Skip to main content

2-Factor Is Great, But Passwords Still Weak Spot

The last few months have seen a plethora of consumer focused websites and services, all adding in two-factor authentication systems, in order to improve security.  The main focus of these additional authentication steps, generally involve a secondary one time password, being sent to the authenticating user, either via a previously registered email address or mobile phone number.  This is moving the authentication process away from something the user knows (username and password) to something the user has - either an email address or mobile phone.  Whilst these additional processes certainly go some way to improve security, and reduce the significance of the account password, it highlights a few interesting issues, mainly that password based authentication is still a weak link.




Consumers Accept New Security

Two factor authentication solutions have been around for a number of years, either in the form of hard tokens (RSA for example) or physical proximity cards for use with a pin to access a controlled physical site.  However, many have been used for general high security enterprise or internal scenarios, such as access to data centers or perhaps dialing into a secure network from an unsecure location.  The interesting aspect today, is that many of these SMS based 'soft' approaches to two factor authentication, are being made available to consumers, accessing standard web applications and sites.  The services those sites offer, whilst containing identity data or personal information, are not particularly life threatening or business critical.  It is interesting to see websites taking a risk with regards to user convenience, in order to implement greater security.  As a security professional, even just from an awareness perspective this a positive move.  Many end users, most of whom are non-technical, now willingly accept these additional steps, in order to reduce the risk associated with their account being hacked.


Password Security is Fundamentally Weak

But why the increased use of two-factor and why are users happy to accept this new level of security?  The main underlying point, is that simple password based authentication, is and never really will be, a totally secure way of protecting resources.  I've blogged on this topic several times in the past 18 months (Passwords And Why They're Going Nowhere, - March 2013,  The Problem With Passwords (again, still) - Oct 2012, The Password Is Dead (long live the password!) - Feb 2012), but the situation still remains: passwords have numerous weaknesses.  Some arise from the end user side (use of non-complex passwords, password sharing between sites, passwords being written down) and some from the custodian side, especially with regards to password storage (use of clear text - yes really!, symmetric encryption as opposed to hashing) and password transit (use of non SSL / HTTPS communication).  The complexity of password hacking techniques is also pretty mature, with automated tooling, pre-compiled hashing tables and harvesting engines, all make application protected by just a username and password, a risky proposition.

Biometrics - Face Recognition

Ok, so everyone knows passwords are weak.  So what are the options?  Due to the rise of mobile technology - both smart phones and tablets - the raw hardware technology available to most end users, is considerably higher than it was say 5 years ago.  Most devices will have high resolution cameras and touch screens that can be used for additional authentication checks, without the need for additional costly hardware.  Facial recognition is available on many of the Android and iOS handsets, when used alongside a secondary PIN.  Most facial recognition systems either use an algorithm to analyze the relative position of things like the nose, eyes and mouth or perhaps analyse a selection of facial images to create a normalized view.  This area is certainly developing, but can perhaps be circumvented by pictorial replays or other savvy attacks.  Google has certainly taken a lead in this area, by recently announcing a patent based on facial authentication.


Biometrics - Voice Recognition

Another area of interest is that of voice or speech based authentication.  On a similar front to facial recognition, this is focusing on the premise, that something you are, is certainly a lot more secure than something you know (password) and even more so than something you own (token).  Vocal recognition requires the 'printing' of the users voice, in order to identify the unique characteristics of the individual.  This is akin to a fingerprint, and when measured accurately using the amplification levels of key frequencies and other pause factors, makes an arguably world unique view of a user's voice, similar to a DNA sample.  At login time, a user is asked to repeat a certain phrase that was used at registration time in order to identify a match.

Any biometric method will raise questions about practicality (accuracy of technology, avoidance of poor type I and type II error rates for example), as well as managing the privacy concerns of holding individual biological data.  The latter part however, could probably be overcome by holding simple hashes of key checking metrics as opposed to raw data.

Either way, passwords may at last be on the long goodbye away from centre stage.

By Simon Moffatt

Popular posts from this blog

2020: Machine Learning, Post Quantum Crypto & Zero Trust

Welcome to a digital identity project in 2020! You'll be expected to have a plan for post-quantum cryptography.  Your network will be littered with "zero trust" buzz words, that will make you suspect everyone, everything and every transaction.  Add to that, “machines” will be learning everything, from how you like your coffee, through to every network, authentication and authorisation decision. OK, are you ready?

Machine Learning I'm not going to do an entire blog on machine learning (ML) and artificial intelligence (AI).  Firstly I'm not qualified enough on the topic and secondly I want to focus on the security implications.  Needless to say, within 3 years, most organisations will have relatively experienced teams who are handling big data capture from an and identity, access management and network perspective.

That data will be being fed into ML platforms, either on-premise, or via cloud services.  Leveraging either structured or unstructured learning, data fr…

Customer Data: Convenience versus Security

Organisations in both the public and private sector are initiating programmes of work to convert previously physical or offline services, into more digital, on line and automated offerings.  This could include things like automated car tax purchase, through to insurance policy management and electricity meter reading submission and reporting.

Digitization versus Security

This move towards a more on line user experience, brings together several differing forces.  Firstly the driver for end user convenience and service improvement, against the requirements of data security and privacy.  Which should win?  There clearly needs to be a balance of security against service improvement.  Excessive and prohibitive security controls would result in a complex and often poor user experience, ultimately resulting in fewer users.  On the other hand, poorly defined security architectures, lead to data loss, with the impact for personal exposure and brand damage.

Top 5 Security Predictions for 2016

It's that time of year again, when the retrospective and predictive blogs come out of the closet, just before the Christmas festivities begin.  This time last year, the 2015 predictions were an interesting selection of both consumer and enterprise challenges, with a focus on:


Customer Identity ManagementThe start of IoT security awarenessReduced Passwords on MobileConsumer PrivacyCloud Single Sign On
In retrospect, a pretty accurate and ongoing list.  Consumer related identity (cIAM) is hot on most organisation's lips, and whilst the password hasn't died (and probably never will) there are more people using things like swipe login and finger print authentication than ever before.

But what will 2016 bring?


Mobile Payments to be Default for Consumers

2015 has seen the rise in things like Apple Pay and Samsung Pay hitting the consumer high street with venom.  Many retail outlets now provide the ability to "tap and pay" using a mobile device, with many banks also offer…