He isn’t the first and he certainly won’t be the last – but perhaps the chief financial officer at Twitter, of all places, ought to know better?
That was the attitude when Twitter CFO Anthony Noto had his own Twitter account hacked in early February. Fortunately, the attackers only used his account for sending low-level spam, rather than, say, bogus messages that could have been used to hype or trash Twitter’s stock price.
While Twitter offers two-factor authentication – a secondary check at login, in which a code is sent to the user’s mobile phone and has to be tapped in – most people either don’t bother or don’t want to hand over a phone number. The password therefore remains the predominant form of authentication for a wide range of sensitive online applications, including corporate systems.
The question is, when will the password be replaced, if ever, and is there anything else that is – or could be – equally convenient for users?
Barry Scott, chief technology officer of identity management software company Centrify, argued that while passwords are “basically not fit for purpose, they are going to be with us for a long time”. He continued: “Things aren’t going to change overnight. We need to use them as little as possible and, where we might be particularly vulnerable, back them up with multi-factor authentication.”
One of the ways in which passwords are often compromised, he said, is via password recovery systems, which are all too often easy for outsiders to subvert. That is one reason why corporate and other email accounts are so highly coveted by attackers: new passwords or reset links, even for sensitive systems, are often sent straight to an email account, no questions asked.
Even when security questions are asked, they are trivially easy for a determined attacker to overcome, Scott said: information such as schools attended or pets’ names is relatively easy to find out in the age of Google and Facebook.
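As an added illustration (not code from the article, from Centrify or from Twitter), the following shows the minimum a reset flow should do so that a recovery token is worth little to anyone who did not request it: the token comes from the OS random source, only its hash is stored, it expires quickly, it is single-use, and repeated bad guesses void it. The store, the 15-minute lifetime and the five-attempt limit are assumed policy values chosen for the example.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # assumed policy: a reset link should die quickly
MAX_ATTEMPTS = 5              # assumed policy: bad guesses before the token is voided


def _digest(token: str) -> str:
    # Only the hash is kept server-side, so a leaked table does not hand out live tokens.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class ResetTokenStore:
    """Issues and redeems single-use, time-limited password reset tokens.

    Hypothetical in-memory store for illustration. `now` is injectable so the
    expiry behaviour can be exercised without waiting for real time to pass.
    """

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # user_id -> {"hash": str, "expires": float, "fails": int}

    def issue(self, user_id: str) -> str:
        # 32 bytes from the OS CSPRNG; issuing again replaces any older token for the user.
        token = secrets.token_urlsafe(32)
        self._pending[user_id] = {
            "hash": _digest(token),
            "expires": self._now() + TOKEN_TTL_SECONDS,
            "fails": 0,
        }
        return token  # the only copy that leaves the server, e.g. inside the emailed link

    def redeem(self, user_id: str, presented: str) -> bool:
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        if self._now() > entry["expires"]:
            del self._pending[user_id]          # expired: drop it, same answer as "no token"
            return False
        if hmac.compare_digest(entry["hash"], _digest(presented)):
            del self._pending[user_id]          # single use: a replayed link fails
            return True
        entry["fails"] += 1
        if entry["fails"] >= MAX_ATTEMPTS:
            del self._pending[user_id]          # too many guesses: force a fresh request
        return False
```

Even done this way, the flow still trusts whoever can read the inbox in that 15-minute window, which is exactly the weakness described above; the real fix for sensitive accounts is the step-up to a second factor that Scott recommends, not a better token.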
No alternatives
In a 2012 technical report, researchers at the University of Cambridge examined the alternatives to the password for authentication.
It covered encrypted password managers, federated single sign-on, graphical passwords, hardware tokens, paper tokens, biometrics and mobile-phone-based authentication, as well as recovery. In total, almost 40 different schemes and technologies were examined by a team of researchers at both the university and Microsoft.
The trouble is, it concluded, that no single scheme beat passwords across all three of the criteria it used: usability, deployability and security. “Not a single scheme is dominant over passwords; i.e., does better on one or more ‘benefits’ and does at least as well on all others. Almost all schemes do better than passwords in some criteria, but all are worse in others,” the report said.
The long-established RSA SecurID hardware token, for example, is more secure than a password alone and a reasonable choice for particularly important systems, but it falls short on cost, usability and scalability. Graphical passwords, meanwhile, may have usability advantages but are highly vulnerable to “shoulder surfing”.
Biometrics, once touted as the answer, also have many problems. “Biometric schemes have mixed scores on our usability metrics, and do poorly in deployability and security,” said the report. If a genuine user is locked out because their biometric cannot be read accurately, recovery is slow, difficult and costly. And if the stored “digital representation” of someone’s fingerprint, iris or voice is stolen, the whole system can be undermined: you cannot change someone’s biometrics in response.
“Hence despite security features appropriate to control access to physical locations under the supervision of suitable personnel, biometrics aren’t well suited for unsupervised web authentication where client devices lack a trusted input path and means to verify that samples are live,” warned the report.