Wednesday, June 4, 2014

Don’t rely on fake security.

What is the common denominator of the whole internet? You say the IP protocol or the Domain Name System? I say passwords.

It doesn’t matter whether you want to access your router, initiate a wire transfer, order a book, access your email or upload a photo—you need to authenticate with at least a password before you can do so.

And most password systems create a false sense of security.

Passwords are difficult.

Now think about your standard web service. When you created your account, they probably asked you to create a “secure” password, which is almost impossible because:
  • It’s hard to remember a different password for each account, so users often have one or only a few passwords that they reuse for all services, which compromises multiple accounts when one password leaks.
  • Password rules differ widely (2 special characters here, capital letters there, no punctuation at another site) and end up making passwords hard for humans to remember while doing little to stop a computer from guessing them.

Passwords are open.

Of course, web services know that it’s impossible to remember all passwords, and that’s why they offer you an easy way to reset your password. Just click on the “forgot password” button, click on the link that they send to your email, and change your password.

Sounds easy, but it also makes any of your accounts no more secure than your email inbox!

And it gets even worse: The only information needed to change your password is sent over a medium that’s open like a postcard!

Maybe you use an encrypted connection to retrieve your email from your email provider (like Google, Yahoo or your company’s web server), but you have no control over how it got there, which servers it passed through, or whether the connections between them were encrypted. The opportunities for eavesdropping are virtually endless.

Why make it so complicated?

If passwords don’t really add to security anyway, can’t we just get rid of them? In fact, we can—by using one-time access tokens.

How it works is pretty simple: when you want to log in, the system sends a one-time token to your cell phone number (which was provided during sign-up) [1]. Entering this token grants access to the system.

This has a couple of benefits: the user doesn’t have to worry about finding a long and secure password; in fact, they don’t have to remember a password at all. Even better: if an attacker learns one of the user’s access tokens, it is useless to them because it cannot be used again.
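The single-use property described above is what a server has to enforce, not something the token carries by itself. The following is an added example (not code from this post) of a minimal token service: it generates a short numeric token with a CSPRNG, hands it to a delivery callback standing in for an SMS gateway, stores only a keyed digest of it, and accepts it once, within a time window, with a cap on wrong guesses. The names `OneTimeTokenService`, `IssuedToken`, the `send` callback and the constants are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed values for this example: a real deployment loads the key from a
# secret store and tunes the window and attempt limits to its own risk appetite.
SERVER_KEY = secrets.token_bytes(32)  # keys the stored digests so a leaked table cannot be brute-forced offline
TOKEN_TTL_SECONDS = 300               # a delivered token is only accepted for five minutes
MAX_ATTEMPTS = 5                      # wrong guesses allowed before the token is discarded
TOKEN_DIGITS = 6


@dataclass
class IssuedToken:
    digest: bytes      # keyed hash of the token; the clear token is never stored server-side
    issued_at: float
    attempts: int = 0


class OneTimeTokenService:
    """Issues a single-use login token and delivers it out of band (e.g. by SMS)."""

    def __init__(self, send, clock=time.time):
        self._send = send        # delivery channel: send(phone, token)
        self._clock = clock      # injectable clock so expiry can be tested deterministically
        self._pending = {}       # phone -> IssuedToken; one outstanding token per phone

    def _digest(self, phone, token):
        # Binding the phone number into the digest stops a token issued for one
        # account from being replayed against another.
        return hmac.new(SERVER_KEY, f"{phone}:{token}".encode(), hashlib.sha256).digest()

    def issue(self, phone):
        # secrets (not random) so the token is unpredictable to an attacker.
        token = f"{secrets.randbelow(10 ** TOKEN_DIGITS):0{TOKEN_DIGITS}d}"
        # Issuing a new token replaces (and thereby invalidates) any earlier one.
        self._pending[phone] = IssuedToken(self._digest(phone, token), self._clock())
        self._send(phone, token)

    def verify(self, phone, token):
        entry = self._pending.get(phone)
        if entry is None:
            return False                       # nothing outstanding, or already consumed
        if self._clock() - entry.issued_at > TOKEN_TTL_SECONDS:
            del self._pending[phone]           # expired: the user must request a fresh one
            return False
        if hmac.compare_digest(entry.digest, self._digest(phone, token)):
            del self._pending[phone]           # consumed: the same token can never succeed again
            return True
        entry.attempts += 1
        if entry.attempts >= MAX_ATTEMPTS:
            del self._pending[phone]           # too many guesses: discard rather than let them continue
        return False


if __name__ == "__main__":
    outbox = []                                # constructed stand-in for the SMS gateway
    service = OneTimeTokenService(send=lambda phone, tok: outbox.append((phone, tok)))
    service.issue("+15550100")
    phone, token = outbox[-1]
    print("first use accepted:", service.verify(phone, token))
    print("second use accepted:", service.verify(phone, token))
```

Three details carry the security argument: the digest is keyed and bound to the phone number, a successful check deletes the entry before returning, and a bounded number of wrong guesses discards the token so a six-digit code cannot simply be enumerated online.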

[1] An alternative solution is to have a key generator (either as software on your phone, e.g. Authy or Google Authenticator, or as hardware, e.g. RSA SecurID or YubiKey) which generates one-time codes that can only be used for 20 seconds after they’re issued and expire forever thereafter.
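The generators named in the footnote derive their short-lived codes from a shared secret and the current time rather than from a message sent to the phone. As an added example (not code from this post or from any of the named products), here is the time-based algorithm of RFC 6238 built on the HMAC-based code of RFC 4226, together with a verifier that accepts a code only in its own time step (plus one step of clock skew) and never accepts the same step twice. It uses the RFC’s standard 30-second step so the RFC test vectors apply; the step length is a parameter, and the names `hotp`, `totp` and `TotpVerifier` are assumptions of this example.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the HOTP counter is the number of whole time steps since the Unix epoch."""
    return hotp(secret, int(at) // step, digits)


class TotpVerifier:
    """Server-side check for one user's codes: bounded skew and no reuse within a step."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, skew: int = 1, clock=time.time):
        self._secret = secret
        self._step = step
        self._digits = digits
        self._skew = skew               # steps of clock drift tolerated on either side
        self._clock = clock             # injectable so the check can be tested at fixed times
        self._last_counter = -1         # highest step already consumed by a successful login

    def verify(self, code: str) -> bool:
        now = int(self._clock()) // self._step
        for counter in range(now - self._skew, now + self._skew + 1):
            if counter <= self._last_counter:
                continue                # a code for this step (or an earlier one) was already used
            if hmac.compare_digest(hotp(self._secret, counter, self._digits), code):
                self._last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # Constructed demo secret; real secrets come from a CSPRNG at enrolment (e.g. secrets.token_bytes(20)).
    demo_secret = b"12345678901234567890"
    print("code now:", totp(demo_secret, time.time()))
```

The replay guard (`_last_counter`) is what turns a code that is merely short-lived into a genuinely one-time code: within the tolerated window an eavesdropper who captures a code still cannot use it after the legitimate user has.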

Created by rogr.io