Is Now the Time to Move Past Password-Based Security?
With two high-profile incidents exposing the flaws of password-based security, it's clearly an issue on people's minds. While solutions exist to help mitigate the password's inherent weaknesses, a new industry group, with the backing of Google, seems ready to tackle the problem for good.
It didn’t break Twitter, but it broke the stock market for a second.
Last week’s hack of the Associated Press Twitter account was a pretty good reminder that you can have the strongest security out there, and it still may not be enough to keep your account safe.
The AP, due to its organizational demands, likely had a strong security setup for its social media accounts, with tweets going through SocialFlow, an audience-management app across its social outlets. But a phishing effort that was described by employees as highly sophisticated allowed a group—likely the Syrian Electronic Army—to post inaccurate information on a feed trusted by millions, including stock market investors.
It led to calls for higher security. And while, yes, Twitter is finally taking notice and moving toward two-step authentication, the situation raises far deeper issues than the account breach.
For example: Is password-based security enough? Do we need to rethink the approach entirely—how we train staff members and the way we secure passwords across the board?
While solutions exist, their flaws are underlined by the fact that, no matter how you slice it, they still rely on the lowly password.
Two-Step: Good But Imperfect
The solution to many security problems can be as close as your nearest smartphone. As we’ve reported, two-step authentication (which allows you to tether an account to your phone, forcing you to type in a code when logging into a new device and informing you of any unauthorized login attempts) has seen an uptick in usage in recent years, particularly with Google-based logins.
However, two-step authentication has problems of its own. First up, when many accounts use a single sign-in, as happens on Twitter, the level of complication rises considerably. Now, Twitter could potentially be thinking of ways to solve this issue on its end—say, by expanding access to more team members, akin to what secondary layers like Buffer and HootSuite already do. But when you have 30 apps trying to do two-step authentication, a useful process is in danger of becoming endlessly cumbersome.
And even two-step isn’t always enough, especially if the hacker is dedicated and savvy. Last year, the security service CloudFlare suffered a customer account breach, even though two-step authentication was turned on for CEO Matthew Prince’s Gmail account. How’d the hackers get in? Simple: They called AT&T and, using manipulative tactics and the last four digits of Prince’s social security number, convinced the customer support person to forward Prince’s voicemail to a different number.
The odds of that happening to most people are extremely low, but it’s certainly much better to use two-step authentication than a single password.
LivingSocial’s Silver Lining
On Friday, the issues underscored by the AP’s Twitter hack were again highlighted by a security breach of LivingSocial, a popular, mainstream daily-deals site with 70 million members worldwide. It was an extremely serious hack, on a scale even wider than the Evernote hack earlier this year: Names, passwords, and addresses—but not credit card information—were compromised.
But here’s the interesting part about all of this: The company was an early adopter of Facebook Connect, and people who signed up for the site via Connect didn’t have their credentials affected by the security breach. While that certainly doesn’t suggest single sign-in methods are a silver bullet for stopping data breaches (for one thing, customer data was still exposed, no matter how the users logged in), it does suggest that they have value, as they reduce the number of places a password is stored and can be stolen. This could prove useful, for example, with closed communities, where users may be more likely to reuse passwords from other sites. (If you need something a little more standards-friendly, OAuth and OpenID are open standards that aren’t so intertwined with Facebook.)
This philosophy can translate to work within your organization, as well: The popular 1Password, available on desktop and mobile platforms as well as via browser extensions, essentially approaches Facebook Connect’s single-password solution from the other direction. The $49.99 app, available under site licenses for large organizations, allows users to set different passwords for every site and keeps them easy to access. You don’t have to remember 300 passwords. You just have to remember one and use the app to access the rest.
If $49.99 is too much for you, the open-source KeePass serves a similar function. Either way, it may be worth considering technical solutions to best secure logins related to your association’s digital products.
Can an Industry Group Help?
But the fact of the matter is these solutions have weaknesses, too. A dedicated social engineer can get around a firewall with some smart trickery.
That’s why it’s worth keeping an eye on the FIDO Alliance, a tech industry group that is working to create open standards for authentication, with the goal of allowing new ways to log in to accounts. From one-time passwords to Near Field Communication, these approaches could help security more than the cat-and-mouse game that we’ve seen in recent years with password issues. FIDO Alliance launched in February, with PayPal the biggest name on the board.
And it just got a big name on its member rolls, one that could help push these open standards across the internet: Google.
“The momentum achieved by the FIDO Alliance since our public launch in February is impressive and speaks to the unanswered need in the marketplace for open, interoperable strong authentication,” the group’s vice president, Ramesh Kesanupalli, said in a press release. “Google brings insights to implementing strong authentication at scale and illustrates how to bring pioneering research and initiatives into the FIDO Alliance.”
While the group doesn’t plan to put its weight behind any single solution, the support of an industry organization could go a long way to help us start thinking about security less in terms of passwords and more in terms of physical devices and easy-to-replicate approaches. It’s too soon to tell how it might help, but it’s certainly a good start.
Ultimately, password-based security is something that needs to be considered on the organizational level, and users need to be trained in best practices—scrutinizing the things that they see from day to day, using their heads, and being careful about the links they click.
But who knows? Maybe someday, we’ll be able to close the vault for good.