KISS – Keep It Secure, Stupid!
Since the beginning of days, man, woman, beast, and even plants have shared one thing in common: the need and desire to gather the items around them for food, pleasure, and necessity. With that came a need to secure those items for safe use in the future.
Arguably it may have been the first struggle they shared alike as well, and the struggle is no lesser today than it was at the dawn of time.
- How confident are you that the digital data, which makes up everything you were, you are today, and may be in the future, is transferred and stored securely?
- Do you feel safe with how you gain access to important parts of your life like financial information, health records, and email?
Consider this: since the consumer-based computer was introduced on April 7, 1953 (the day IBM publicly introduced the 701), any information gathered about you boils down to two characters, a 1 and a 0.
This is known as binary within the computer world, and when sequenced correctly, the story of your life unfolds like words on a page. But stop and take a minute to think about how we protect those items that are so important to our everyday lives.
The password was invented by Fernando J. Corbató, an American physicist, in the 50’s. The design was born of necessity, not security.
Today, in 2022, the thread of information that keeps our emails, financial records, and Grandmother’s famous cookie recipe safe is under threat and poised for implosion, taking many people’s digital identities with it.
Many are oblivious to this catastrophic possibility and few are prepared. Where will you stand?
It’s time we address the antiquated systems we use to secure this data.
Each year computers and technologies alike are upgraded at light speed, redesigned to offer the fastest CPU, the thinnest GPU, and more memory, yet the most important thing of all, the measures by which we secure them from hackers, thieves, and extortionists, “Security”, has been left in a state of suspended animation.
WHICH VERIFICATION IS RIGHT FOR YOU?
Since the adoption of the password, there have been very few innovations that match its effectiveness.
Unfortunately, hackers are becoming more skilled with each passing day, and we have run out of time. If you are one of the millions who use the same password for all your accounts, I challenge you to find a solution to that vulnerability.
What are some of the solutions we have to choose from? Let’s take a look.
- Password Authentication Protocol (PAP) – A simple user authentication protocol that sends the username and password to the server unencrypted, in plain text. It is the most vulnerable of all the methods.
- Authentication Token – There are 2 groups represented here, hardware tokens and software tokens. A hardware token is a smart card or USB device used to prove the identity of the user. A software token resides on your device (computer, smartphone, or tablet) and serves as virtual proof of your identity. There is also a variant that uses a browser for verification, known as Deviceless MFA, created by inWebo.
- FIDO2 – This is the newest of all the security protocols and is recognized by all the big players as the best and most secure option; Apple, Microsoft, and Mastercard, just to name a few, are backing this new method. There are 3 methods included with each key: U2F T-Mobile, U2F for USB, and passwordless, tokenless U2F. FIDO2 boasts a hardware key that includes options for strong single-factor (passwordless), strong two-factor, and multi-factor authentication.
- Multi-Factor Authentication (MFA) – This group can be split into 3 types.
  - 2FA – The user must supply identification twice, and each must be different from the other, so it can be a password plus a code delivered to a smartphone as a 6-digit code, or a code sent to email. Verification types vary by requesting party.
  - MFA – Multi-factor authentication is similar to 2FA; 2-3 types of verification are needed depending on the method and the request from the party being contacted. 2FA is a form of MFA, but not every MFA is 2FA. The difference is a bit confusing, but you’ll learn it in time.
  - Adaptive Multi-Factor Authentication (Okta) – This method is based on MFA but allows more contextual information to be used, rules set by the business, and, as one example, recognition of the device as part of the verification process. Requirements and rules can differ for every end-user. This method is used to make verification less rigid and more personalized, reducing the burden on the user.
- Biometric Authentication (Fingerprint and Facial Recognition) – Verification is resolved simply by using the user’s face or fingerprint, stored prior to use, as the authentication.
- Certificate-based Authentication (CBA) – Very simple in that it uses digital certificates to prove identity; that identity can be a device, a single user, or a network, to give a few examples.
- Symmetric-Key Authentication – Possibly the least known to the consumer-level user, this method uses the same key for encryption and decryption. It is usually, but not exclusively, used for larger amounts of data that need to be stored.
THE TAKEAWAY
So that seems like a tangled mess of choices, and there seem to be a lot of them.
The number of distinctly different options based on different algorithms is small, though. I understand, it seems very confusing. Depending on what type of consumer you are and your experience in this field, it absolutely can be.
Let me try to break it down as simply as possible for you so you can make a decision more confidently and with ease.
If you are not a business but just a single user, i.e., consumer level, your best options are going to be an authentication token in the form of a hardware key, which can be found at Yubico (any model will be great, but the FIDO2 is the king), and Google’s Titan hardware key.
You can also use software tokens, but they are a little less secure than a hardware key, and if you lose your device or it crashes, well, I hope you have a backup. If you do not want to purchase a hardware key, you can use multi-factor authentication.
Its security is still better than password authentication. However, keep in mind that at its core it is nothing more than password authentication that requires 2-3 verifications instead of just one.
With that being said, there are instances where hackers have had no problem getting through the two or three requirements to gain access to an account.
Certificate-based authentication would be an option as well; however, it is not widely used, as far as I can see.
As for biometrics, there’s a place in the security field for this technology; how it fits in as a secure option for users logging in over a computer, smartphone, or tablet, I cannot say. Some have questioned its effectiveness if the source of the verification is stored on the user’s computer, making it a file that could be exfiltrated by hackers.
If you are a business looking to up your game on a secure login method, some questions need to be answered.
What is the size of your employment pool and desired level of security?
I say this mostly for financial reasons: if a company cannot afford to purchase a hardware key for each employee and be prepared to replace lost ones, then one of the MFA options is going to be your most secure choice.
If budget is not a deciding factor, then the FIDO2 hardware security key is your best bet.
Some businesses can use biometrics for some applications. An example would be doors that unlock with fingerprints or cameras installed to recognize employees’ faces. And if large amounts of data need to be stored securely, symmetric-key authentication is a great option.
Just keep in mind that you are putting that information on one piece of hardware, and that one piece of hardware is used for both encryption and decryption, so if it is lost it could pose a serious security risk.
Biometrics in the workplace has a strong possibility of being a great long-term, cost-effective option in certain scenarios, but it would need to be offered at each workstation as well.
LAST WORDS
With all that being said, if you look at all the options and break them down, there are still very few. The available options share similarities and are not too different from one another.
For example, the multi-factor authentication process requires either two or three verifications of identification. So that makes it 2 to 3 times harder to compromise than if you’re just using one password.
If you’re using 2FA, it’s only twice as difficult to compromise as one password. The original single-password authentication is, well, by all means antiquated, not secure, and considered by most in the field a relic or dinosaur of login security.
Then there is the unique hardware key which, in my opinion, offers the highest level of security.
I have 4 hardware keys that I use: one set of keys travels with me everywhere I go, and in it one key works with the computer, while the other key is compatible with Apple’s Lightning connector. The other set is for home or office use.
The reason I possess 4 is so I have a backup of each key. It is highly recommended to have a backup. The downside, as of now, is that not every website is taking advantage of hardware keys.
If my opinion were to drive your decision, I would say the hardware key is a clear choice.
When I sign into my Gmail account, I’m required to give my password and enter my key, making it 2FA-level security. I am currently studying network security and penetration testing; I share this because I have proof that both MFA and 2FA can be cracked, it just takes a bit longer.
They are still good choices, just more vulnerable than most may lead you to believe.
The other protocols are suitable but more specialized in their compatibility, use, and offerings by businesses.
Whatever your choice for security is now or in the future, please just remember that eventually everything becomes vulnerable, and that if a security protocol was created by a computer, it can be hacked by a computer. There’s nothing foolproof, and the security industry will forever be chasing the next safest, more secure answer for our future.
Do not stall in making a decision based on the options that are available today. Each one of these can come with its own learning curve.
And I would suggest being one of the first to adopt this change, as the changes to password security are inevitable and right around the corner.
As the end-user of these technologies, it is your safety and security that are at risk, so feel free, and please contact your favorite businesses and websites to demand they offer more security and as many options as possible.
Remember, it is your information that they hold and it is their products that you buy. A certain level of security above what is currently being used is absolutely needed and required.