Taking logon seriously

To a great extent, many of the challenges in information security boil down to human factors engineering. We tend to have got the security-convenience trade-off in infosec badly wrong. The computer password is a relic of the 1960s, devised by technicians, for technicians. If we look at traditional security, we see that people are universally habituated to good practices with keys and locks.

The terrible experience of Wired writer Mat Honan being hacked created one of those classic overnight infosec sensations. He’s become the poster boy for the movement to ‘kill the password’. His follow up post of that name was tweeted over two thousand times in two days.

Why are we so late to this realisation? Why haven’t we had proper belts-and-braces access security for our computers ever since the dawn of e-commerce? We all saw this coming — the digital economy would become the economy; the information superhighway would become more important than the asphalt one; our computing devices would become absolutely central to all we do.

It’s conspicuous to me that we have always secured our serious real world assets with proper keys. Our cars, houses, offices and sheds all have keys. Many of us would have been issued with special high security keys in the workplace. Cars these days have very serious keys indeed, with mechanical and electronic anti-copying design features. It’s all bog standard.

But for well over a decade now, cyber security advocates speak earnestly about Two Factor Authentication as if it’s something new and profound. And what’s worse, IT people have let the term Two Factor Authentication (which in my view necessarily entails a physical hardware device – something you will be aware of when you’ve lost it) become bastardised in various ways. People can talk of “Multi Factor Authentication” including Knowledge Based Authentication as if they’re equivalent to 2FA.

For a few extra bucks we could build proper physically keyed security into all our computers and networked devices. The ubiquity of contactless interfaces by Wi-Fi or NFC opens the way for a variety of radio frequency keys in different form factors for log on.

There’s something weird about the computing UX that has long created different standards for looking at the cyber world and the real world. A personal story illustrates the point. About nine years ago, I met with a big e-commerce platform provider that was experiencing a boom in fraud against the online merchants it was hosting. They wanted to offer their merchant tenants better security against hijackers. I suggested including a USB key for mutual authentication and strong digital signatures, but the notion of any physical token was rejected out of hand. They could not stomach the idea that the merchant might be inconvenienced in the event they misplaced their key. What an astonishing double standard! I asked them to imagine being a small business owner, who one day drives to the office to find they’ve left door key behind. What do you want to do? Have some magic protocol that opens the door for you, or do you put up with the reality of having to turn around and get your keys? Could they not see that softening the pain of losing one’s keys by creating magic remedies was going to compromise security?

We are universally habituated to physical keys and key rings. They offer a brilliant combination of usability and security. If we had comparably easy-to-use physical keys for accessing virtual assets, we could easily manage a suite of 10 or 15 or more distinct digital identities, just as we manage that many real world keys. Serious access security for our computers would be simple, if we just had the will to engineer our hardware properly.