Perfect authentication remains elusive

For years, leaders of the security industry have warned that passwords have outlived their usefulness. Users pick easy-to-crack passwords like the name of a dog or a favourite movie. They’re written on post-it notes and left sticking to the monitor for all to see. 

Multi-factor authentication — using more than one form of authentication to verify the legitimacy of a transaction via smart cards, tokens or biometrics, for example — is often held up as the alternative; an end to insanity.

The reality is far less simple.

At Security B-Sides Tuesday, a panel discussed the best ways to address the problem.

Marisa Fagan, security project manager at Errata Security, mapped out the problem security shops face. Errata, she said, has found that 10 percent of all Twitter traffic is comprised of phishing and malware attacks. Many users are often duped into clicking on a phishing link or their password is so easy to guess that the bad guys crack it. From there, the path to one’s sensitive data is shorter and clearer.

“Recycled passwords are a problem,” she said. Launch a brute-force attack and access a password and you’re in business. Cracked Facebook passwords are being sold for $100 or less, she noted.

“There are different ways to solve the authentication problem, but removing passwords would kill all the birds with one stone,” Fagan said. “The question is how best to go about it.”

Multi-factor authentication would seem the easy answer. But here’s the problem: Attackers can also get around that with little trouble. The reason, as in the password problem, is that users end up being the path of least resistance.

“People will write their PINs right on their token. So have we decreased risk? We’ve created a bigger barrier” but that’s not enough, said Michael Santarcangelo, founder of the Security Catalyst Community.

Jennifer Jabbusch, CISO at Carolina Advanced Digital Inc. in North Carolina, noted how companies implement multi-factor authentication but don’t always get the implementation right. That’s when the company is left with nothing but “feel-good security.”

“We need to draw a line and not pursue solutions that simply offer a feeling of security,” she said. “Things make you feel better don’t really help.”

There’s also the lingering problem of economics. Federated ID, which lets business partners automatically access each other’s networks without requiring piles of passwords, is often cited as one of the more ironclad options. But the cost and complexity has led to far fewer federation implementations than industry experts were predicting five years ago.

So where’s the ultimate solution? The panelists said there’s no one-size-fits-all approach. User education certainly remains key — making people aware of why it’s bad to write their PIN right on the token, for example. The other thing is to recognize that no method of authentication is 100-percent ironclad and plan for the possibility that the bad guys will still get through.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now