be changed.

There are other issues. Personal biometrics can change over time. Fingerprints, for example, can be worn away by manual labor – and even keyboard jockeys such as writers can have poor or unrecognizable fingerprints. On top of this, there is no form of biometric that has not been successfully spoofed by security researchers and/or criminals.

The one area where biometrics have been a reasonable success is in authenticating the owner of a mobile phone before allowing access. The primary reason for this is that the biometric template never leaves the phone: it is held in the device’s secure hardware, the match is performed there, and only a yes/no result is released to the operating system. There is no central database of control scans, and so there is no privacy issue.

Biometrics have not become the success that was expected. In theory, they should increase security and decrease user friction; but in practice they can rarely do this.

Behavioral biometrics

Behavioral biometrics uses the factor based on what you do rather than what you are or what you know. In general, it still requires the use of a password for initial access. From then on, however, the system monitors how the user interacts with the computer, and how the computer interacts with the website. Examples include the geolocation of the user’s IP address. If, for example, a user logs on in California, and then ten minutes later logs on from China or South America, the system knows there is something wrong.

Other behavioral biometrics can include the time of day (if the user normally logs on during the afternoon, and suddenly logs on in the early hours of the morning, it could again be an indication of something wrong). Behavioral biometrics can also include the user’s keystroke patterns (everyone is subtly different), mouse usage or a combination of the two.
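The geolocation rule just described, as an added example that is not part of the original article: an ‘impossible travel’ check that compares the ground speed implied by two consecutive logins against what an airliner can manage. The login events, coordinates, speed ceiling and distance floor are constructed for illustration; the distance floor is there because IP geolocation is routinely tens of kilometres off, which would otherwise produce absurd speeds between two logins in the same city.

```python
import math
from collections import defaultdict

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in decimal degrees."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = phi2 - phi1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


# Constructed login events, not real data: (username, unix time, lat, lon),
# with the coordinates coming from IP geolocation of the client address.
SAMPLE_EVENTS = [
    ("alice", 1_000_000_000, 37.7749, -122.4194),  # San Francisco
    ("alice", 1_000_000_600, 31.2304, 121.4737),   # Shanghai, ten minutes later
    ("bob",   1_000_000_000, 37.7749, -122.4194),  # San Francisco
    ("bob",   1_000_021_600, 34.0522, -118.2437),  # Los Angeles, six hours later
]


def impossible_travel(events, max_speed_kmh=1000.0, min_distance_km=100.0):
    """For each user, sort logins by time and compute the speed implied by
    each consecutive pair. Airliners cruise near 900 km/h, so anything well
    above that cannot be one person; it is either a stolen credential in use
    elsewhere or a VPN/proxy, and either way worth a step-up challenge."""
    by_user = defaultdict(list)
    for user, t, lat, lon in events:
        by_user[user].append((t, lat, lon))
    alerts = []
    for user, logins in by_user.items():
        logins.sort()
        for (t1, lat1, lon1), (t2, lat2, lon2) in zip(logins, logins[1:]):
            dist = haversine_km(lat1, lon1, lat2, lon2)
            if dist < min_distance_km:
                continue  # inside geolocation error; two logins from one city
            hours = (t2 - t1) / 3600
            speed = dist / hours if hours > 0 else math.inf
            if speed > max_speed_kmh:
                alerts.append({
                    "user": user, "from_time": t1, "to_time": t2,
                    "distance_km": round(dist), "speed_kmh": round(speed),
                })
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_EVENTS):
        print(alert)
```

A real deployment feeds this from the authentication log rather than a list, and treats an alert as a reason to demand a second factor or terminate the session, not as proof on its own; frequent-flyer and corporate-VPN users generate a steady trickle of false positives.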

Behavioral biometrics offer many advantages over other forms of authentication, but with a few caveats. Fundamentally, it offers continuous low friction user authentication rather than authentication at logon only. However, it is best suited for business rather than consumer use. The artificial intelligence used to recognize individual user characteristics takes time to learn an identity. This works between an organization and its employees, but is not suited to occasional consumer visits to a website.

In short, behavioral biometrics offer the promise of low friction continuous secure authentication of the person for business, but currently little for consumers.

Mobile phones

Mobile phones have long been viewed as a potential vehicle for user authentication, and the modern mobile phone has everything necessary. Biometric access to the phone ties the device to the user/owner, so any authentication involving the device will automatically identify the user. So far, this is achieved with very low friction. All that remains is the need to authenticate the device with the online service.

There are two new technologies seeking to achieve this: ZenKey (still in beta) from a consortium of U.S. telephone carriers; and Beyond Identity (launched for business on April 14, 2020 with a consumer version due before the end of the year).


ZenKey is a form of SSO, with the mobile phone service provider (AT&T, Sprint, T-Mobile and Verizon) providing the SSO service. There is automatically a trusted relationship between the user and the carrier, and the carrier already holds ample personal information on the user. 

ZenKey provides a secure connection between the mobile phone (which is the user) and the carrier. The carrier redirects traffic to the user’s required destination. If logon is necessary, the carrier logs on on behalf of the user, normally without requiring any additional information or effort from that user.

The biggest weakness in ZenKey is the need to establish relationships with the service providers (banks, retail stores, etcetera) that users wish to access. This will take time. Once achieved, however – and provided the ZenKey app has been installed and activated on the device – users will simply be presented with another button. Next to ‘Log on with Facebook’ there will be a ‘Log on with ZenKey’ button.

This ticks all the boxes – very low friction, increased security, and identification of the person using the device.

Beyond Identity

Beyond Identity is a new firm founded by internet luminaries (Jim Clark of Netscape fame and Tom Jermoluk of @Home Network fame) using well-established technology: X.509 certificates and SSL (invented by Netscape some 25 years ago and, in its successor form TLS, still the bedrock of secure internet communications).

The system generates a certificate for each phone, with the certificate’s private key created and held inside the phone’s secure enclave, from which it cannot be exported. The phone proves possession of that key to the online service over an encrypted TLS connection; the certificate, not a password, is what identifies the device. The identity of the user has been established by the phone’s biometric unlock. As a result, there is a rock-solid chain of trust from the website through the device to the actual user – all without a single password being required.

The future

Passwords are so deeply embedded in our approach to security that it will take some time – and radically new technology – to replace them. But their security failings are so severe, they must be replaced. Attempts to improve security, by the additional requirement of a one-time password, increase user friction to such an extent that they will ultimately and inevitably fail.

The SSO approach of using a third party to do the greater part of the work is promising – but it still requires a password to access the SSO service. This still fails the test of identifying the user rather than authorizing the device – and if a criminal gets hold of that password, he or she has access to all the online services accessed by the user.

This can be solved by using the mobile device as a bridge between identifying the user and authenticating the device.

Behavioral biometrics may be the solution for business. It offers low friction (just the initial password or perhaps a biometric device), it identifies the user as well as the device, and can be used for continuous authentication. But it is not currently useful in the consumer market. Here, mobile phone-based authentication has the edge.

It seems likely, then, that until the next radically new technology emerges, behavioral biometrics will grow in usage within commerce, while mobile phone authentication will increase in the consumer market. Both approaches offer increased security with decreased friction while identifying the person behind the device.