Building Better Authentication: 01
In today’s modern world, the traditional “username + password” authentication scheme has been under heavy attack. It’s clear that with how brilliant system crackers are these days (yes, I said crackers, not hackers. I’m taking the word ‘hacker’ back. Deal with it.) we can’t really stick with simple password-based authentication anymore. No matter how brilliant your password is: IT CAN BE CRACKED.
So let’s perform a thought experiment here and design a better method of authentication. First, let’s look at what we have available as alternate forms of authentication, and analyse whether or not they really meet our needs.
In my mind the value of an authentication method can be divided into three points:
- Ease of Use
- Security
- Configuration Requirements
All three of those items must be balanced to provide the best potential authentication method. Let’s start by breaking a traditional username + password authentication scheme into these principles:
A username and password is something that challenges balance at every turn. The more you increase ease of use (i.e. shorter, simpler-to-remember passwords), the more you DECREASE the security of the password. Configuration requirements are fairly simple, as all you need is a keyboard, and it is generally universally supported.
- Smart cards: A look at traditional two factor authentication.
- Yubikey: The rise of the One time password.
- RSA/SSH-Key: The Linux way
- Bio-metrics: The rise of the bad idea!
In the government, and in many other areas of business, smart card authentication has become a popular way to replace the username and password. With this method of authentication you are replacing your username and password with a physical item plus an easy-to-remember PIN, generally 4-8 numerical digits. In my mind this is near an ideal means of replacing username and password. You end up not having to remember complex combinations of alphanumeric passwords, because the physical smart card is required. In many infrastructures your PIN never changes, and in those that have decided that isn’t safe, it generally only needs to be changed once a year, versus passwords, which it is recommended you change at LEAST every 90 days.
The cons of this, on the other hand, are simple: smart cards are built on an infrastructure. As such, the “configuration requirements” are completely out of balance. You could not, for example, simply get a smart card and incorporate it into your home life. At work this is a great solution, but let’s face it: we are more concerned with our email being cracked and taken over, or our bank accounts, or literally any personal part of our life, than we are with work accounts.
If a work account gets hacked, that sounds like the company’s problem, right? I mean, most of us aren’t that callous, but if you heard at the same time: your personal email was compromised, and: your work email was compromised… then, unless your work email contains top secret government information that will get you arrested, you will probably be more concerned about your personal email.
Another con is that smart cards require you to have a smart card reader on your computer, which is fine for work… OK for home (not hard to get a reader), assuming you set up your own infrastructure that can be used over the internet… but as easy as it is to carry a smart card around with you, you can’t guarantee that any place you go, and any computer you use, will have a smart card reader. So you could be locked out of an account someplace when you need it.
The Yubikey is a fantastic way of bringing two-factor authentication into the home. For supported applications, you simply log in as normal with username and password, touch your Yubikey device, and it inserts a special one-time password and completes the login. That is good; from a security standpoint you’ve hit the nail on the head. Security ACHIEVED. From a configuration requirement standpoint… it’s overall not bad: you have your Yubikey, you load it with your keys, you configure it on each individual website… OK, so it’s not perfect, but it’s not bad. When combined with something like LastPass you can get fairly good security fairly quickly. Of course, when using Yubikey with LastPass you are still, at your core, using a traditional username + password, but at least you can use maximally randomized, huge passwords and be relatively secure.
However, from an ease of use perspective, man, this takes the cake. You should still have a secure password, so you haven’t made things easier; you’ve just added the step of also having a Yubikey plugged in.
Overall: Yubikey is a solid attempt. Or really, any one-time password solution falls into this: SecurID tokens, key fobs, mobile one-time password solutions. All of them are not bad, but not perfect.
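To make concrete what a one-time password buys you over a static password, here is an added example (not code from the original post or from Yubico): a minimal HOTP generator per RFC 4226 plus the server-side check that refuses to accept the same code twice. The secret and counter values are the RFC's published test vectors; the `OtpVerifier` class and its look-ahead window are my own illustration.

```python
"""Added example: RFC 4226 HOTP with replay-rejecting verification.

Shows why a captured one-time password is useless to an attacker:
each code is bound to a counter the server will never accept again.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Compute an RFC 4226 HOTP code for a shared secret and counter."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()    # HMAC-SHA1 per the RFC
    offset = mac[-1] & 0x0F                               # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpVerifier:
    """Server-side state for one enrolled token (hypothetical helper).

    Keeps the shared secret and the highest counter already accepted, so a
    replayed code, or one from an earlier counter, is always rejected.
    """

    def __init__(self, secret: bytes, look_ahead: int = 10):
        self.secret = secret
        self.last_counter = -1          # nothing accepted yet
        self.look_ahead = look_ahead    # tolerate a few unused button presses

    def verify(self, code: str) -> bool:
        # Only counters strictly after the last accepted one are candidates,
        # so the same code can never be accepted twice.
        start = self.last_counter + 1
        for c in range(start, start + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    # Constructed demo using the RFC 4226 test secret.
    verifier = OtpVerifier(b"12345678901234567890")
    first = hotp(verifier.secret, 0)
    print("first use accepted:", verifier.verify(first))     # True
    print("replay accepted:", verifier.verify(first))        # False
```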
If you use Linux, you are no doubt familiar with using RSA public/private keys to authenticate. For those unfamiliar: in Linux it is blindingly easy to generate a key file pair for a secure cryptographic key. These keys can be shared among your Linux systems, and/or carried with you on a USB stick, and provide passwordless authentication to the system that has the paired key on it. Freaking amazing. Easy to use, easy to implement, very secure. It’s the perfect solution!… is what I’d like to say.
The reality is: if you want to be secure, you still need to attach a pass-phrase (yes, pass-phrase instead of password) to your key to protect it from just being copied by someone who happens to get access to a system. The good news is, pass-phrases allow spaces, and don’t generally need to be as complex as a traditional password does. But still, it requires you to remember something, and in a perfect world you would still use separate keys for different servers, so if something is compromised it doesn’t create an instant loss of everything you are using.
Oh, I should also mention that it can only be used among Linux systems… So I guess it’s not actually easy to implement, since it doesn’t actually replace passwords. And really, if you do things “the right way” and have a different key on every system you use, it becomes a nightmare to create so many keys and keep track of them… So never mind.
From a security standpoint you are more or less golden though. *thumbs up* (Let’s not talk about the Heartbleed bug, as that could happen to anyone in the bedroom.)
This is just an honorable mention. Bio-metrics are a bad idea. Why? Because A) if you are disfigured you lose access to your life, i.e. if your thumb is terribly burned and the print is lost, or you take an arrow to the knee… err, eye.
Worse still, even if you created some service that allowed biometrics as authentication to all websites, someone steals your retinal scan information/thumbprint and you can never be secure again.
So let’s create a theoretical product based on how we perceived these other products. What we’ve learned about the perfect solution:
- The solution must be vastly more secure than a traditional username + password combination
- The solution must be easier to use than a traditional username + password combination
- The solution must be usable in ANY situation which would require a traditional username + password combination: websites, Windows logins, Linux logins, remote, local.
- The solution must NOT require the user to have their own infrastructure in place that allows the use of the solution
- The solution must be functional on the average computer you may need to use. (Fuck you smart cards, you were so close, but you had to just wuss out on me at the end.)
- The solution must be able to recover from a potential security breach. (Fuck you biometrics. Nobody wants you here, just go home.)
- Also, not directly discussed but pretty important: the solution must be cheap enough that the average person would be willing and able to afford using it
What is the answer? I don’t have one. That is the point. Think on these things, consider them. I have been and will continue to. I’m going to construct some ideas on how potential solutions could work, and post them in the near future.