When someone gets hacked, most people picture a scene from, well, Hackers: lots of typing, encryption cracking, mad random-code-typing skills. The truth is much more boring, and much scarier for companies: most attacks exploit human errors, not system flaws.
As Shift on the Road took to Seattle and San Francisco, the digital giants of the USA, Julia Biro, Infobip’s Developer Relations Team Lead, tackled this topic on stage.
Before diving into how authentication and authorization methods fall short, let’s make sure we know the difference between the two. Authentication checks that you are who you say you are. Authorization checks whether you have permission to access the resource or information you are trying to reach.
Two-factor authentication (2FA) and multi-factor authentication (MFA) are industry standards, whether you’re logging into a social media account or accessing super secret plans to take over the world. They have one thing in common, and that is the factor, as Julia points out:
The factor is just a piece of evidence used to prove that you are who you say you are.
This evidence can come in several forms: something you know (a PIN, password or passphrase), something you have (your phone) or something you are (a fingerprint). Knowledge, the oldest authentication factor, remains the most popular one to date, and in most cases it is just passwords:
I’m going to say it flat out. In most cases, your password does not matter at all.
The five most common techniques are credential stuffing, phishing, keystroke logging, local discovery (the password written down or stored in the clear) and extortion. None of them guesses anything: the attacker obtains the password itself, so how strong it is does not matter.
Password strength only helps against two attacks, password spraying and brute forcing. Spraying takes a short list of very common passwords and tries each one against a large list of usernames or email addresses, so that no single account sees enough failures to trigger a lockout. Brute forcing is the reverse: an attacker spends time and resources guessing one account’s password.
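Telling the two apart in your authentication logs matters because the countermeasures differ: per-account lockout slows a brute force but does nothing against a spray, which by design touches each account only once or twice. The following is an added example, not code from the talk: a small Python classifier run over a few constructed failed-login lines (the log format, source addresses and thresholds are assumptions for illustration).

```python
"""Classify failed-login bursts per source as password spraying or brute forcing.

Password spraying: one source, a few common passwords, many accounts, so every
account sees only one or two failures (stays under the lockout threshold).
Brute forcing: one source, many guesses against one or two accounts.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): "<ISO timestamp> <source IP> <FAIL|OK> <username>"
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 FAIL alice
2024-05-01T10:00:02Z 203.0.113.7 FAIL bob
2024-05-01T10:00:03Z 203.0.113.7 FAIL carol
2024-05-01T10:00:04Z 203.0.113.7 FAIL dave
2024-05-01T10:00:05Z 203.0.113.7 FAIL erin
2024-05-01T10:00:06Z 203.0.113.7 FAIL frank
2024-05-01T10:03:00Z 198.51.100.9 FAIL dave
2024-05-01T10:03:01Z 198.51.100.9 FAIL dave
2024-05-01T10:03:02Z 198.51.100.9 FAIL dave
2024-05-01T10:03:03Z 198.51.100.9 FAIL dave
2024-05-01T10:03:04Z 198.51.100.9 FAIL dave
2024-05-01T10:03:05Z 198.51.100.9 FAIL dave
2024-05-01T10:07:00Z 192.0.2.44 FAIL erin
2024-05-01T10:07:30Z 192.0.2.44 OK erin
"""


def parse_events(text):
    """Yield (timestamp, source, result, user) tuples from the constructed format."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, result, user = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, result, user))
    return events


def classify_sources(text, window=timedelta(minutes=10), min_failures=5, max_per_user=2):
    """Return {source_ip: 'password_spray' | 'brute_force' | 'suspicious' | 'benign'}.

    Thresholds are illustrative: a spray is many distinct users with at most
    max_per_user failures each; a brute force is min_failures or more against
    one or two users, all inside one time window.
    """
    failures = defaultdict(list)  # source -> [(timestamp, user)]
    for ts, src, result, user in parse_events(text):
        if result == "FAIL":
            failures[src].append((ts, user))

    verdicts = {}
    for src, fails in failures.items():
        fails.sort()
        start = fails[0][0]
        in_window = [user for ts, user in fails if ts - start <= window]
        per_user = defaultdict(int)
        for user in in_window:
            per_user[user] += 1

        if len(in_window) < min_failures:
            verdicts[src] = "benign"
        elif len(per_user) >= min_failures and max(per_user.values()) <= max_per_user:
            verdicts[src] = "password_spray"
        elif len(per_user) <= 2:
            verdicts[src] = "brute_force"
        else:
            verdicts[src] = "suspicious"  # mixed pattern worth a human look
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify_sources(SAMPLE_LOG).items():
        print(f"{src:15} {verdict}")
```

The spraying source never trips a per-account lockout (one failure per user), which is exactly why it has to be caught at the source-address level rather than the account level.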
This is when being prudent and using a longer password proves to be a good choice:
Brute forcing an eight-character password takes about a day with modern technology. The good news is that every time you add a character to your password, the complexity of the process increases significantly. It takes one day to hack an eight-character password, three months to hack a nine-character password, and ten years to hack a ten-character password.
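To see where those figures come from, here is the arithmetic behind exhaustive search as an added example (not from the talk). The guess rate is an assumption picked so that an eight-character password over the 95 printable ASCII symbols takes about a day, matching the figure quoted above; real rates depend on the hash algorithm and the hardware. The last function goes one step beyond the quote and shows why length alone does not help against a dictionary attack.

```python
"""Cost of exhaustive search as a function of password length and alphabet size.

Added example, not from the talk. ASSUMED_GUESSES_PER_SECOND is an assumption
chosen so that 95^8 candidates take about a day; real figures vary by hash and hardware.
"""
import math

SECONDS_PER_DAY = 86_400
ASSUMED_GUESSES_PER_SECOND = 1e11  # assumption: fast unsalted hash on a GPU rig


def keyspace(alphabet_size, length):
    """Candidates an exhaustive search must try in the worst case."""
    return alphabet_size ** length


def entropy_bits(alphabet_size, length):
    """Equivalent key length in bits for a uniformly random password."""
    return length * math.log2(alphabet_size)


def days_to_exhaust(alphabet_size, length, rate=ASSUMED_GUESSES_PER_SECOND):
    """Days to try every candidate at the given guess rate."""
    return keyspace(alphabet_size, length) / rate / SECONDS_PER_DAY


def growth_per_character(alphabet_size):
    """Factor by which the work grows when one character is added: the alphabet size."""
    return days_to_exhaust(alphabet_size, 9) / days_to_exhaust(alphabet_size, 8)


def days_to_exhaust_wordlist(words, rules, rate=ASSUMED_GUESSES_PER_SECOND):
    """A dictionary attack ignores length: cost is wordlist size times mangling rules."""
    return words * rules / rate / SECONDS_PER_DAY


if __name__ == "__main__":
    for length in (8, 9, 10):
        print(f"{length} printable chars: {days_to_exhaust(95, length):10.1f} days "
              f"({entropy_bits(95, length):.1f} bits)")
    print(f"10 digits only:      {days_to_exhaust(10, 10):10.6f} days")
    print(f"10M words x 10k rules: {days_to_exhaust_wordlist(10_000_000, 10_000):8.6f} days")
```

With a 95-symbol alphabet each added character multiplies the work by 95, which is why the day, three-months and decade figures above climb so steeply. A ten-digit PIN, by contrast, falls in a fraction of a second, and a ten-million-word list combined with ten thousand mangling rules is searched in about a second regardless of how long the resulting candidates are.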
The best practice is, of course, to use a different password for every account you have and not to save it in your browser. Here’s the kicker: most people know that, but simply don’t care:
LastPass did a survey, and 59% of the users reused passwords multiple times. 91% of them were aware of the risks and did it anyway.
Why is 2FA via SMS evil?
2FA definitely adds a layer of security, if implemented correctly. SMS delivery is convenient and comes with dev-friendly APIs and SDKs, but it has shortcomings, and they usually sit with the mobile network provider:
The point of failure is the human working for your phone network provider. The most common type of fraud in the UK is calling the network provider and porting a user’s number.
Other common attacks are intercepting the SMS, phishing via SMS, and impersonating the network provider to have messages redirected. People do not realize that a phone number is not a unique, permanent identifier: numbers get reassigned to new subscribers and can be ported to another SIM.
Another important thing to note is that 2FA via SMS is not the same as password reset via SMS, even though the two often come bundled as a service. As a second factor, the SMS code is checked in addition to the password. As a reset channel, whoever receives the code gets to set a new password, so the phone number alone is enough to take over the account. When you reset your password with an SMS you are not protected; a study has even shown that password reset via SMS gives a false sense of security. So why do we still use it? In a way, 2FA via SMS is to blame. It is affordable and widely available, and it sets up the infrastructure that a password reset via SMS then reuses:
Companies usually enable both because they don’t know the difference or they just don’t care.
This is where Julia sees an opportunity to make a difference when designing applications and building authentication processes.
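The difference is easiest to see in code. The following is an added example, not Infobip’s or the talk’s code: an in-memory model in which an attacker who has ported the victim’s number can read its SMS but does not know the password. The same SMS code is harmless as a second factor and fatal as a reset channel; the hardened reset additionally requires a recovery code handed out at enrollment, which is this example’s choice of a secret that never travels through the carrier (the gateway, account class and code formats are all assumptions).

```python
"""SMS as a second factor versus SMS as a password-reset channel.

Added example, not Infobip's or the talk's code. The gateway and accounts are
in-memory stand-ins; a ported number is simulated by letting the attacker read
that number's inbox. The recovery code is this example's choice of a non-phone secret.
"""
import hashlib
import hmac
import secrets


class SmsGateway:
    """Stand-in for an SMS provider: the latest code per number sits in an inbox."""

    def __init__(self):
        self.inbox = {}

    def send_code(self, number):
        code = f"{secrets.randbelow(10**6):06d}"
        self.inbox[number] = code
        return code

    def read(self, number):
        return self.inbox.get(number)


def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    def __init__(self, password, phone, recovery_code):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _pw_hash(password, self.salt)
        self.phone = phone
        # Recovery code shown once at enrollment; never sent over SMS.
        self.recovery_hash = hashlib.sha256(recovery_code.encode()).digest()

    def check_password(self, password):
        return hmac.compare_digest(_pw_hash(password, self.salt), self.pw_hash)

    def set_password(self, new_password):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _pw_hash(new_password, self.salt)


class AuthService:
    def __init__(self, sms):
        self.sms = sms
        self.pending = {}  # id(account) -> code we expect back

    def _send_challenge(self, acct):
        self.pending[id(acct)] = self.sms.send_code(acct.phone)

    def _check_challenge(self, acct, code):
        expected = self.pending.pop(id(acct), None)  # single use
        return expected is not None and hmac.compare_digest(expected, code)

    # 2FA: the SMS code is only requested after the password has been verified.
    def start_login(self, acct, password):
        if not acct.check_password(password):
            return False
        self._send_challenge(acct)
        return True

    def finish_login(self, acct, code):
        return self._check_challenge(acct, code)

    # Weak reset: possession of the phone number alone sets a new password.
    def start_reset(self, acct):
        self._send_challenge(acct)

    def finish_reset_sms_only(self, acct, code, new_password):
        if not self._check_challenge(acct, code):
            return False
        acct.set_password(new_password)
        return True

    # Hardened reset: SMS code plus a secret that does not travel through the carrier.
    def finish_reset_hardened(self, acct, code, recovery_code, new_password):
        given = hashlib.sha256(recovery_code.encode()).digest()
        recovery_ok = hmac.compare_digest(given, acct.recovery_hash)
        # The challenge is consumed either way, so a wrong recovery code cannot be
        # retried against the same SMS code.
        if not self._check_challenge(acct, code) or not recovery_ok:
            return False
        acct.set_password(new_password)
        return True


def simulate_sim_swap():
    """Attacker controls the victim's number (reads its SMS) but not the password."""
    sms = SmsGateway()
    svc = AuthService(sms)
    results = {}

    victim = Account("correct horse battery staple", "+15550100", "R3C0V-3RY")
    # Login: the ported number is useless without the password; no code is even sent.
    results["login_with_number_only"] = svc.start_login(victim, "guess")
    # SMS-only reset: the number alone takes over the account ...
    svc.start_reset(victim)
    results["sms_only_reset"] = svc.finish_reset_sms_only(
        victim, sms.read(victim.phone), "attacker-pw")
    # ... after which the attacker passes both "factors".
    results["login_after_reset"] = (svc.start_login(victim, "attacker-pw")
                                    and svc.finish_login(victim, sms.read(victim.phone)))

    victim2 = Account("correct horse battery staple", "+15550199", "R3C0V-3RY")
    svc.start_reset(victim2)
    results["hardened_reset_without_recovery_code"] = svc.finish_reset_hardened(
        victim2, sms.read(victim2.phone), "wrong", "attacker-pw")
    results["victim2_password_intact"] = victim2.check_password("correct horse battery staple")
    return results


if __name__ == "__main__":
    for name, outcome in simulate_sim_swap().items():
        print(f"{name}: {outcome}")
```

The point of the model is the asymmetry: `start_login` never sends a code until the password has passed, so the second factor only ever adds to the first, whereas `finish_reset_sms_only` lets the phone number replace the password outright. Enabling both flows on the same number, as the quote above describes, silently reduces the account to one factor.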
Is security a losing battle then? Spoiler: Not quite.
So what’s the hot take from Julia’s talk?
It is always the human that fails.
We can engineer the perfect application with the ideal authentication flow, but the human factor always fails, Julia concludes. People usually choose the protection that offers the least resistance, and that almost always means weaker security. Some will lock their life savings behind a password containing their partner’s name, or maybe an anniversary:
So I don’t know where we went wrong, but I think it is on us to catch up to what we do in real life and deploy risk-based authentication, which is the happy middle ground.
Risk-based authentication uses real-time signals to build a picture of the context behind each login: the device, its location, the network it comes from and the sensitivity of the information being requested. A login that looks routine gets through with the usual factors; one that looks out of place is asked for more proof or refused.
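A minimal version of that decision, as an added example that is not the talk’s code: each login is scored from the four kinds of signal named above, and the score needed to trigger a step-up depends on what is being accessed. The signals, weights and thresholds are illustrative assumptions that a real deployment would tune from its own login data.

```python
"""Risk-based (adaptive) authentication: score a login's context and decide whether
to allow it, ask for a further factor, or deny it.

Added example, not the talk's code; the weights and thresholds are assumptions.
"""
from dataclasses import dataclass


@dataclass
class LoginContext:
    user: str
    device_known: bool            # device fingerprint seen on a previous successful login
    country: str                  # geolocation of the source address
    last_country: str             # where the previous successful login came from
    hours_since_last_login: float
    anonymizing_network: bool     # Tor exit, known VPN/proxy range and similar
    sensitivity: str              # "low" (browsing) or "high" (payments, admin)


# Assumed weights; the order of magnitude matters more than the exact numbers.
WEIGHTS = {
    "unknown_device": 30,
    "new_country": 20,
    "impossible_travel": 30,
    "anonymizing_network": 25,
}
# A sensitive resource tolerates less risk before asking for more proof.
STEP_UP_THRESHOLD = {"low": 50, "high": 20}
DENY_THRESHOLD = 80


def risk_signals(ctx):
    """Names of the signals present in this login context."""
    signals = []
    if not ctx.device_known:
        signals.append("unknown_device")
    if ctx.country != ctx.last_country:
        signals.append("new_country")
        if ctx.hours_since_last_login < 2:
            signals.append("impossible_travel")  # two countries within two hours
    if ctx.anonymizing_network:
        signals.append("anonymizing_network")
    return signals


def risk_score(ctx):
    return sum(WEIGHTS[s] for s in risk_signals(ctx))


def decide(ctx):
    """Return 'allow', 'step_up' (require another factor) or 'deny'."""
    score = risk_score(ctx)
    if score >= DENY_THRESHOLD:
        return "deny"
    if score >= STEP_UP_THRESHOLD[ctx.sensitivity]:
        return "step_up"
    return "allow"


def example_contexts():
    """Constructed logins for the same user under different circumstances."""
    base = dict(user="alice", device_known=True, country="HR", last_country="HR",
                hours_since_last_login=24.0, anonymizing_network=False)
    return {
        "routine_browse": LoginContext(**base, sensitivity="low"),
        "routine_payment": LoginContext(**base, sensitivity="high"),
        "new_laptop_payment": LoginContext(**{**base, "device_known": False}, sensitivity="high"),
        "travel_browse": LoginContext(**{**base, "country": "US"}, sensitivity="low"),
        "travel_payment": LoginContext(**{**base, "country": "US"}, sensitivity="high"),
        "hijack_pattern": LoginContext(**{**base, "device_known": False, "country": "US",
                                           "hours_since_last_login": 0.5,
                                           "anonymizing_network": True}, sensitivity="high"),
    }


if __name__ == "__main__":
    for name, ctx in example_contexts().items():
        print(f"{name:20} score={risk_score(ctx):3} -> {decide(ctx)}")
```

The same context can yield different decisions: a login from a new country is waved through for ordinary browsing but asked for a further factor before a payment. That is the middle ground the quote describes, keeping the low-friction path for logins that look like the user and reserving the extra factor for the ones that do not.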
There must be a way to balance a decent user experience with an appropriate level of security, and that space is where great innovation can happen.