The latest insights from your peers on the latest in Enterprise IT, straight to your inbox.
This article is by Featured Blogger Dr. Augustine Fou from his Blog Page. Republished with the author’s permission.
Cybersecurity is more and more important because we are spending more and more of our lives online and using connected devices. Of course different devices and activities require different levels of security. However, most online authentication still revolves around passwords, which are notoriously weak due to misaligned incentives -- i.e. the user voluntarily chooses shorter, easier-to-remember passwords, which means they are easier-to-guess too. Algorithms can make millions of “guesses” in a second in so-called “credential stuffing” attacks.
Something you know - passwords
Something you have - device, security key
Something you are - biometrics
This led to the increasing adoption of two-factor authentication (2FA), which brings in an element of “what you have” in addition to the “what you know” (passwords). But most online 2FA revolves around codes that are sent through SMS and valid for a short time window. Unfortunately, it’s well documented that rogue apps on phones can intercept SMS messages and easily defeat this form of security. The user might have accidentally given permissions to read and write SMS when installing the app, or the user might have knowingly given such permissions to free texting and chatting apps (ever wonder why there are so many free texting and chatting apps when everyone already has texting and chatting built into their phones already?).
And for even greater security, some devices are adding “what you are” features like fingerprint readers, facial recognition (e.g. Apple FaceID), and iris scanners. While more secure in theory, criminals have found easy and clever ways to defeat biometric security too. They can either buy such data from others or simply make “viral apps” which trick gullible humans into voluntarily taking a picture of their own face with the app for frivolous things like “cartoonify your face.” And remember all those “which celebrity do you look like” or “what will you look like when you’re old” apps? Right, users volunteered their own faces.
Aside from the various nefarious and clever ways bad guys can easily defeat current forms of online security, what if users valued their privacy more and preferred not to use their fingerprints or irises for authentication? Further, what if we assumed attackers had unlimited computing power (powerful servers, parallel processing GPUs, and dedicated ASICs) to attack your security infrastructure. Even long passwords won’t safeguard you; 2FA through networks they can access won’t safeguard you; and faces and biometrics can also be defeated given enough time.
I have also said previously that any security schema that relies on secrets is not good enough. That’s because those secrets can be compromised via “pain or gain.” We’ve all seen enough movies to know that attackers can torture passwords out of secret-holders (pain) or they can offer them large sums of money to disclose the secret (gain). So security systems that rely on secrets will still be subject to the perennial weakest link -- humans. That’s assuming there was no human error that accidentally exposed everything already (DB’s left unsecured in the cloud) or some human plugging a USB thumb drive they found on the street into an air-gapped computer at a nuclear facility (Stuxnet). Finally, any security schema that can be compromised by human laziness is not good enough -- if you make humans do too much work to secure things, over time, they will find work arounds and time savers that defeat the entire security schema.
So we are left with the following three-pronged challenge: 1) assume attackers have unlimited computing power to bring to bear to defeat your security, 2) humans are inherently lazy and forgetful so security schema should not rely on them to do too much work otherwise the schemas are inherently weak, and 3) biometrics like facial recognition are not desirable due to long term privacy implications (someone else has to have all your faces in a database so they can use them for security; that is not secure in and of itself).
How would you solve this security challenge? I will lay out how we do it in my next article. In the meantime, here are some hints.