Broken “keychain” shows futility of single-factor authentication
Security professionals understand that some of the largest challenges they face every day are human nature and the behaviors of their own user base.
As we’ve discussed in previous posts, good cyber hygiene still eludes a majority of users. Within the enterprise, strong passwords are often eschewed for ones that are easy to remember. And organizations that do require strong passwords often find that their end users pick one difficult password and reuse it across all of their accounts, or simply append a few extra characters to an easy-to-remember password and reuse that for other things, both inside and outside the company.
Let’s face it, these behaviors are more convenient for people, and the resulting passwords aren’t as hard to recall in a pinch. It’s this human nature that has led many security professionals to embrace password managers, and it’s completely understandable why.
Password managers are software that stores and manages a user’s credentials so that online accounts can be reached easily and safely. They remember the credentials on the user’s behalf, which makes a password more complicated than “123456” easy to live with because it never has to be typed by hand. That puts better cyber hygiene and strong, unique passwords within reach of the masses.
Password managers hold so much promise for enabling better security, that Tim Ferrill of InfoWorld praised them in a recent article. In a June 17, 2015 piece entitled, “Review: The best password managers for PCs, Macs, and mobile devices,” Tim wrote the following:
“One of the smarter moves we can make to protect ourselves is to use a password manager. It’s one of the easiest too. A password manager won’t shield you against Heartbleed or the NSA, but it’s an excellent first step in securing your identity, helping you increase the strength of the passwords that protect your online accounts because it will remember those passwords for you.”
The timing of that article was unfortunate, because that very same day a team of university researchers publicly disclosed a set of weaknesses in Apple’s OS X and iOS, including one that let a malicious app on OS X read the passwords that other apps had stored in the keychain.
The weaknesses were found by researchers largely from Indiana University and the Georgia Institute of Technology and described in a paper entitled, “Unauthorized Cross-App Resource Access on MAC OS X and iOS.” According to the paper:
“Our research leads to the discovery of a series of high-impact security weaknesses, which enable a sandboxed malicious app, approved by the Apple Stores, to gain unauthorized access to other apps’ sensitive data. More specifically, we found that the inter-app interaction services, including the keychain and WebSocket on OS X and URL Scheme on OS X and iOS, can all be exploited by the malware to steal such confidential information as the passwords for iCloud, email and bank, and the secret token of Evernote.”
This vulnerability, together with the recent breach at LastPass and incidents at other password management solutions, shows that securing our online accounts with a single factor, a username and a password, is just not enough today. Are password managers simply lipstick on a pig, making an old-fashioned approach to security incrementally stronger and easier to use? Unfortunately, they don’t make the user fundamentally safer: a single leaked credential still unlocks the account it protects.
Password managers don’t necessarily add any factor to the authentication process, and in some cases the stored credentials are synchronized to other devices. They offer secure convenience, but how secure? If the master password or a synchronized copy of the vault is compromised, or the password manager vendor itself is breached, the exposed credentials can give bad actors access to every one of the affected user’s accounts, from bank accounts to email, and through those an almost unlimited amount of information about the user.
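To make that scenario concrete, here is an added example written for this post (it is not code from Apple, LastPass or any password manager): a small verifier in Python that grants access to a password-only account with nothing more than the password copied out of a leaked vault, but refuses the same stolen password on an account that also requires a time-based one-time code (RFC 6238 TOTP). The account records and sample password are constructed, the TOTP seed and timestamp are the RFC 6238 test vectors, and PBKDF2 is used for the password hash only because it ships with the standard library.

```python
"""Added example: a leaked vault password is sufficient for a password-only
account but not for one that also requires a second factor.
Constructed for this post; not the code of any password manager or vendor."""
import hashlib
import hmac
import secrets
import struct
from typing import Optional

# --- Factor 1: the password ------------------------------------------------
# PBKDF2-HMAC-SHA256 is used only because it is in the standard library; a
# production verifier would prefer a memory-hard KDF such as Argon2id or scrypt.
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, hash) for a new credential record."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def check_password(password: str, salt: bytes, expected: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, expected)   # constant-time comparison


# --- Factor 2: a time-based one-time code (RFC 6238, HMAC-SHA1, 30 s step) --
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): truncate HMAC-SHA1(secret, counter) to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, unix_time // step, digits)


def check_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side for clock drift."""
    counter = unix_time // 30
    return any(hmac.compare_digest(hotp(secret, counter + d).encode(), code.encode())
               for d in range(-window, window + 1))


# --- The verifier ----------------------------------------------------------
def login(record: dict, password: str, code: Optional[str], now: int) -> bool:
    """Succeed only when every factor enrolled on the record verifies."""
    if not check_password(password, record["salt"], record["pw_hash"]):
        return False
    secret = record.get("totp_secret")
    if secret is None:
        return True            # password-only account: one stolen secret is enough
    if code is None:
        return False           # second factor enrolled but not presented
    return check_totp(secret, code, now)


def vault_leak_scenario() -> dict:
    """Attacker holds a password copied from a breached vault but not the TOTP device."""
    now = 1111111109                          # RFC 6238 test-vector timestamp
    secret = b"12345678901234567890"          # RFC 6238 test-vector seed (constructed)
    salt, pw_hash = hash_password("correct horse battery staple")  # sample credential
    password_only = {"salt": salt, "pw_hash": pw_hash}
    with_mfa = {"salt": salt, "pw_hash": pw_hash, "totp_secret": secret}
    stolen = "correct horse battery staple"   # what the attacker read from the vault
    return {
        "password_only": login(password_only, stolen, None, now),
        "mfa_no_code": login(with_mfa, stolen, None, now),
        "mfa_stale_code": login(with_mfa, stolen, totp(secret, 59), now),  # old code
        "mfa_correct_code": login(with_mfa, stolen, totp(secret, now), now),
    }


if __name__ == "__main__":
    for case, ok in vault_leak_scenario().items():
        print(f"{case:18s} -> {'ACCESS' if ok else 'denied'}")
```

Run it directly to see which logins succeed. The point is not that TOTP is the final answer, but that a factor the attacker cannot copy out of a vault stops the leaked password from being sufficient on its own, which is exactly the gap a password manager by itself leaves open.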
What we really need to secure all of our digital accounts (our personal, professional and purchasing personas) and the critical information within them is a paradigm shift away from reliance on traditional authentication and passwords. We need to think differently about how we secure and authenticate our accounts.
We need to authenticate our identities in ways that go beyond the simple and convenient, and we need more than one or two factors plus a secure password database, so that the exposure of some personal information through an opaque channel does not immediately equal a compromised account.
We must think about digital authentication holistically, in a way that adds location, intent and persistence to a multifactor approach, across our infrastructure and the many devices we use. Wrap this approach in a completely out-of-band process that removes a wider range of attack vectors. Lastly, we absolutely need to make all of this easy to use because, as we’ve seen with passwords and cyber hygiene, ease of use can make all the difference between security that is strong and adhered to and security that is strong but underused or ignored.
All of this together can give users the convenience they want along with a much more hardened fortress, one that defends not only the outside of the fort but the inside of its walls, and even the attack vectors we don’t yet know about.