Whether they use passwords or biometrics, many security processes have weaknesses of their own. New protection concepts are necessary and some developments sound very promising.
In the first six months of this year alone, according to US news magazine Forbes, 4.1 billion datasets with user data were stolen.. 65% of them also contained passwords. This meant that equally as many users had to think up a new password. And a lot of them are not especially creative: Topping the list of favourite passwords is the number sequence 123456 or the word “password”. This is despite the fact that there are various tools available to help users choose a secure password, from small cards that suggest a different character for each letter to sophisticated password generators that are meanwhile included in many software programmes. However, most users are overwhelmed by the increasing number of passwords necessary. One solution is offered by “password safes”, which store access data in an encrypted database protected by a master password. But some of these programmes have their own security flaws. Security is therefore completely dependent on choosing a suitable product, which is why researchers are looking for alternative solutions.
Initially, it seemed that biometric processes offered a simple method. A smartphone can be unlocked with a fingerprint or facial image, and doors can be opened with a hand vein or iris scanner. However, the security of these methods has meanwhile come under fire. Years ago, the Chaos Computer Club used forensic methods to take a fingerprint from a glass and produce a replica that could unlock a smartphone, for example. Likewise, contact lenses have been used to produce imitation irises or photos used for facial recognition. Recently, a security specialist showed how you can use relatively simple methods to trick hand vein scanners.
In this context, users have another problem: If these personal characteristics are stolen they cannot simply be replaced like a password. As an alarming investigation by Bavarian broadcaster Bayrischer Rundfunk showed, there are already several million biometric datasets in circulation. They often come from the data collections of public agencies that capture this data for identification documents. IS terrorists have already used such data to create false identities.
Two-factor authentication and FIDO2
Highly popular at the moment is two-factor authentication, where another identification factor is required in addition to a password. However, this second factor has to be input via a different device, e.g. a smartphone that a code or PIN is sent to. The principle is to associate something that the user knows and something that they need to have in their possession. However, many users find this process too complicated.
A high level of security plus ease of use is offered by the USB keys or smart cards often used in large companies. These hardware tokens can be combined particularly effectively with the promising new internet standard FIDO2 (Fast IDentity Online 2). FIDO2 is designed to offer a secure and user-friendly authentication process as well as ensure the anonymity of the user, because when they log on, no personal data is stored on the device. This standard was developed in collaboration between companies such as Google, Microsoft, Facebook, Amazon, Paypal, Visa and Mastercard and the World Wide Web Consortium, which is likely to ensure that it is widely accepted. Users can already try out this new process on the website webauthn.io. In future, users will then probably carry a token on their keyring that they can then use everywhere to log on online. However, it is important not to lose this token as misuse could not be ruled out.
Until secure alternatives have become established, it is recommended to review the security of your own access data following a data breach. There are various options available on the internet such as the Identity Leak Checker from the Hasso Plattner Institute or the web service HaveIBeenPwned, where can use your email address to find out whether an associated password is in circulation. Such passwords need to be regarded as ‘burned’, because they are usually offered at low cost on the dark net.
You will also find news about all aspects of it-sa and the world of IT security in the it-sa Security Newsletter.