Ari Juels on user authentication: passwords are flawed, but what are the alternatives?
By Ari Juels
Andy Greenberg’s Wired article, “Three Things Apple Can Do to Fix iCloud’s Awful Security,” paints a clear picture of the current landscape of user authentication. It also underscores the main challenge: User authentication, like any system, is only as secure as its weakest link. Today, that link is usually the set of schemes (password recovery questions, help desk calls, etc.) for recovering lost credentials.
The password reset questions recently used at health-care marketplaces illustrate the problem well. They include some that are highly vulnerable to guessing by a hacker:
- How many bones have you broken?
- What color was your first bicycle?
Some that seem specifically designed to ensure their answers are forgotten:
- Type a significant date in your life.
And some in which you can read the existential angst of some poor system developer:
- If you needed a new first name, what would it be?
What alternatives are there? The suggestion in the Wired article that users authenticate physically at banks or Apple stores is meant as a means of last resort, one for rare corner cases. (If you’ve lost the iPhone you use for two-step authentication, and need to buy a new one, you’ll probably show up at an Apple store anyway.) But how can we keep the corner cases truly rare?
Of the many possibilities for credential recovery being explored by researchers, one that seems especially promising to me is the use of social networks, i.e., using friends and families to help recover your identity. A form of such “fourth-factor authentication” is used by Facebook, for example, in its Trusted Contacts system. What if this system were enhanced with video, to make identity verification better and easier, and with trusted hardware to prevent secrets from being given away to attackers?
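To make the “friends help you recover” idea concrete, here is an added example (my own code, not Facebook’s Trusted Contacts implementation and not from the original post) of the threshold mechanism such a system can rest on: a recovery secret is split with Shamir secret sharing into one share per trusted contact, and any k of the n contacts can jointly reconstruct it, while fewer than k learn nothing. The function names, the field prime and the 3-of-5 parameters are assumptions chosen for illustration.

```python
import secrets
from itertools import combinations

# Arithmetic is done modulo the Mersenne prime 2^521 - 1 (an assumption of this
# example), so any recovery secret of up to 64 bytes fits in one field element.
PRIME = (1 << 521) - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (coefficients lowest degree first) at x, mod PRIME."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_secret(secret, threshold, num_contacts):
    """Split `secret` into num_contacts shares; any `threshold` of them recover it.

    The secret is the constant term of a random polynomial of degree threshold-1.
    Each trusted contact is handed one point (x, f(x)) on that polynomial and
    stores it on their own device; nobody but the owner ever sees the polynomial.
    """
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a non-negative integer below PRIME")
    if not 1 < threshold <= num_contacts:
        raise ValueError("need 1 < threshold <= num_contacts")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, num_contacts + 1)]


def recover_secret(shares):
    """Lagrange-interpolate the polynomial at x = 0 from the given shares.

    With fewer than `threshold` shares this still returns *a* value, but it is
    unrelated to the real secret: that is exactly what the threshold guarantees,
    so a single phished or coerced contact cannot hand the account to an attacker.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % PRIME
                den = (den * (xi - xj)) % PRIME
        # Modular inverse of the denominator via Fermat's little theorem.
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def secret_from_bytes(data):
    return int.from_bytes(data, "big")


def secret_to_bytes(value, length):
    return value.to_bytes(length, "big")


def check_threshold(secret, threshold, num_contacts):
    """Return (every k-subset recovers the secret, some (k-1)-subset recovers it).

    For a correct scheme the result is (True, False): the second value being
    False means no group smaller than the threshold can reconstruct the secret.
    """
    shares = split_secret(secret, threshold, num_contacts)
    enough = all(recover_secret(list(c)) == secret
                 for c in combinations(shares, threshold))
    too_few = any(recover_secret(list(c)) == secret
                  for c in combinations(shares, threshold - 1))
    return enough, too_few


if __name__ == "__main__":
    # Constructed sample: a 32-byte account recovery key, 3-of-5 trusted contacts.
    recovery_key = secrets.token_bytes(32)
    shares = split_secret(secret_from_bytes(recovery_key), 3, 5)
    # The user has lost their device and reaches three of the five contacts.
    reached = [shares[0], shares[2], shares[4]]
    recovered = secret_to_bytes(recover_secret(reached), 32)
    print("recovered with 3 of 5 contacts:", recovered == recovery_key)
    print("(enough, too_few) =", check_threshold(secret_from_bytes(recovery_key), 3, 5))
```

The design point for the recovery workflow is the split between the two failure modes the post worries about: a guessable reset question fails if one fact leaks, whereas here an attacker must socially engineer k separate people, and each contact’s share is useless on its own. In practice the shares would be delivered over an authenticated channel and kept in the contacts’ device keystores, which is where the trusted hardware mentioned above would sit.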
Social engineering, i.e., attackers’ confidence games, will always pose a challenge. But we might move a step closer to a system in which users don’t have to remember passwords or other secrets, authentication is seamless, and recovery is only just painful enough to encourage you not to lose your devices too often—or maybe just gives you an excuse to reconnect with family and friends.
Ari Juels is a professor at the Jacobs Technion-Cornell Institute at Cornell Tech.