Computers have a hard time verifying human identity, or even identifying machines that are posing as humans. This poses a great challenge to engineers who want to create secure and usable computer systems.
Good security can already be difficult in theory, but in practice user behavior makes it even trickier. Security best practices are tough to implement and almost impossible to enforce. The user shouldn’t have to go out of their way to get accustomed to complicated new security procedures, but basic knowledge is essential for secure authentication.
The Different Types of Protection
Passwords are among the most demonized, yet also most commonly used, authentication tools today. Users are often criticized for choosing weak passwords, but when accounts are breached, it’s often the fault of the service.
When coupled with automatic account freezes after a certain number of failed attempts, or limits on how frequently a user is allowed to attempt to log in, even simple and non-unique passwords can adequately protect an account, unless the attacker is highly motivated and well funded.
Another avenue of attack is the password reset. As the user might forget or lose their password, a procedure usually exists to reset it. This procedure might provide an easy way for an attacker to get at the user’s information.
It is not too difficult for a site to handle the storage of passwords properly, but many do not follow basic security procedures. As a result, passwords often get leaked online, and because users reuse the same password across multiple sites, many of their accounts might be compromised simultaneously. Password managers can help mitigate these risks, and as such will play an important role in the future of passwords.
You might even say password managers will save the password.
Two-factor Authentication
In addition to a password, many services, such as Google, give you the option of adding a second layer of security, through the use of two-factor authentication. This can be a code generated on your device or sent to your phone. It can also be a code generated on an external device.
This has great advantages over simple passwords, but in practice it is, like passwords, undermined by its reset mechanism. The user might lose access to their phone or SIM card, or to the process that generates codes. They may even lose the device itself. The real kicker is that the reset mechanism required to make a product usable again is often the same procedure an attacker uses to bypass the protection in the first place.
Captchas
Captchas are usually small games or images in which the user has to answer a seemingly easy question, such as “How many images have cats on them?” or “Type the number below.”
They have one goal: to determine whether you are a robot or a human. However, artificial intelligence is becoming more and more capable of solving Captcha tasks.
Furthermore, thousands of people around the globe are currently getting paid minimal amounts of money for every Captcha that they solve. These solutions are integrated into an automated process, which enables computers to break barriers that were built to keep them out, blurring the line between human and machine.
Biometrics
Fingerprint scanners are the most commonly used form of biometrics. While some computers have fingerprint readers, the feature is most prevalent in the latest generation of cell phones.
Other systems are gaining traction too, such as phones that unlock after identifying the owner’s face. Many new passports also contain biometric data, such as fingerprints or faces.
Importantly, biometric data cannot be hashed. A hash is a one-way function: it transforms data so that the original cannot be recovered from the result, which makes it possible to store passwords securely. All biometric data, even DNA, is always slightly different from one reading to the next and never exactly the same. If such data were stored as a hash, it could not be compared, as even slight variations would drastically change the hash.
However, biometrics are very difficult to use online. First of all, it is very difficult to read biometric data remotely. While a physical gate or a phone might have ways to verify the integrity of its camera and fingerprint scanner, an online service would not. As a result it would be far easier to trick the online service with false data, such as video recordings or pictures. Without the ability to securely store fingerprints, iris images, or face rasters, biometric data becomes extremely vulnerable to theft. Armed with a person’s biometric data, an attacker could easily gain access to many of their systems and services.
We also cannot assume that our biometric data stays private. It would not take much effort to read a fingerprint from a glass or handrail, then reproduce it to unlock a device. In fact, this has been done with photos alone.
There are also legal issues concerning the use of biometric data. In most jurisdictions you cannot be forced to testify against yourself, so courts are also not able to force you to reveal your passwords. Your fingerprint and other biometric data are not covered by this protection, so they can be used to unlock your phone without your consent.
Machines Can Learn Human Behavior
When humans recognize each other, they take a lot more into account than just a name or a password. Humans don’t just look at biometric data, such as the face and stature, but also at behavioral data, such as the way somebody speaks or walks. Machines are increasingly capable of observing and recognizing human behavior, and although the observations are not predictive enough by themselves, the gathered data can significantly strengthen other authentication procedures. For example, a computer may recognize the way we type a password or the way we hold our phones.
By learning more about how we behave, our devices will have an easier time determining their true owner, and possibly even shut down or erase themselves when they sense an intrusion.
Public and Private Key-pairs
Public and private key-pairs are the main characteristics of asymmetric cryptography. Currently mostly found in systems such as PGP and Bitcoin, public and private key-pairs might easily find a use in authentication systems as well.
While the user’s private key would stay on the device, the public key could be safely uploaded and stored on a service’s servers. A user could use the same key-pair for multiple services, or create multiple pairs at no cost.
Instead of transmitting a password to log in, the user would create a signed message specifying the details of the current login. It might be limited in time, by IP address, or even to certain actions, such as access to particular folders or activities.
Strengthen Procedures With Hardware
Some of the above, such as passwords, two-factor authentication, biometrics, and key-pairs, become a lot more secure when moved onto specialized, audited and trusted hardware. For extra security, you might want to keep your password manager or private keys on such a device, authenticate it with biometric data and encrypt the contents with a strong password.
A Strong Password Is Still the Best Defence
Passwords will likely remain the best authentication method available to us, although we will increasingly see them further strengthened with biometric authentication, hardware, and encryption.
Identifying a returning user without a password is one of the most difficult challenges, and doing so is often time intensive and costly. The biggest issue will remain the password reset, which is embarrassingly easy to abuse with many services.
Combining various types of alerts and grace periods can reduce the damage of intrusions through improper password resets, but at the expense of convenience.
Arthur Baxter is an Operations Network Analyst at ExpressVPN, a leading privacy advocate whose core mission is to make it easy for everyone to use the Internet with security, privacy, and freedom. They offer 100+ VPN server locations in 78 countries. They regularly write about internet security and privacy at the ExpressVPN blog.