Monday, October 19, 2020

Authentication Factor 1: Something you know, like a password (Cybersecurity Awareness Month, Day 19)

Image of logging into a phone, promoting the use of better passwords, from Stay Safe Online, Cybersecurity Awareness Month, Lock down your login

Using passwords to protect your personal devices, data, and online accounts is, in my opinion, one of the most annoying aspects of human interaction with digital technology, and it is a consequence of weaknesses in both. Like locks on doors that control access to spaces, passwords that control access to digital devices and services exist because not every human can be trusted to respect boundaries or resist the temptation to mess with and/or appropriate other people's stuff.

In this blog post, number 19 out of the 31 posts that I have pledged to write for Cybersecurity Awareness Month, 2020, I offer some hopefully helpful thoughts and information on passwords. In the next two posts I will talk about related technologies such as security tokens (Day 20), and biometrics (Day 21). Taken together these articles should explain the value of multifactor authentication—commonly abbreviated as MFA—as a way to improve the security of your digital assets. 

The availability and awareness of multifactor authentication have improved in recent years, but not enough. Too many of the digital places and things that you need to secure don't yet offer MFA, which is sometimes offered as, or referred to as, 2FA, meaning two-factor authentication. 

Using 2FA/MFA can improve the security of digital devices and accounts, but it can also be confusing, particularly if it is not well executed. I tend to think that is one of the main reasons why, even when MFA is offered, some people aren't using it (according to a recent study by the Ponemon Institute, well under half of individuals (36%) use 2FA to protect their personal accounts; see The 2020 State of Password and Authentication Security Behaviors Report). 

MFA does not necessarily eliminate elements of frustration and complication from cybersecurity, and of course there are ways for savvy criminals to get past MFA; however, despite all that, I recommend using MFA/2FA when it is offered.

What the MFA is authentication?

In the context of computing devices and online services, authentication is typically taken to mean "making sure people are who they say they are." When you try to access an online account, such as a bank account or email service, you normally need to identify yourself. 

In addition to entering a name or other piece of information that identifies you, such as an email address, you are asked to enter a password or passphrase. This is an authentication factor. In this case, it is something that you know, which factors into making sure you are the person authorized to access the account. A password can be described as a "shared secret" because, under ideal circumstances, it is known only to you and the entity with whom you have the account.

If you are granted access to the account after you have entered the password, then we say the account uses single factor authentication. In other words, the decision to grant access is based solely on you knowing the shared secret. (Some accounts use additional background information, such as your device's network address, to supplement the authentication process.)

Sometimes, after providing your password, an account might ask for more information, for example, "please enter the second and fourth digits of your six digit secret access code." I see this quite often in the UK and it is important to note that this is NOT two-factor authentication; that code is just another shared secret, so this is two levels of single-factor authentication. (A scheme like this also has a cost on the service's side: to check individual digits it must keep the whole code in a form it can read back, rather than as a one-way hash of the complete secret, which is how a password should be stored.) 

A second authentication factor is when, for example, after you have entered the password, the login process then says something like "please enter the code we just sent to your phone." At first glance that sounds like just another shared secret, and the code itself is a shared secret, but the phone is a second factor, something you have. 

(Whatever that something you have might be, it should have its own authentication. For example, someone stealing your phone should be challenged by one or more authentication factors before they can access any codes that are sent to it.)

I will get deeper into the definition and description of this second authentication factor in the next blog post. There will be a third post that explores a third factor: something you are, such as your fingerprint or your handwritten signature. 

At this point we have established that there are three main factors of authentication, namely something you know, something you have, and something you are (it is also possible to use your location in determining authentication, although that is enabled by something you have, such as a phone that reports where it is). If an authentication process, like logging into your workstation or bank account, requires more than one factor, that is multifactor authentication. 

The factors used can be any combination of two or more. For example: your fingerprint + password is 2FA; an object you have + a password + the sound of your voice is 3FA. In the next two articles I will look at why some of these combinations might be better than others, but it is now time to take a closer look at passwords. 

In cyberspace, passwords act like keys in meatspace, a.k.a. the physical world. Just as some doors into buildings won't open without the right key, some online spaces won't open up to you without the right password. Both physical keys and digital passwords offer the ability to keep things secure, but both technologies have their weaknesses. 

You can open some locked doors without the key if you know how to pick locks (a skill that is, perhaps not surprisingly, a hobby for some computer security folks).

You can open some locked doors in cyberspace by guessing the password, a task at which computers themselves can excel, given the right software.

Fortunately, there are ways to make passwords harder to guess, as well as other technologies you can use for added security (such as those encompassed by multifactor authentication). I have posted some widely endorsed password advice on the right.

Note that in the context of passwords for digital devices and accounts the statement "harder to guess" includes both "guessing by humans" and "deduction by software programmed by humans." 

I will talk more about the latter later on. Right now we need to explore what is sometimes called the "soft password problem." This is not a new problem. Here is how I wrote about it thirty years ago:

We have a natural tendency to choose, as passwords and PINs, something that is easy to remember, like the last four digits of our home phone number or digits from our birthday, the characters of our vehicle license plate or street address. The problem is that these things are directly associated with us. Someone pretending to be us will most likely know these words and numbers and thus could guess our password. On the other hand, if the password is determined by someone else—handed to us by our bank, for example—and means nothing to us, we might well feel compelled to write it down somewhere, potentially exposing it to other people.

If someone uses a password that is hard to guess because it is entirely random, they may feel the need to write it down because it is hard to remember. If you have ever been locked out of an important program or file because you can't remember the password, you will know that there is a huge incentive to keep a copy of passwords in something other than your brain.

While such commonly used passwords as "123456" or "password" or your home phone number might defeat an inexperienced user who has inadvertently stumbled on a protected file, there is little chance that they will present a problem for the experienced and determined interloper. Indeed, you can easily acquire extensive lists of commonly used passwords. 
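To make the point about software guessing concrete, here is an added example (mine, not the post's or the quoted book's) that plays the "experienced and determined interloper" against a constructed, leaked credential store. The user profiles, the stored hashes and the short list of common passwords are all constructed and hypothetical, and unsalted SHA-256 is used only so the demonstration runs instantly; a real service should store passwords with a slow, salted hash such as argon2id or bcrypt, which makes every guess far more expensive but does not rescue a password that is on the list or derived from the owner's phone number, birthday or plate.

```python
"""Dictionary guessing with cheap mangling rules against a fast password hash."""
from __future__ import annotations

import hashlib
from typing import Iterator, Optional


def sha256_hex(s: str) -> str:
    return hashlib.sha256(s.encode("utf-8")).hexdigest()


# Constructed: facts an attacker could learn about each (hypothetical) user.
PROFILES = {
    "alice": {"phone": "555-0143", "birthday": "1987-06-14", "plate": "KX12ABC"},
    "bob":   {"phone": "555-0199", "birthday": "1990-11-02", "plate": "MN98XYZ"},
    "carol": {"phone": "555-0177", "birthday": "1975-03-30", "plate": "PQ45RST"},
}

# Constructed "leaked" credential store (unsalted SHA-256 so the demo is instant).
STORED_HASHES = {
    "alice": sha256_hex("Kx12abc!"),          # licence plate plus a symbol
    "bob":   sha256_hex("password1"),         # common word plus a digit
    "carol": sha256_hex("mY3q9EVe!U5YUVdg"),  # the random password quoted in the post
}

# A few entries of the kind found on public "most common passwords" lists.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "iloveyou", "admin"]


def personal_words(profile: dict) -> list[str]:
    """Base words that are 'logically connected' to the user (guideline 1)."""
    phone_digits = profile["phone"].replace("-", "")
    y, m, d = profile["birthday"].split("-")
    return [
        profile["plate"],
        phone_digits, phone_digits[-4:],
        y, d + m, m + d + y, d + m + y[2:],
    ]


def mangle(word: str) -> Iterator[str]:
    """Rules a cracker applies to every base word: case variants plus suffixes."""
    cases = {word, word.lower(), word.upper(), word.lower().capitalize()}
    for w in cases:
        for suffix in ("", "1", "!", "123", "2020"):
            yield w + suffix


def crack(username: str, stored_hash: str) -> tuple[Optional[str], int]:
    """Return (recovered_password, guesses_made); password is None if the list runs out."""
    guesses = 0
    seen: set[str] = set()
    bases = COMMON_PASSWORDS + personal_words(PROFILES[username])
    for base in bases:
        for candidate in mangle(base):
            if candidate in seen:
                continue
            seen.add(candidate)
            guesses += 1
            if sha256_hex(candidate) == stored_hash:
                return candidate, guesses
    return None, guesses


if __name__ == "__main__":
    for user, digest in STORED_HASHES.items():
        pw, n = crack(user, digest)
        outcome = f"cracked: {pw}" if pw else "not found"
        print(f"{user:6s} {outcome} after {n} guesses")
```

Alice's and Bob's passwords fall within a couple of hundred guesses (a GPU cracker makes billions per second against SHA-256), while Carol's random password survives because nothing in the list or the profile leads to it; the attacker's only remaining option against her is exhaustive search, which is what the length and character-mix guidelines below are about.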

Choosing and using hard passwords

Thirty years ago I stated that the ideal password is easy to remember and hard to guess, and in many situations that is still true. To help people create such passwords, I suggested the following five guidelines:

  1. There should be no logical connection between the password and the user.
  2. There should be no logical connection between the password and the protected resource (building, system, file, etc.).
  3. If permitted, the password should contain a mixture of characters, both uppercase and lowercase, plus numbers, punctuation, and special symbols. 
  4. The password should be at least eight characters long.
  5. The password should not be a word that is in any dictionary.

These guidelines are still valid, but the fifth one requires clarification because some systems now allow very long passwords, sometimes referred to as passphrases, and a passphrase is usually built from dictionary words. These can be easier to remember than complex passwords. For example, "I've got the month of May" is rated as taking a lot longer for a computer to crack than a very random password like mY3q9EVe!U5YUVdg, which is hard to remember (according to this password strength checker). Treat that rating with caution: checkers of this kind estimate effort as if the attacker were trying every combination of characters, so sheer length wins; a cracker that tries sequences of common words, or known quotations and song lyrics, needs far fewer guesses to find a phrase than that estimate suggests. A passphrase still has to be hard to guess under that kind of attack, which in practice means several words that do not form a familiar quotation. 
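As an added example (mine, not the post's), here are the five guidelines above written as a check, together with two ways of estimating guessing effort for the two passwords just compared: the charset-and-length model that simple strength checkers use, and a model for a cracker that tries sequences of common words. The small dictionary, the hypothetical user facts, the 5,000-word vocabulary and the guess rate are all assumptions made for the example; a real check would load a full dictionary or cracking wordlist.

```python
"""Apply the five password guidelines, then compare two estimates of guessing effort."""
from __future__ import annotations

import math
import re
import string

# Constructed word list standing in for "any dictionary" (assumption for the example).
DICTIONARY = {"password", "welcome", "dragon", "monkey", "letmein", "summer",
              "i've", "got", "the", "month", "of", "may"}

# Assumed vocabulary size a phrase-aware cracker works from. A cracker armed with a
# list of lyrics and quotations would need far fewer tries than this model allows.
PHRASE_VOCABULARY = 5000

SYMBOLS = set(string.punctuation) | {" "}


def _classes(password: str) -> dict[str, bool]:
    return {
        "lower": any(c.islower() for c in password),
        "upper": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in SYMBOLS for c in password),
    }


def guideline_violations(password: str, user_facts: list[str],
                         resource_names: list[str], min_length: int = 8) -> list[int]:
    """Numbers of the five guidelines the password breaks; [] means it passes all."""
    pw = password.lower()
    broken = []
    # 1. no logical connection to the user (name, plate, birthday fragments...)
    if any(len(f) >= 3 and f.lower() in pw for f in user_facts):
        broken.append(1)
    # 2. no logical connection to the protected resource
    if any(len(r) >= 3 and r.lower() in pw for r in resource_names):
        broken.append(2)
    # 3. mixture of character classes (three of the four counts as "mixed" here)
    if sum(_classes(password).values()) < 3:
        broken.append(3)
    # 4. minimum length
    if len(password) < min_length:
        broken.append(4)
    # 5. not a single dictionary word; a passphrase of several words is allowed
    words = re.findall(r"[a-z']+", pw)
    if len(words) == 1 and words[0] in DICTIONARY:
        broken.append(5)
    return broken


def brute_force_bits(password: str) -> float:
    """What simple checkers estimate: log2(charset_size ** length), ASCII only."""
    sizes = {"lower": 26, "upper": 26, "digit": 10, "symbol": len(SYMBOLS)}
    present = _classes(password)
    charset = sum(n for name, n in sizes.items() if present[name])
    return len(password) * math.log2(charset)


def phrase_bits(password: str) -> float | None:
    """Effort for a cracker trying word sequences; None unless every word is in the dictionary."""
    words = password.lower().split()
    if not words or any(w not in DICTIONARY for w in words):
        return None
    return len(words) * math.log2(PHRASE_VOCABULARY)


def effective_bits(password: str) -> float:
    """Assume the attacker picks whichever model needs fewer guesses."""
    candidates = [brute_force_bits(password)]
    pb = phrase_bits(password)
    if pb is not None:
        candidates.append(pb)
    return min(candidates)


def expected_crack_seconds(bits: float, guesses_per_second: float = 1e10) -> float:
    """Average time to hit the password at an assumed rate (fast, unsalted hash)."""
    return 2 ** (bits - 1) / guesses_per_second


if __name__ == "__main__":
    facts = ["alice", "KX12ABC", "1987"]   # constructed user facts
    for pw in ["password", "Kx12abc!", "mY3q9EVe!U5YUVdg", "I've got the month of May"]:
        print(f"{pw!r}: violates {guideline_violations(pw, facts, ['payroll'])}, "
              f"checker says {brute_force_bits(pw):.0f} bits, "
              f"effective {effective_bits(pw):.0f} bits, "
              f"about {expected_crack_seconds(effective_bits(pw)):.3g} s")
```

Under the checker's model the passphrase scores about 160 bits against 105 for the random string, which is the ranking the post's checker reports; under the word-sequence model the same phrase is worth about 74 bits, below the random string, and a single dictionary word such as "password" collapses to about 12. The ordering flips because the second model credits the attacker with knowing how people build passphrases, which is the safer assumption.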

In my next article I will look at how automated password guessing and other developments have undermined passwords, and why you should use a second factor—such as something you have—in addition to a password, to better protect your digital assets.

What about password managers?

