Co-authored by Professor Woodrow Hartzog.
Authentication presents one of the greatest security challenges organizations face. How do we accurately ensure that people seeking access to accounts or data are actually whom they say they are? People need to be able to access accounts and data conveniently, and access must often be provided remotely, without being able to see or hear the person seeking access.
Problems with Passwords
The predominant method of authentication thus far has been the password.
Unfortunately, passwords have some significant shortcomings – they depend upon human memory, which is limited. Short and simple passwords are easy to remember, but they are also easy to crack. So passwords need to be long and complex as well as easy to remember, and this combination is incredibly hard to achieve.
Making the problem even worse, people are told that all of their passwords should be unique. Password reuse dramatically increases people’s vulnerability when one of their passwords is compromised. But remembering many long and complex passwords is a virtually impossible feat to demand of human memory.
According to one study, consumers have an average of 24 online accounts. For those who use the Internet more robustly, the number of accounts is much higher.
The mainstream advice on creating passwords counsels people to use special characters, numbers, punctuation, and upper and lower case. All these add complexity to passwords, but they also make passwords significantly harder to memorize.
These demands have resulted in users being given the Herculean task of creating a unique, complex password for every account. No one can remember all of these passwords, so people ignore the advice about using unique passwords and reuse the same password or draw from a pool of a few passwords. According to a study, 73% of accounts use duplicate passwords, and consumers use, on average, only 1 unique password per every 4 accounts.
As if remembering complex passwords weren’t hard enough, many companies want passwords to be changed frequently. Unsurprisingly, people often don’t change their passwords. Indeed, by one estimate, nearly half of consumers have a password they haven’t changed in more than five years.
The more challenging it becomes to memorize all the passwords, the more likely people are to write the passwords down in convenient locations, thus creating additional security risks. Passwords find their way onto sticky notes near computers or in wallets or in email or listed in text files in devices.
One company marketed a product called Password Minder and produced a hilarious infomercial that says that Password Minder has been designed to “safely store passwords.” It touts: “Never lose a password. Guaranteed!” Password Minder “features a discreet leatherette-bound cover to ensure your passwords stay a secret.”
We suggest an alternative title – Fraudsters, Here Are All My Passwords for You in One Easy-to-Recognize Book.
And then there is this line of password books, designed for the special needs of various types of people.
A look inside each book, however, shows that all books have pages that look like this:
Last, but not least, there’s The Personal Internet Address & Password Log Book, a small tabbed book where people can write down all their login credentials.
When we last checked, this book ranked #428 out of all books on Amazon, and is the bestselling book in Amazon’s Internet and Telecommunications category.
To our dismay, it’s doing far better than any of our books. Maybe it’s time to write a password keeper book of our own!
These solutions will make any security expert chuckle, but laughter is misguided if directed at the people who would use such a product – instead, the laughter should be at the fact that people feel the need to resort to such means because of the impossible demands being made on human cognition.
Locking the Front Door But Leaving the Back Door Open
Suppose a user has many long, complex, or unique passwords. Is the user safe?
Nope. For example, in a phishing attack, fraudsters try to trick users into giving away their passwords. Often, fake websites and deceptive hyperlinks look very real and easily deceive many users. As another example, malware such as keystroke loggers and other spyware can be used to obtain passwords, which seems to be how health insurer Anthem was breached last year. Even when users act perfectly in adopting complex, unique passwords and avoid accidental disclosure, malware can still compromise username and password credentials.
The current approach to passwords protects against only certain types of attacks and fails to address other threats. And by asking people to do the impossible by creating passwords that are both unique and complicated, this approach practically forces people to engage in risky behaviors that defeat the purpose of these protections.
Hardly any expert would disagree with the problems we stated above, yet passwords remain the predominant approach to authentication. We are living in a world of ostriches, their chuckles at the absurdity of the situation muffled by the sand above their heads.
Why Aren’t Better Authentication Methods Catching On More Widely?
There are other solutions to authentication problems and methods of authentication that could be used if organizations moved away from their futile clinging to passwords. Many relatively cheap and easy-to-deploy methods can be used to protect against different kinds of attacks on credentials. One such example is two-factor authentication.
The essence of two-factor authentication is simple. In order to log in, you must have something you know (usually a password), as well as one additional factor: something you have (usually your cellphone) or something you are (usually a fingerprint or faceprint).
Two-factor authentication is particularly promising because it has already been deployed by major companies, it protects against many different kinds of offline attacks, and it can leverage a technology that most people already constantly carry around – their cellphone. Two-factor authentication is a good way to protect against both online and offline attacks. While two-factor authentication remains vulnerable to specialized phishing and malware-based attacks, those vulnerabilities are relatively narrow and typically require the fraudster to already have the user’s username and password.
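To make the “something you have” factor concrete, here is an added example of how the code generated by a phone authenticator app is produced and checked. It is not code from the original post or from any authenticator product; it implements the standard HOTP/TOTP construction (RFC 4226 / RFC 6238) with the Python standard library only. The shared secret is the published RFC 4226 test secret, the user name “alice” is made up, and the verifier keeps the last accepted time step so that a code intercepted by malware or phishing cannot be replayed within the acceptance window, which is exactly the narrow residual weakness the paragraph above describes.

```python
"""Time-based one-time password (TOTP) second factor, end to end.

Added example, not code from the original post.  The server and the user's
authenticator app share a secret; both derive the same 6-digit code from the
current 30-second time step, and the server accepts a code only if it matches
one of a small window of recent steps and has not already been used.
"""
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226's published test secret ("12345678901234567890" as base32).  A real
# deployment generates a random secret per user and shows it once as a QR code.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

TIME_STEP_SECONDS = 30
DIGITS = 6


def decode_secret(b32: str) -> bytes:
    """Turn the base32 string shown at enrolment back into raw key bytes."""
    return base64.b32decode(b32.upper(), casefold=True)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code_int = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code_int % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = TIME_STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step.
    This is what the authenticator app on the phone computes."""
    return hotp(secret, int(at_time) // step)


class TotpVerifier:
    """Server side: per-user secrets plus the last accepted time step, so a
    code cannot be accepted twice inside the clock-drift window."""

    def __init__(self, window: int = 1):
        self.window = window          # accept +/- this many 30 s steps of drift
        self.secrets: dict[str, bytes] = {}
        self.last_step: dict[str, int] = {}

    def enroll(self, user: str, secret_b32: str) -> None:
        self.secrets[user] = decode_secret(secret_b32)

    def verify(self, user: str, submitted: str, at_time: float) -> bool:
        secret = self.secrets.get(user)
        if secret is None or not (submitted.isdigit() and len(submitted) == DIGITS):
            return False
        current = int(at_time) // TIME_STEP_SECONDS
        for offset in range(-self.window, self.window + 1):
            step = current + offset
            # compare_digest keeps the comparison constant-time.
            if hmac.compare_digest(hotp(secret, step), submitted):
                if step <= self.last_step.get(user, -1):
                    return False  # replay of an already-used step
                self.last_step[user] = step
                return True
        return False


if __name__ == "__main__":
    # Enrolment: server stores the secret; the phone app holds the same one.
    server = TotpVerifier()
    server.enroll("alice", RFC_TEST_SECRET_B32)
    phone_secret = decode_secret(RFC_TEST_SECRET_B32)

    now = time.time()
    code = totp(phone_secret, now)            # what the phone displays
    print("code from phone:", code)
    print("first use accepted:", server.verify("alice", code, now))
    print("same code replayed:", server.verify("alice", code, now))
    print("stale code (5 min later):", server.verify("alice", code, now + 300))
```

The first login with a freshly displayed code succeeds; submitting the same code again is refused even though it is still inside the drift window, and the same code five minutes later is refused because its time step is no longer in the window. The password remains the “something you know” factor checked separately by the server; this block only covers the second factor.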
Our point is not that there is a silver bullet that addresses all the problems with passwords. Rather, there are many better authentication techniques available, ones that are clearly a much better choice than passwords alone in certain situations, especially high risk situations.
Although many of these techniques are widely available and inexpensive, they are often not used. This is a pathology that is undermining improved data security. It is clear from many polls that most people are very concerned about data security, and most leaders of organizations are also very concerned.
Change is not likely to happen fast enough without some kind of precipitating event, something to set things in motion and eventually lead to a cascade. Rather than waiting for Godot, there would be great benefit in some kind of regulatory intervention. Perhaps a nudge, maybe a gentle push, maybe a shove, and maybe even a kick in the rear. Something needs to be done.
The FTC Has Laid the Groundwork for a Better Approach to Authentication
In the United States, the FTC is the regulatory agency in the best position to step in and require improved authentication. The FTC has the broadest range of jurisdiction of any federal agency enforcing data security. The broadest source of FTC jurisdiction is Section 5 of the FTC Act. Under Section 5, “unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.” The FTC has long maintained that failing to provide adequate data security can be a “deceptive” trade practice or an “unfair” trade practice – and in many cases, both deceptive and unfair.
When determining whether data security is satisfactory, the FTC essentially looks to whether the security measures are “reasonable.”
The FTC generally determines what is “reasonable” by looking to areas of widespread consensus. Such a consensus appears to exist regarding passwords – at least in what is being said, although it is not being done. And the foundation exists in FTC jurisprudence to make a movement toward improved authentication.
As authentication threats evolve, so should the FTC’s requirements for reasonable authentication.
The FTC’s authentication jurisprudence supports moving beyond passwords to embrace new, effective, and popular techniques. Although passwords alone might still be sufficient for certain kinds of systems, the FTC should consider where improved authentication approaches such as two-factor authentication are more appropriate, particularly in high-risk contexts.
The FTC should not create a one-size-fits-all standard. A holistic approach to authentication would consider the relevant threats, the costs of deployment, the toll on use, and the relative security benefits of relevant authentication strategies. The FTC can begin by holding that in certain high-risk contexts, improved authentication methods should be employed. The FTC need not necessarily choose which method. The test should be pragmatic: How well does the method work? What are the costs and benefits? The FTC can conclude that as long as alternatives exist that are reasonable in cost and ease of deployment, the use of passwords alone is insufficient.
It is time to start moving beyond the password. The FTC should not kill passwords, but it should not let them continue their reign as the king of authentication. The FTC should make passwords share their throne with better forms of authentication.
For a further elaboration of these points, please see our recent piece, Daniel J. Solove & Woodrow Hartzog, Should the FTC Kill the Password? The Case for Better Authentication, 14 Bloomberg BNA Privacy & Security Law Report 1353 (July 27, 2015).
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. This post was originally posted on his blog at LinkedIn, where Solove is a “LinkedIn Influencer.” His blog has more than 900,000 followers.
Professor Solove is the organizer, along with Paul Schwartz of the Privacy + Security Forum (Oct. 21-23 in Washington, DC), an event that aims to bridge the silos between privacy and security.