Password-only authentication is not effective. Combine passwords with multifactor authentication, social login, biometrics, or risk-based authentication to better protect users and your reputation.-Password alternatives
The best thing you can say about using a password for authentication is that it’s better than nothing. High-profile breaches like Equifax, however, have exposed millions of passwords and user IDs, calling into question even that faint praise. If consumers don’t assume that at least some of their passwords have been compromised, they only create a dangerous false sense of security.
Companies that still rely on password authentication for access to important customer and corporate data are doing the same. Password-only protection is permanently broken, and any organization relying on it is placing its business and reputation at risk. Even if they avoid a breach, awareness of the shortcomings of password protection is much higher now thanks to Equifax. If that’s how you protect customers’ data, they will think twice about trusting you with it.
Alternatives like two-factor authentication (2FA), multifactor authentication (MFA), behavioral analytics, and biometrics have been available for some time, but adoption rates are low. The growing threat landscape and consumer awareness are lowering barriers to implementing these options — those barriers being, primarily, user resistance, complexity, and ROI.
All these alternatives can be compromised, some more easily than others. “All authentication whether it’s a fingerprint, a face, an iris scan—all these things are broken down into bits and bytes, and they are effectively a shared secret,” says Dustin Heywood, senior managing consultant for IBM’s X-Force Red security testing team. Because these shared secrets are stored digitally like a password, it is theoretically possible to steal them. The difference is that it’s harder to do so.
The goal is to make it so difficult to gain access that most cybercriminals will look elsewhere for easier pickings. Many companies use a combination of authentication methods depending on the risk, user considerations and value of the data being protected to reach a reasonable expectation of security.
The best-laid authentication plans of organizations and consumer-facing websites can go awry due to user resistance or apathy. One of the few positive outcomes of recent high-profile breaches is that consumers are starting to understand the value of strong authentication and seem more willing to accept some inconvenience for it.
While consumers might be more accepting of more complex authentication to protect the health and financial data, not all service providers offer the option. “A lot of banks, because of work that was done quite some time ago, think that having security questions tied to an account is a second factor, which it really isn’t,” says Irwin. “People want an extra layer of protection, and don’t have the option to turn anything on. They have to go to customer service or an account representative or up a chain to even ask for these features.”
The lack of a mechanism to request added security layers leads some companies to believe there is no demand for them. “There’s a lot of work to be done. People know they need something, but they don’t know what the thing is. When they find out what the thing is, sometimes they don’t have the option to turn it on. It’s really an uphill battle,” says Irwin.
Competitive concerns are holding back some companies from implementing a different authentication process that might make their services harder to access. “When it comes to the consumer side, they are so fearful of impacting the user experience,” says Robert Block, senior vice president of identity strategy at intelligence-based authentication provider SecureAuth. “A lot of that is driven by a lack of understanding that there are ways to do it that aren’t very impactful provided the right variables are met.”
“Consumers are becoming smarter. They’re saying, ‘If I do business with you, do you protect my credentials? Do you offer 2FA? If so, how much control over the methods do I have?’ The idea that users are lazy and not wanting their user experience interrupted ever is probably a myth because of the impact of breaches,” says Block.
The challenge of implementing stronger authentication is not with the technology. “It’s around people, process, and culture,” says Block. “Can you get the right people around the table to decide what’s an acceptable risk? The use cases to be supported? How many factors will we support and how do we present those factors to the end user?”
To gain user acceptance, Block stresses the need to be flexible. “Whatever you can tolerate [in terms of risk], try to be as flexible as possible so the end users feel like they are in control.”
It is just too easy for hackers to crack or steal passwords and user IDs to rely on them alone. That’s true even if you follow advice for keeping them safe. “There are a lot of security requirements that make [passwords] weaker, not stronger,” says Irwin. “A lot of people think that if they change passwords frequently, they are contributing to good security behavior. They’re not. A lot of the rules for generating strong passwords are backward. They make it easier for someone to crack a password.”
A lot of the rules for generating strong passwords are backward. They make it easier for someone to crack a password.
The rules Irwin refers to are widely used and based on earlier recommendations from standards organizations such as the National Institute of Standards and Technology (NIST). NIST recently revised those rules to better meet the realities of today’s threat landscape, but most organizations have yet to adopt them.
“The problem with the password isn’t the password itself. It can be hardened in certain respects,” says Heywood. “The crux of the issue is that the password is a shared secret. People reuse passwords between sites, so you’re relying not just on the security of the site you’re working with, but the security of every site you’ve ever used that password. Secrets always need to be rotated.”
Passwords are transformed using a hashing algorithm that is hard to reverse. Heywood says that too many sites are using hashing algorithms that are decades old and known to be compromised. Using today’s high-speed computers, it’s relatively easy for a black hat to reverse password hashes stolen during a breach. “There are now frameworks where we can quickly validate those credentials against other website breaches or even in real time against other websites.”
To minimize the risk of a compromised password, more people are using password vaults that encrypt and randomize passwords with very long strings using pseudo-random generators. “Some pseudo-random generators have been broken due to poor implementations, but they are better than nothing,” says Heywood.
Asking users to provide another piece of identifying information in addition to a password has become the minimum standard for secure authentication. That information is typically something only the user would know where they have to answer a security question like, “What was the name of your first dog.” It might be a verification code sent via SMS to their cell phone or to a token device—something they own.
“Secure” here is a relative term. In the Equifax breach, answers to security questions were also compromised for some users. Some personal information is easily found with a little research, like mother’s maiden name or city where a person was born.
Sending a verification code via SMS isn’t much better. In fact, the new NIST guidelines warn that hackers can intercept those codes. This is partly due to inherent vulnerabilities in SS7 (Signaling System No. 7), a protocol developed in 1975 that is the basis for message exchange over the telephone network. A hacker that exploits the vulnerability has access to all network traffic.
When the only way to know a code is to be holding a device, it makes it harder—almost impossible—to attack at scale
— Harry Sverdlov
SIM card hijacking is also on the increase, says Irwin. “A social engineer will call the AT&T or Verizon customer service line and pretend to be another person to set up a new phone or make changes to an account. They are now in control of device authorization, and they can intercept SMS codes,” she says. Irwin notes that this type of attack targets people whom the hacker knows has something of value like a bitcoin account or high-level access to important data.
Using a token device or a token smartphone app that displays the verification code is safer. “You don’t have to rely on another mechanism to get [the verification code]. Someone would have to get access to the particular token you have to attack the second factor. That’s a lot of work,” says Irwin. “[Tokens] are the strongest and best delivery method for 2FA codes.”
The problem with tokens for consumer applications is that people resist using them because they require a separate device and their own app. “Tokens can require a bit of extra work,” says Irwin. She believes that if consumers better understood the benefits and token app vendors made them more consumer friendly, they would be more widely used. For now, the primary use of tokens to deliver verification codes is in corporate environments.
Whether it is a token or smartphone, requiring ownership of a device for access limits the damage a cybercriminal can do. “When the only way to know a code is to be holding a device, it makes it harder—almost impossible—to attack at scale,” says Harry Sverdlove, co-founder/CTO of Edgewise Networks.
The idea behind MFA is to make hackers work harder to gain access to other people’s accounts. MFA typically requires a user ID and password, something you know, and something you possess. “If multifactor is in play and I have your password, I’m going to find somewhere where the administrator was lazy and didn’t utilize the multifactor,” says Heywood. “MFA isn’t a silver bullet, but it is extremely effective to block the majority of attacks except for a dedicated attacker.”
If multifactor is in play and I have your password, I’m going to find somewhere where the administrator was lazy and didn’t utilize the multifactor.
— Dustin Heywood
MFA is typically a staged process where a user is asked to provide additional identifying factors if a red flag is raised. It is often paired with risk-based authentication (see below). For example, the user attempts to log in from a new device or is trying to access a more protected area. “Routinely looking at my balance, [my bank] isn’t going to care [about asking for a second factor],” says Heywood. “If I try to transfer $10 million to the UK, they’re going to ask for my first-born, a lot of questions, a blood sample, etc.”
From January 1 to October 5 of this year, Block says about 88 percent of authentication attempts that SecureAuth processed went through on the first factor. “Why would you want to burden the user with a second factor every single time?” he says.
“We need to make MFA ubiquitous,” says Sverdlove. The most reliable scheme, he believes, would require something the user knows (password, answers to security questions), something you have (smartphone, token device), your location, and something you are (biometrics, behavioral analytics).
Large social media sites like Google, Facebook, Twitter and Instagram generally have better safeguards for user ID and password data than most other services. They also offer 2FA, at least as an option, and employ analytics to spot possible illegitimate login attempts that might trigger a request for more identifying information.
With social login, websites and mobile applications allow people to sign in using their social media accounts, often as an option for standard password authentication. Users see it more as a convenience than as added security, but websites and web service providers gain a level of secure authentication they might otherwise not have the resources to achieve themselves. Social media sites and identity service providers used for social login provide staff and technology to build strong authentication capabilities with modernized protections around user identities, says Jim Kaskade, CEO of Janrain, whose suite of customer identity and access management solutions include social login. “We stand on the shoulders of giants who have made a tremendous investment in security,” he says.
The big risk with social login is that all sites a user accesses via, say, Google will be compromised if that Google account is compromised. Attackers can take control of a social account in a number of ways: social engineering, creating a fake profile or buying a user ID and password on the dark web. Users can mitigate this risk if they turn on optional authentication features like 2FA, but many don’t.-Password alternatives