Having strong passwords has never been more important as headlines are dominated with reports of password leaks of major consumer accounts, such as LinkedIn and Yahoo. Nearly everyone agrees that passwords are a problem. Recently, Intel Security conducted a survey and found that the average consumer has close to 27 logins. They’re either easy to guess or hard to remember, and many don’t realize how risky it is to use the same password for multiple accounts—as they are frequently captured by hackers in events such as the Yahoo breach (500 million accounts), the LinkedIn password breach (164 million accounts) and the Adobe hack (152 million accounts). Although sites should never retain passwords in plain text, instead storing them only in a hashed form (meaning that they’ve been encoded in a way that allows the right password to be recognized when inputted by the user, but that is supposed to prevent the password from being extracted), and most companies today are diligent in following this advice, hackers have still been able to crack millions of passwords after each of these breaches.
Even the White House agrees that passwords are a problem—a key pillar of the Cybersecurity National Action Plan is the “Lock Down Your Login” initiative, which encourages consumers to activate stronger authentication methods to help protect their accounts.
A solution that’s frequently recommended is “two-factor authentication,” or 2FA. This means requiring something more, in addition to the password, to verify a user’s identity and enable logging in to a site or app—usually a code sent to the user by SMS.
However, according to NIST—the National Institute of Standards and Technology, the U.S. government agency that sets the standards for everything from the electric power grid to atomic clocks to personal health records—SMS codes aren’t safe to use for this purpose. The NIST advised earlier this year that SMS codes are too easy for hackers to intercept or hijack, because they’re sent through a variety of insecure systems, and also because SMS messages are delivered to a SIM card, not a specific phone, and attackers can often persuade telco helpdesk staff to assign a new SIM card to an account.
There are other ways of implementing 2FA that don’t involve SMS messages – primarily by means of an app that users install on their phones. These apps usually generate a continuously-changing sequence of code numbers, and the user has to enter the code along with their password when they are logging in. This is potentially more secure than using SMS, but generally less convenient for the user – the app has to be pre-installed, there are generally some complex setup steps that have to be followed, and each time a code is needed the app has to be opened and the code has to be copied into the login page.
These systems are so inconvenient, in fact, that most sites and apps that have implemented 2FA have found that the proportion of users who voluntarily adopt the 2FA system in order to benefit from the additional security is very small – usually less than two or three percent. Forcing users to use a 2FA system is no better, as they will often just switch to a different service that’s more convenient to use. And there’s no security benefit if people won’t use it.
Finally, possibly the biggest problem with 2FA systems is the fact that they still require a password for each site. Even though 2FA can make passwords less likely to be compromised, it doesn’t make them any easier to remember.
These are serious problems with 2FA – it’s not very secure when implemented with SMS, it’s not very convenient, it still requires users to remember passwords, and users generally don’t like it.
So, what’s the alternative?
Another approach that at first sounds a lot like 2FA, but is actually quite different, is Multi-Factor Authentication (MFA).
As the name suggests, Multi-Factor Authentication systems include multiple authentication factors. These can include:
- Biometric authentication factors, such as fingerprints, facial recognition, and iris scans
- Device authentication factors, such as cryptographic Device ID, which can prove that the login is coming from a device trusted by the user, without any action by the user
- Second Device authentication, which can verify that an additional device trusted by the user is present
- Environmental factors, such as geolocation, wi-fi network ID, and Bluetooth device IDs, which provide additional information without requiring any action by the user
The key difference is that at the core of a modern MFA system is a policy engine that can intelligently combine the available factors, while taking into account the risk level of a specific login, as well as the user’s preferences—so that, for example, a user logging in to a low-risk site like Pinterest might be authenticated using a combination of a Device ID and some environmental factors, without requiring any action at all from the user. In another scenario, a user logging in to a higher-risk site like a bank site or app could be authenticated with a fingerprint or facial recognition (depending on what device she is using, and what sensors it has), automatically combined with a Device ID and further validated with environmental factors, such as a user’s location. MFA systems today usually still include a master password as one available factor, but even that can be eliminated as desktop and mobile platforms provide the capabilities that are needed.
The result of this combination of authentication factors is an intelligent system that can provide any required level of security, while making the user’s experience as convenient as possible – in some cases requiring no action at all on the user’s part, and in other cases selecting an optimal set of factors based on the user’s preferences and the degree of risk.
This means that MFA systems can be more convenient and user-friendly than plain old password-based authentication—unlike 2FA systems which still require the password and then add some additional, inconvenient, steps. And MFA systems can provide much higher levels of security—when advanced biometrics are combined with additional factors, the result is much safer than a 2FA system’s password + code combination.
MFA systems are starting to be available today. With luck, we can look forward to saying goodbye to passwords, and replacing them with a safer, easier alternative.
- Is Two-Factor Authentication (2FA) the Solution to the Password Problem? - December 14, 2016