Passwords Remain the Weakest Link in the “Protection versus User-Friendly” Tech Battles
There is a vast amount of “how-to” information on the internet about creating strong, unique passwords. This information is especially important in the wake of several massive cyber-attacks in which millions of passwords, and at least 93,000 websites and entities, including Facebook, Twitter, Gmail, Target, and Adobe, were compromised. Several post-attack articles listed the twenty most commonly used passwords and implored readers to examine the list. If their password was among those listed, they were advised to change it immediately.
The ubiquitous password has become a media darling, with blogs, articles and news releases urging everyone to do a complete overhaul of their favorite passwords. According to an NPR article, an estimated 60% to 80% of Social Security numbers, that once-unique identifier, had been stolen as of mid-2015. Even President Obama has weighed in and “made a grass-roots call, literally asking citizens to please take basic steps, and use available technology to protect their data.”
With password limitations reaching new heights, many security professionals are calling for identity verification practices designed to make the complexities and risks of authenticating online credentials and identities manageable and safe. Enter the Fast Identity Online (FIDO) Alliance, a non-profit founded in July 2012 and publicly announced in February 2013. This industry group is in the midst of championing better multifactor authentication and open standards to promote interoperability of next-generation authentication technologies.
Whether you are a security professional or an ordinary user, juggling multiple passwords for bank accounts, online stores or workplace applications, the FIDO alliance will impact your online activities if it hasn’t already. Since that 2012 date, the alliance has been busy, bringing on board such major players as Google, Netflix, MasterCard and according to a January news release “100 solutions are now FIDO® Certified and hundreds of millions of end-users’ desktop and mobile apps have FIDO-enabled authentication protection available from leading service providers.” FIDO-ready certification is established by passing a series of tests based on Universal Authentication Framework (UAF) or Universal Second Factor (U2F) requirements.
U2F, originally developed by Google and Yubico, is an effort to get web browsers, online service providers and operating systems to authenticate users with a robust second factor, such as a USB key token, or by bringing a second mobile device into play. This authentication method, launched by Google and Yubico in late 2014, is now hosted by the FIDO Alliance, which provides support for deployers of the technology.
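To make the “robust second factor” concrete, here is an added example (not code from the original article or from the FIDO Alliance) of the relying-party side of a U2F authentication: the service checks that the token asserted user presence, that the signature over the app identity, presence byte, counter and challenge verifies under the key registered earlier, and that the token’s counter has moved forward. The token itself, its key pair, the app ID `https://example.test` and the client data are constructed stand-ins for a real USB key and browser.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// signatureBase assembles the bytes a U2F token signs during authentication:
// sha256(appId) || userPresence || 4-byte big-endian counter || sha256(clientData).
func signatureBase(appID, clientData []byte, presence byte, counter uint32) []byte {
	appParam, chalParam := sha256.Sum256(appID), sha256.Sum256(clientData)
	base := append(appParam[:], presence)
	base = append(base, byte(counter>>24), byte(counter>>16), byte(counter>>8), byte(counter))
	return append(base, chalParam[:]...)
}

// VerifyAuth performs the relying-party checks: user presence asserted, DER ECDSA
// P-256 signature valid under the public key stored at registration, and counter
// strictly above the stored one (a repeated or lower counter means a replayed
// response or a cloned token). It returns the counter value to store next.
func VerifyAuth(pub *ecdsa.PublicKey, last uint32, appID, clientData []byte, presence byte, counter uint32, sig []byte) (uint32, error) {
	if presence&0x01 == 0 {
		return last, fmt.Errorf("user presence not asserted")
	}
	digest := sha256.Sum256(signatureBase(appID, clientData, presence, counter))
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return last, fmt.Errorf("bad signature")
	}
	if counter <= last {
		return last, fmt.Errorf("counter did not advance: replay or cloned token")
	}
	return counter, nil
}

// TokenSign stands in for the hardware token (constructed for this example).
func TokenSign(priv *ecdsa.PrivateKey, appID, clientData []byte, counter uint32) []byte {
	digest := sha256.Sum256(signatureBase(appID, clientData, 0x01, counter))
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return sig
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // key pair made at registration
	appID, client := []byte("https://example.test"), []byte(`{"challenge":"n0nce"}`) // constructed
	sig := TokenSign(priv, appID, client, 7)
	last, err := VerifyAuth(&priv.PublicKey, 0, appID, client, 0x01, 7, sig)
	fmt.Println(last, err) // 7 <nil>
}
```

Because the app ID is hashed into the signed data, a signature obtained for one site does not verify for another, which is the property that lets U2F resist phishing where a password alone cannot.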
Most ordinary users don’t even realize that they are already using a two-factor authentication system in many areas of their everyday life. When you stand in front of an ATM, insert your ATM card and are then asked to enter your PIN, you have just verified your identity in two different ways, something you have and something you know, which is the same principle that U2F applies online.
As two-factor authentication offerings grow among service providers and platforms, it is important to stay focused on the ultimate goal – security across a broad spectrum of online industries. However, it is always the end-user who determines the success or failure of any new technology. The first time the owner of a Twitter, Dropbox or credit card account cannot log in because of a two-factor authentication constraint, they will most likely try to disable the stronger authentication as soon as possible. That is just human nature.
Not addressing this reality creates critics, rather than fans, of a more robust system. Security professionals know that for the consumer, convenience is paramount, and by offering options for deploying the double layer of security, the consequences of additional authentication shift back to the user who is doing the choosing. Without a distinct focus on how the ordinary user experiences the two-factor technology, the industry may be heading for a battle of “protection versus user-friendly” which could lead to a negative outcome for this necessary upgrade.
Arming consumers with the knowledge that passwords are the weakest link in determining that users really are who they say they are, and that even the most complex password is susceptible to a determined attack, is the first step toward online experiences that are safe, secure and still user-friendly. For more information regarding FIDO, UAF and U2F, contact us; we are ready to answer your questions.