Password Security 2.0: Beyond the Password

TECHNOLOGY

Security technology is becoming more sophisticated but examine your options carefully before you upgrade.

With the release of the latest Apple iPhone – the 5s – a new security feature is now available, and the reviewers are all abuzz about this more convenient variant on privacy and data protection. But is all the hype really warranted?

There have been many great innovations and improvements in technology security and authentication over the years. Each type has its benefits and drawbacks. So, with all of these options, which is the best for your personal and business data? The basic forms of data security fall within one of three main categories: biometric, possession, and knowledge factors.

Biometric Factors

Biometrics (i.e., what the user is) are the unique physical traits of the user that can be measured and compared, such as a voiceprint, iris scan or, most commonly used in everyday technology, a fingerprint. While only you possess the originals, biometric factors are nevertheless vulnerable to being copied.

Fingerprint scanners – While not a new innovation, Apple’s ‘Touch ID’ sensor on the iPhone 5s has once again brought mainstream attention to using fingerprints as a convenient way to let your phone know that you’re, well, you. Early reviews suggest that the new sensor is convenient and effective and a considerable improvement over the older-style “swipe” sensors more common on business laptops. However, as with all biometric factors, this method can be defeated by a determined attacker if they have a sufficiently detailed copy of your fingerprint. Unfortunately, a copy of your fingerprint is not as difficult to come by
as you might think. Just consider how many everyday items you touch casually, such as glass doors or windows,
elevator buttons, cups or glasses, and any other non-porous surface.

Face recognition – Front-facing cameras have been included on mobile phones and computers for many years, thereby making this technology appear to have the prerequisites for a mass-market deployment. In fact, this feature is already available on many phones,
such as recent models running Google’s Android operating system. Unfortunately, the current consumer versions of facial recognition technology still have a lot of room to improve. In its current forms, the facial recognition security locks depend on lighting
conditions and facial expressions for their effectiveness and can be fooled by a simple photograph.

Possession Factors

Possession factors (i.e., what the user has) essentially rely on a key-and-lock system. The ‘key’ may take many forms, such as a keychain token, smart card or a small device designed to interface with the machine, such as a USB or audio port token. Possession factors are relatively uncommon on their own for computing security, although they are frequently used as part of a multi-factor or two-step system (something we’ll touch on a bit later). The primary weakness of using a physical object as an authentication mechanism is that it may be stolen or damaged. Think of someone who has the keys to your home, for example; they would have unrestricted access to everything inside!

Knowledge Factors

Knowledge factors (i.e., what the user knows) are very commonly used, such as a secret PIN, pattern or password. The main common advantage to knowledge factors is that the ‘secret code’ may be changed with relative ease and frequency. For example, in
most applications, changing your PIN or password only requires a couple of clicks. Among other things, knowledge factors can be vulnerable to what is known in the computer security world as “brute force attacks.” Simply put, a computer program attempts
to ‘guess’ a passcode by systematically trying a large number of various combinations in a short amount of time. Of course, the greater the number of combinations, the harder it is to crack a password in this way. This is why, despite the inconvenience to the user,
longer passwords that use a combination of numbers, symbols and both upper and lower case letters are considered to be more secure. Unfortunately, the longer and more complex a password becomes, the harder it is to remember!

A four-digit PIN has 10,000 potential combinations; a sixdigit PIN has one million.

PINs and patterns, commonly used by financial institutions and Google’s Android operating system respectively, have the advantage of being easier to remember. Depending on the number of digits in a PIN or dots in a pattern, there may be fewer potential combinations. A standard four-digit PIN, for instance, has only 10,000 potential combinations. On the other hand, a six-digit PIN has one million.
Patterns, as implemented in Android, however, have fewer possible combinations than PINs, mainly due to the number of dots, and the inability to “re-use” the same dot twice.

Multiple Factors

Since biometric-, possession- and knowledge-based factors all have weaknesses of some sort or another, data security teams have devised what is known as Multi-Factor Authentication to try to decrease the possibility that a data thief or “hacker” will be able
to breach your security. Multi-factor (also called two-step or two-factor) authentication is intended to make it more difficult for an attacker to have all the required factors, thereby improving security. An ATM is a classic example of a security system that
requires two-step authentication in order to complete any transactions. First, you require a debit card (the possession factor) and second, you must know the PIN (the knowledge factor). Multi-factor authentication is often a requirement for highly secured IT systems,
although it is becoming more commonly available in consumer applications. Google, Facebook, Twitter and other major online sites are now optionally offering some form of two-step authentication as well.

While Multi-Factor Authentication is arguably far more secure, the limitation is that the system itself must be set up to use two-step authentication. Unfortunately, since most software programs don’t have the option to add a second step for authentication, a password is the only option available.

Balance Security with Convenience

Security and usability tend to have a direct relationship: as data security increases, it often becomes more difficult to access the data. The trick is to find the right balance between an acceptable level of inconvenience and the desired level of protection for your
data and privacy. Keep in mind what you’re trying to protect and the potential consequences if someone gains unauthorised access, and use an authentication method that strikes the best balance. For example, your fingerprint may be secure and convenient
enough to keep prying eyes from your personal email or Twitter feed, but you might consider using something more secure for your financial accounts or sensitive client data.

Regardless of the kinds of authentication you’re using, a little common sense can go a long way. Use a password that’s sufficiently secure, never share your PINs or passwords, and don’t write them down!