Ray Alner

Authentication has Gotten Complicated

Authentication

Authentication has a complex history of evolving to meet our security needs and expectations.

At Sparkbytes (the business I run), auth is an important part of our development workflow, but it is also a four-letter word. It’s one of those cursed things that is supposed to protect what we hold close but somehow can be so difficult to work with.

There’s a saying in the cybersecurity world, with many variations:

“You can have security, simplicity, or usability—pick any two.”

The same is true for the CIA triad: Confidentiality, Integrity and Availability. Security experts are always balancing the three depending on the needs of the business.

Here's the irony: In trying to make authentication simpler for everyday users, the security industry has actually made it more complex and difficult to do the basic things we want to do.

Now, it is nice that the industry is trying. Google Chrome now encrypts the passwords saved to it and offers on-device encryption, but that only started in 2022.

Apple has also introduced a more unified approach to password management with their new Passwords app. This centralized solution for password sharing was only released this year, so it likely hasn’t gained the level of widespread adoption and use industry experts have wanted, but it still complements their existing Keychain system and is an improvement to general security.

But while the security industry marches forward, it has continued to make things more complicated. Let’s take a look at what I mean, and how the security industry has morphed for better or worse. I’m not diving deep into the types of security, algorithms, encryption methods, zero trust, etc., just the basic, consumer-level interactions we’ve decided are the best ways to secure things.

Security??

The industry first started with “who needs security?” Very noble of the industry to believe in the altruism of the world, that no bad thing could happen online. Honestly, it’s kind of surprising that the industry took this approach from the beginning, given that bad and smart people would figure out ways to take advantage of the system tout de suite.

Username & Password

The next thing the industry implemented was a username and password. It was generally better, as both the username and password could be randomized. Not that many DID, but at least there was some basic variability in the system we chose, maybe making it difficult for bad actors to gather credential dumps and use variations to access other accounts.

Email & Password

Next, because businesses wanted a way to communicate with their users, we morphed to using the email address instead of a username. The variability of a different username went away, and it became easier for bad actors to not only have a verified email address, but also to connect unique usernames with passwords they may have found in data breaches. Some accounts still require a unique username that is now linked to a password. This gives bad actors PII in the form of a first.last name in an email address, a verified contact for the user, potentially a username to see if other connections to that user can be made, and now a password which may or may not be varied across other accounts.

Username & Password & 2FA Text/Email

So now the industry added a level. We now have usernames, emails, passwords, and a text/email 2FA code. These were good, because they allowed for a “second factor” of authentication. But they didn’t help when the general user was so tired of adding layers of security that they set the same password on their email as on every single app they signed on to. That let bad actors gain access with just a minor speed bump: having to gain access to the user’s email in addition to the service they wanted, like a bank account.

Texts are still marginally better, but can still be breached by port-out scams, text rerouting via SS7, device malware, and other attack vectors, and are generally not considered a safe method of delivering codes.

Username & Password & 2FA Text/Email & TOTP Codes

So the industry created another system. To me, this has been better security, but some of the worst implementation across the industry.

A user now has to know their username, password, sometimes get a verification in their email or text, then provide a TOTP code based on a scanned QR code when/if the user decides to set it up. It’s once again optional because people just want to access their account and get going, not be wrapped up preparing “for an accident that won’t happen to me”.

The problem is, the industry hasn’t decided on a single method to provide the TOTP codes, from YubiKey, to Microsoft Authenticator, to Adobe Authenticator, to Authy, and a bunch of others. Sometimes they are cross-compatible, others (like Microsoft Authenticator) are not. It just adds to the confusion people have when setting up secure methods.

Why can’t I use Authy for Microsoft codes, why do I have to download another app for one single service? I just won’t bother setting it up because it’s too difficult.

It now makes logging in a chore rather than a feature. I get it. It’s supposed to be more secure. But in reality, we tell Grandma to set up 2FA and they are like huh? Then it’s this 15 step process to set it up and another 5 step process to login each time. Most people just ignore it and YOLO it, then get mad at the service provider for not keeping their data secure.

Oh, and you also have to remind users to grab their backup codes, because if you lose those, good luck getting back into the account. But first you have to describe what a backup code IS and why it’s important. The number of people I’ve described this to who are lost halfway through is incredibly high.

As a security professional, I remember to grab these codes, but give it to anyone else, and they are clicking Next, Next, Finish as fast as possible because they want to watch their damn TV show and don’t care about a bunch of random letters and numbers that pop up on the screen. They don’t care.
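Since the compatibility question above comes down to whether an app implements the standard TOTP algorithm (RFC 6238) over the otpauth:// URI encoded in the QR code, here is an added worked example of that derivation. It is not code from the original post; the secret is the RFC 6238 test secret and the URI is constructed for illustration. Any app that follows the standard will produce the same six digits from the same QR code, which is exactly the cross-compatibility the text is describing.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def parse_otpauth_uri(uri):
    """Parse the otpauth://totp/... URI that a QR code carries.

    Defaults match what most authenticator apps assume: SHA1, 6 digits, 30 s.
    """
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = parse_qs(parsed.query)
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "secret": params["secret"][0],
        "algorithm": params.get("algorithm", ["SHA1"])[0].upper(),
        "digits": int(params.get("digits", ["6"])[0]),
        "period": int(params.get("period", ["30"])[0]),
    }


def decode_base32_secret(secret):
    """QR secrets are unpadded base32; restore padding before decoding."""
    secret = secret.strip().replace(" ", "").upper()
    padding = "=" * (-len(secret) % 8)
    return base64.b32decode(secret + padding)


def hotp(secret_bytes, counter, digits=6, algorithm="SHA1"):
    """RFC 4226: HMAC over the big-endian counter, dynamic truncation, mod 10^digits."""
    digestmod = getattr(hashlib, algorithm.lower())
    mac = hmac.new(secret_bytes, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_bytes, unix_time=None, period=30, digits=6, algorithm="SHA1"):
    """RFC 6238: the counter is simply the number of whole periods since the epoch."""
    if unix_time is None:
        unix_time = time.time()
    return hotp(secret_bytes, int(unix_time) // period, digits, algorithm)


def code_from_uri(uri, unix_time=None):
    """What any standards-following app does after scanning the QR code."""
    cfg = parse_otpauth_uri(uri)
    return totp(decode_base32_secret(cfg["secret"]), unix_time,
                cfg["period"], cfg["digits"], cfg["algorithm"])


def verify_totp(secret_bytes, candidate, unix_time, period=30, digits=6,
                algorithm="SHA1", window=1):
    """Server side: accept the current step plus `window` steps either side for
    clock drift, and compare in constant time so timing does not leak digits."""
    counter = int(unix_time) // period
    for step in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret_bytes, step, digits, algorithm), candidate):
            return True
    return False


# Constructed enrollment URI using the RFC 6238 test secret "12345678901234567890".
EXAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
               "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")

if __name__ == "__main__":
    # At t=59 the RFC 6238 table gives 94287082 (8 digits), i.e. 287082 at 6 digits.
    print(code_from_uri(EXAMPLE_URI, 59))
```

The server-side check is the part worth copying: a one-step window tolerates a phone whose clock has drifted a little, and `hmac.compare_digest` avoids a short-circuit string compare. Anything beyond that, such as rate limiting and rejecting a code that was already accepted in the same step, belongs around this function, not in it.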

Username & Password & 2FA Text/Email & Rolling Code & Passkey

So where is the industry going next to simplify? We are headed to Passkeys. This is great. So much better, right?

Well, kinda, but you have to set it up. Every service provider, from Chrome, to 1Password, to Safari, wants you to store the passkey in their proprietary system. That is fine if you have a good security sense and secure best practices, and don’t just use whatever pops up and asks you to save the key. But many people just want the new box to go away and let them into the service, so they end up saving passkeys on a device that may not be theirs, or not understanding what passkeys are and why they can’t just sign in using a username and password like every other service.

You also need a username and password or 2FA code to set that up initially (at least for now), so the initial setup now has so many additional, sometimes optional, security steps that most people just ignore them like they did the Next, Next, Finish when installing software.

The end goal, based on a post by Google:

To sign into a website or app on your phone, you just unlock your phone — your account won’t need a password anymore. Or if you’re trying to sign into a website on your computer, you just need your phone nearby and you’ll be prompted to unlock your phone — which will then grant you access on your computer.

This is the future I’m excited for. But we are a ways from this becoming reality. Especially since some of the biggest banks are still heavily invested in text 2FA codes, even though the industry has moved way past that already.

With secure enclaves keeping this technology ever-evolving, it will be exciting to see a truly passwordless future, if we can implement it in a way that reduces the friction of logging in rather than increasing it.

The Biggest Risk

Authentication always draws on three factors:

“Something you know, something you have, something you are.”

I see the biggest risk for this evolving technology in its fallbacks. The fallback is typically something you know, because you can lose something you have, and currently, something you are requires something you know in order to set that feature up.

The irony of actually remembering “something you know” is not lost on me, being that the biggest IT requests are usually resetting forgotten passwords… but I digress.

Every person, no matter how hard security professionals try to secure a piece of tech, will lose a device, lose a key, lose whatever method security professionals create to secure a product. Right now the fallback is the username & password plus whatever 2FA key we’ve created that cannot be device-specific, usually a texted 2FA code.

Bad actors will continue to try to gain access through these less secure methods. Whether it’s through phishing or device compromise, whichever method is the least secure, there will be an attempt to access via that method.

But the industry is steadily removing the requirement of “what we know” because it’s the easiest to guess and the hardest to keep unique.

The industry is making strides in securing our data. Us being the last line of defense is a good thing. We don’t have to worry as much about whether the technology that’s been implemented is secure. The more unique and simple security experts can make the “something you know” attached to something you have and something you are, the easier it is for us to continue to create something you now don’t know, making it more difficult for bad actors to suss the information out of you, and more likely they will look for other attack vectors. I just hope it picks up the pace and removes these less secure methods before we have to deal with further evolving technology, like AI and its impact on security.
