Posted by: Eric Hansen
For years upon years now people have been using passwords to authenticate themselves. However, the time has come for there to be a new contender. While I do not have the magic answer as to how to solve this issue, I do have my reasons for researching this topic.
Take, for example, password storage programs that keep passwords in a “secure” manner, which is fine, to an extent. But my objection to this is: how is it any more secure than writing your password on a Post-It note and putting it into a locked cabinet? For example, say you have a list of passwords in your home directory with rwx permissions for the owner only. You take that file and encrypt it using GPG, which is wonderful. However, what if you forget the passphrase to your file (i.e., lose the cabinet key)?
There’s the other side too of just remembering passwords. This is fine, but most people tend to associate the passwords they remember with things about themselves. If you like elephants, for example, there’s a chance that the password would contain the word “elephant” somewhere, even if it’s obfuscated using “l337” or something. Obfuscation isn’t security; it’s a false sense of security.
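The point about “l337” obfuscation can be made concrete on the defending side: a registration form can undo the common substitutions before it compares a candidate password against a wordlist, so “3l3ph4nt” is rejected just like “elephant”. The following is an added example written for this post, not the author’s code; the substitution table and the tiny wordlist are constructed for illustration (real strength estimators such as zxcvbn ship far larger tables).

```python
import itertools

# Reverse l33t table, constructed for this example: each symbol maps to the
# letter(s) it commonly stands in for. Ambiguous symbols ("1" can be "l" or
# "i") map to more than one letter and are expanded into several candidates.
LEET_MAP = {
    "4": "a", "@": "a",
    "3": "e",
    "1": "li", "!": "li", "|": "li",
    "0": "o",
    "5": "s", "$": "s",
    "7": "t",
    "8": "b",
    "9": "g",
}

# Constructed stand-in for a real dictionary / breached-password list.
WORDLIST = {"elephant", "password", "winter", "summer", "monkey"}


def deleet_candidates(password, limit=64):
    """Return the plain-letter spellings a l33t-obfuscated password may hide.

    Every character is replaced by its possible source letters; the cartesian
    product of those choices gives the candidates. `limit` caps the expansion
    so a long password full of ambiguous symbols cannot blow up the check.
    """
    options = [LEET_MAP.get(ch, ch) for ch in password.lower()]
    candidates = []
    for combo in itertools.product(*options):
        candidates.append("".join(combo))
        if len(candidates) >= limit:
            break
    return candidates


def dictionary_hits(password, wordlist=WORDLIST):
    """Dictionary words that survive inside the password once l33t is undone.

    Substring matching means trailing decoration such as "2012!" does not
    rescue the password: "El3ph@nt2012!" still hits "elephant".
    """
    hits = set()
    for candidate in deleet_candidates(password):
        hits.update(w for w in wordlist if w in candidate)
    return sorted(hits)


def is_obfuscated_dictionary_word(password):
    """True when the password is just a dictionary word wearing l33t makeup."""
    return bool(dictionary_hits(password))


if __name__ == "__main__":
    for pw in ["3l3ph4nt", "El3ph@nt2012!", "P@55w0rd", "xQ7#vL2pZ"]:
        print(pw, "->", dictionary_hits(pw) or "no dictionary word found")
```

Run stand-alone it prints the hidden word for the first three inputs and reports nothing for the random-looking one; in a real deployment the wordlist would be the site’s breached-password feed and the check would sit next to the usual length and reuse rules.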
While talking with one of my friends, they brought up the defense of using smartphones, SMS, etc. While smartphones are rising sharply in popularity, not everyone has or wants one. A good example is my fiancée, who sees no point in carrying around a computer in her pocket when all she needs a phone for is texting and calling. She doesn’t use Facebook or much else. So right there you’re alienating part of your audience. The same goes for relying on SMS or some other method. While they are wonderful options for a 2-factor authentication implementation, they should basically be provided as a tier-2 option.
While typing this article I even considered using a “secret question”, like the ones most websites use to let you reset your password. This, though, is dangerous too, and even more so than passwords, because it’s more personal to the user than any method discussed so far.
An interesting idea, though, would be to use a token (e.g., an RSA token) that acts as a signature validator of sorts: you plug it into the computer, a device driver reads it, and the user is authenticated that way. However, again, the safest approach as it stands right now is to use this in a 2-factor authentication scheme, but only as a tier-2 method. Most people put these tokens on their keychains, and keys tend to get lost or misplaced. If you lose that token, you can’t log in. If someone gets it from you, they can log in as you. While I personally like this method, short of embedding a USB device into someone, it’s not very feasible right now as a single authentication method.
A lot of the ways we log in to systems these days are fine as a 2-tier system, but none of them actually provides security; they just add an additional layer of safety to your account.