Thoughts on Systems

Emil Sit

Aug 10, 2008 - 4 minute read - Technology - Tags: authentication, bruce schneier, cookies, e-mail, encryption, FastMail, GMail, ING, Kim Cameron, openid, password, randall stross, security, session, Vanguard

Improving web authentication

You use passwords, possibly dozens of passwords, to authenticate to websites daily. Passwords are a useful authentication tool because they function as a “thing you know” (a shared secret between you and the server) and because they can be changed in case of loss (unlike, say, your fingerprints).

In a diatribe against OpenID titled “Goodbye, Passwords. You aren’t a good defense”, Randall Stross argues (?) that the time for passwords has passed and that password-based single sign-on systems like OpenID are not going to fly. Let’s set aside the fact that, while he claims “no security expert [he] could reach” thought passwords were a good idea, he names no actual experts in his column: could he not, for example, get a comment from Bruce Schneier, who has written extensively about the subject? Setting that aside makes us less likely to conclude that his column is simply a front piece fed to him by the one source he does cite, Kim Cameron. (The OpenID blog contains a somewhat more objective defense of the issue.) OpenID is still a long way from mainstream, however, and a site can do many things to improve its authentication security without it.

Session management lets users participate in detecting password theft. For example, Google Mail now lets you manage authenticated sessions. Not only does GMail explicitly tell you when and from where your account has been accessed recently (which many banking websites do as well, and which Unix login has done for years with its “Last login:” line), it also lets you explicitly log out those other sessions. That is great news for detecting and then dealing with a password compromise: an unfamiliar IP address in the list is the signal, and killing that session and changing the password is the response. Google Mail also added a setting to ensure that your mail itself always goes over an encrypted connection. Without it, only the login is protected; the session cookie then travels in the clear, where anyone on a shared network can capture and replay it without ever learning your password. The setting exposes the trade-off between the computational cost of encryption and performance, and for an individual user the overhead of a single SSL connection is minimal and easily amortized over a day-long GMail session.
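To make the session-management point concrete, here is an added example (not Google’s code, and not from the original post) of what a site needs server-side to offer the two GMail features just described: a list of where the account is currently logged in from, and a “sign out all other sessions” action. The session table lives on the server so that sessions can be enumerated and revoked; a stateless signed cookie could not be revoked this way. The idle timeout, cookie name and sample addresses are assumptions.

```python
"""Server-side, revocable sessions with per-session metadata.

Added example for this post; it is not Google's code. It models the two
GMail features described above: showing the user where their account is
logged in from, and letting them log out every other session. Session IDs
are random and live only server-side, so they can be listed and revoked;
the cookie is emitted with Secure and HttpOnly so it is never sent over
plain HTTP or exposed to page scripts. The idle timeout and cookie name
are assumptions.
"""
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass

SESSION_IDLE_TTL = 24 * 3600  # assumption: a session idle for a day expires


@dataclass
class Session:
    sid: str
    user: str
    ip: str
    user_agent: str
    created: float
    last_seen: float


class SessionStore:
    """In-memory stand-in for the server's session table."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._by_sid: dict[str, Session] = {}

    def create(self, user: str, ip: str, user_agent: str) -> str:
        # 256 bits of randomness; the sid is the only thing the browser holds.
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._by_sid[sid] = Session(sid, user, ip, user_agent, now, now)
        return sid

    def authenticate(self, sid: str, ip: str) -> Session | None:
        """Resolve a cookie value to a session, expiring idle ones."""
        s = self._by_sid.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > SESSION_IDLE_TTL:
            del self._by_sid[sid]
            return None
        s.last_seen = now
        s.ip = ip  # record the most recent source address for the activity list
        return s

    def list_for_user(self, user: str) -> list[Session]:
        """What the 'recent activity' page shows: every live session, newest first."""
        mine = [s for s in self._by_sid.values() if s.user == user]
        return sorted(mine, key=lambda s: s.last_seen, reverse=True)

    def revoke_others(self, user: str, current_sid: str) -> int:
        """'Sign out all other sessions': returns how many were killed."""
        victims = [s.sid for s in self._by_sid.values()
                   if s.user == user and s.sid != current_sid]
        for sid in victims:
            del self._by_sid[sid]
        return len(victims)


def set_cookie_header(sid: str, max_age: int = SESSION_IDLE_TTL) -> str:
    """Cookie line for the login response. Secure means the browser only sends
    the cookie over HTTPS, which is what makes an 'always use https' setting
    protect the session itself and not just the password."""
    return (f"Set-Cookie: sid={sid}; Path=/; Max-Age={max_age}; "
            f"Secure; HttpOnly; SameSite=Lax")


def demo() -> tuple[int, bool, bool]:
    """Constructed scenario: alice logs in at home, finds a cafe session she did
    not start in her activity list, and signs it out from home."""
    store = SessionStore()
    home = store.create("alice", "203.0.113.5", "Firefox/3.0")
    cafe = store.create("alice", "198.51.100.7", "MSIE 7.0")  # the stranger's session
    revoked = store.revoke_others("alice", home)
    cafe_alive = store.authenticate(cafe, "198.51.100.7") is not None
    home_alive = store.authenticate(home, "203.0.113.5") is not None
    return revoked, cafe_alive, home_alive


if __name__ == "__main__":
    print(demo())  # (1, False, True)
```

The important design choice is that the browser holds nothing but an opaque random identifier; every fact about the session (owner, source address, last activity) is looked up server-side, so revocation is a single delete and takes effect on the attacker's very next request.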

Google’s approaches, however, still rely on your password. What if you are at an Internet café and want to check your e-mail but do not want to risk losing the password that also protects your AdSense account? FastMail has the solution: one-time and SMS passwords. This is a brilliant feature that I am surprised is not more widely available. Basically, FastMail offers a variety of options for generating temporary, disposable passwords. You can pre-create a list of single-use passwords that you keep safely in your wallet: even if a password is captured by a key-logger or shoulder-surfer, it can never be used again to authenticate you, because the server forgets it the moment it is used. You can also create, on demand, a single-use password that is sent via SMS to your cellphone. These are great ways to protect your account while still being able to access it from anywhere.
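What the server has to do to honour a printed list of single-use passwords and an on-demand SMS code is small, and it is worth seeing because the whole guarantee rests on one detail: the code is deleted the first time it is accepted. The following is an added example for this post, not FastMail’s code. It keeps only a keyed hash of each outstanding code (so a copy of the table is useless without the server key), treats a replayed code as a failed login, and expires SMS codes after a short window. The code alphabet, sheet size and SMS validity period are assumptions.

```python
"""One-time password lists and SMS codes, server side.

Added example for this post; it is not FastMail's code. A user prints a
sheet of single-use codes (or requests one by SMS). The server keeps only a
keyed hash of each outstanding code and deletes it on first use, so a code
captured by a key-logger or shoulder-surfer is worthless afterwards, and a
copy of the server's table is useless without the server key. Code format,
sheet size and the SMS validity window are assumptions.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time

# No 0/O, 1/l/I: codes get typed from paper, so avoid look-alike characters.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
CODE_LEN = 8        # 31**8 is about 2**40; fine when each guess costs a round trip
SHEET_SIZE = 10
SMS_TTL = 600       # seconds an SMS code stays valid


class OneTimePasswords:
    def __init__(self, server_key: bytes, clock=time.time):
        self._key = server_key
        self._clock = clock
        self._sheets: dict[str, set[bytes]] = {}          # user -> unused code digests
        self._sms: dict[str, tuple[bytes, float]] = {}    # user -> (digest, expires_at)

    def _digest(self, user: str, code: str) -> bytes:
        # Keyed so a leaked table cannot be brute-forced offline without the key;
        # the user is mixed in so the same code for two users hashes differently.
        return hmac.new(self._key, f"{user}:{code}".encode(), hashlib.sha256).digest()

    def issue_sheet(self, user: str) -> list[str]:
        """Generate a fresh printable sheet; any previous sheet is voided."""
        codes = ["".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
                 for _ in range(SHEET_SIZE)]
        self._sheets[user] = {self._digest(user, c) for c in codes}
        return codes  # shown to the user once; no plaintext is kept

    def issue_sms(self, user: str) -> str:
        """Generate a six-digit code to hand to the SMS gateway; one pending at a time."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._sms[user] = (self._digest(user, code), self._clock() + SMS_TTL)
        return code

    def redeem(self, user: str, code: str) -> bool:
        """Accept a code exactly once. Checks the pending SMS code, then the sheet."""
        digest = self._digest(user, code.strip().lower())

        pending = self._sms.get(user)
        if pending is not None:
            stored, expires_at = pending
            if self._clock() > expires_at:
                del self._sms[user]                  # stale: drop it, fall through
            elif hmac.compare_digest(stored, digest):
                del self._sms[user]                  # consumed
                return True

        sheet = self._sheets.get(user, set())
        matched = None
        for stored in sheet:                         # compare against all; no early exit
            if hmac.compare_digest(stored, digest):
                matched = stored
        if matched is None:
            return False
        sheet.discard(matched)                       # consumed: a replay now fails
        return True

    def remaining(self, user: str) -> int:
        """How many sheet codes are left, so the UI can prompt for a new sheet."""
        return len(self._sheets.get(user, ()))


def demo() -> tuple[bool, bool, int]:
    """Constructed run: a shoulder-surfer copies the code alice just typed and
    tries it again."""
    otp = OneTimePasswords(b"constructed-server-key; a real one lives in config or an HSM")
    sheet = otp.issue_sheet("alice")
    first = otp.redeem("alice", sheet[2])    # alice logs in at the cafe
    replay = otp.redeem("alice", sheet[2])   # the attacker replays the same code
    return first, replay, otp.remaining("alice")


if __name__ == "__main__":
    print(demo())  # (True, False, 9)
```

Note that the sheet and the SMS code are the same mechanism with different delivery: a random secret, hashed at rest, removed on first use. The only difference is that the SMS code also carries an expiry, because it was generated for a login happening right now rather than for a wallet.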

Any web system must also deal with the inevitable forgotten password. ING Direct demonstrates how this can be handled efficiently and safely. Instead of the moronic question/answer systems that demand you remember exact, case-sensitive answers to short-answer questions, ING appears to ask you specific questions about your current billing address, and then some things from your credit report (like where you used to live or work). I remember the addresses of places I used to live and work; I can’t remember if I used to own a Subaru or an Outback. ING also deliberately feeds you wrong information to clue you in to a potential problem: enter an invalid saver ID and it will happily make up a name for you that is not yours, which has the side benefit of denying an attacker an easy way to tell valid IDs from invalid ones. And after jumping through these questions, you still have to prove access to a verified e-mail address. These are familiar, repeatable tasks that I feel work quite well.

Finally, the display of personalized phrases and images at login time helps reduce the risk of phishing attacks by authenticating the website to you. Yahoo! sets a cookie for this purpose on each computer you use and displays text in a color of your choosing; because browsers return a cookie only to the domain that set it, the seal appears only when you are really connecting to Yahoo!, and a look-alike domain cannot read it. Vanguard and ING both link the custom image to your username instead. They trade the convenience of not having to set up a cookie on every computer for the potential risk of a man-in-the-middle attack: a phishing site that asks for your username first can relay it to the real site, fetch your image, and show it back to you. I’d imagine they’ve done the risk analysis studies to determine that this works out best. Neither variant helps, though, if users carry on when the seal is simply absent, and the 2007 study “The Emperor’s New Security Indicators” found that almost all of them do.

It would greatly improve the security of most websites if they supported user session management, forced SSL, provided one-time or SMS passwords, authenticated users with intelligent questions, and authenticated themselves to users explicitly. While these measures may be foreign to users today, as they become more common and uniformly adopted they will become as familiar as captchas, but infinitely more useful.