![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2012\/08\/authentication-header1.jpeg\")
<\/p>\n<\/p>\n
Are we all sick of password security lessons yet? After all the discussion of recent security breaches and Mat Honan\u2019s iCloud account hack<\/a>, it seems like even mainstream media is all over the password security quandary. And a lot of the coverage seems pretty bleak. But it\u2019s not really as bad as all that, and there are actually some really interesting developments in this space that could drastically change authentication as we know it.<\/p>\n No security system, whether it\u2019s related to passwords or malware or data leakage or whatever other hot new piece of technology du jour is, will protect you 100%. More and more, humans are the weak link in the chain. You could build a totally indestructible robot army to protect you, but if you hand over the remote control, that army can be turned right around to destroy you. And people are handing over that remote control<\/a> way too often.<\/p>\n So, what do we do in light of this imperfect situation? We use layers of security to try to eliminate the number of holes that it\u2019s possible for intruders to squeeze through; each successive layer should help cover up places where other layers are weak. We can also try to make our security just a little bit better than that next guy, because criminals will always go for the biggest return on their effort. We want to make ourselves an unattractive target, comparatively speaking.<\/p>\n Honan\u2019s hack was a vivid example of aligning all sorts of security holes that allowed attackers to crash a Mack Truck into his digital life. There were a couple of the four lessons we covered<\/a> that would have easily stopped this alignment. The first was setting up two-factor authentication in Google \u2013 that was the first key element in the alignment. The second was how much work Honan did for them<\/em>, by linking so many of his accounts \u2013 they didn\u2019t have to align any more holes, because Honan had done it already.<\/p>\n Let\u2019s back up a bit first. There\u2019s commonly considered to be three types of things you can use to verify that you are who you say you are. By far the most common of these things revolves around \u201cwhat you know\u201d \u2013 that is usually something like a username and password that you have chosen to remember. The other two types are about \u201cwhat you have,\u201d such as a piece of hardware like a phone or a key fob, and \u201cwhat you are,\u201d such as a fingerprint scan.<\/p>\n One-factor authentication uses only one of these things to authenticate your identity. That doesn\u2019t mean there is only one thing you\u2019re entering to prove your identity. A good example of this is Secret Questions. You can have 10 questions about where you grew up or what your favorite car is or what your mom eats for breakfast, but if you are the one supplying the answer, it\u2019s all just single-factor authentication.<\/p>\n Multi-factor authentication involves two or more of the different types of authentication. Two-factor authentication is already used by a large number of financial institutions outside the US, particularly in Europe. Google and Facebook have both enabled two-factor authentication too. It won\u2019t be long until this is considered very commonplace on any sort of online service that stores your really important data.<\/p>\n The most common type of online two-factor authentication involves sending you a temporary key (to your phone, a dongle, an email address, etc.) that you will input along with your username and password. In the real world, having to input an ATM card and a PIN is another type of two-factor authentication. This is still not bulletproof, and it definitely increases the possibility of people being locked out of their accounts if you lose access to the thing that allows you to receive the temporary key. Some people are already saying that two-factor authentication has passed its prime as we’re already seeing it being breached<\/a>. So more and more organizations are now looking into three-factor identification.<\/p>\n The third type of authentication is still fairly uncommon in the online world. You will occasionally see a thumbprint scanner on a laptop, but I don\u2019t believe I\u2019ve seen this used by anyone in everyday life. I had a friend who worked for a major hardware manufacturer that issued computers that had keyboards with thumbprint scanners\u00a0to all its employees, and then they disabled the scanner on all of them. While one might think such a scanner would be fairly simple, apparently the technology ended up being sort of problematic. The value in terms of increasing their security wasn\u2019t equal to the cost of the support calls it generated for them.<\/p>\n If we\u2019re already seeing breaches in the most common two-factor authentication methods and that third factor doesn\u2019t seem to be ready for prime time, what are we supposed to do? There are a lot of people looking into that very question, and they\u2019re coming up with some very interesting and creative answers.<\/p>\n One of those answers is to come up with some other data that we could use to help identify ourselves. Besides what we know, what we have and what we are, we can also provide information about where<\/em> we are. This could be a WiFi base station, a GPS location, or an IP address, for instance.<\/p>\n This is not terribly specific information in most cases, as very few people use static IP addresses or stand in one spot while they’re using their mobile phones. But there are instances where this could be useful when you create a sort of profile out of users\u2019 behaviors.<\/p>\n Credit card companies do something like this when they look for patterns that indicate fraud: Have you ever had a credit card company call you to verify if it was actually you who made a purchase at Tiffany\u2019s in Arizona to send to Maryland, when you live in rural Iowa? It fails to meet the criteria for where and who you are if you\u2019ve never made purchases in either state or at Tiffany\u2019s. This example relies on a new view of what is considered \u201cwho you are.\u201d What makes us unique is not just visible in the physical sense, but also in the behavioral sense.<\/p>\n There has been a lot of research into privacy implications of retaining or mining people\u2019s surfing and searching habits. One such study<\/a> recently reiterated that our online behaviors are a pretty conclusive way to identify someone. Obviously this would have to be done very cautiously to get a balance of preserving privacy while maintaining accuracy. This may not be what\u2019s traditionally considered \u201cpersonally identifiable information<\/a>\u201d \u2013 it may not allow a hacker to take over your bank account or a stalker to find where you live, but it can be used to incriminate you in other ways.<\/p>\n All in all, what we\u2019re seeing in all these mainstream articles about the bleakness of password security is not news to those of us in the security industry. Computer security at this point is unbelievably complicated and it\u2019s very hard to boil that down into simple recommendations for average users. But there are some really cool things that are coming down the pipe that could make things much easier and perhaps even more convenient. Until then, we should all be vigilant about what security steps we can take.<\/p>\n","protected":false},"excerpt":{"rendered":" Are we all sick of password security lessons yet? After all the discussion of recent security breaches and Mat Honan\u2019s iCloud account hack, it seems like even mainstream media is all over the password security quandary. And a lot of the coverage seems pretty bleak. But it\u2019s not really as bad as all that, and […]<\/p>\n","protected":false},"author":6,"featured_media":35563,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false},"categories":[10,151],"tags":[351,353,325],"yoast_head":"\n\n\n\n\n\n\n\n\n\n\n\n\n\t\n\t\n\n\n\t\n\t\n\t\nThe Imperfect Present Situation<\/h3>\n
So, What is Two-Factor Authentication?<\/h3>\n
Authentication for the Future<\/h3>\n