Secure Authentication Protocols Move to Center Stage; Still More Work to be Done
After years being on the margins of data security, authentication appears to be finally getting the attention it deserves. Once viewed as the province of tech workers with fobs and tokens dangling on their lanyards, authentication tools and protocols are becoming more seamlessly integrated into products and online services.
Over the last couple of years or so, companies like Google and Facebook have attempted to raise the level of security provided to their users by offering an additional layer of identity verification: passcodes sent via text message, or device verification based on physical location. Last week, Glenn Fleishman, senior contributor at Macworld, reported that Apple was now joining the 2FA (two-factor authentication) movement.
In its most recent update – issued by invitation only – Apple is strongly encouraging users to move from two-step verification at sign-in to two-factor authentication. Apple users “running the latest major OS release and the latest iTunes on every device connected to the same iCloud account” can, when invited, start using the new 2FA protocol. Similar to the option to enable two-factor authentication in the Google-verse, those who opt in will have to enter a “confirmation code from another piece of equipment [they’ve] established is under [their] control,” such as a computer or mobile device. An added benefit is the ability to enrol multiple devices in the authentication/verification protocol to simplify usage patterns. Users are alerted when an access attempt is made and can deny it with a simple tap of the screen.
While this is certainly a step in the right direction toward user-friendly data security, in that a “second factor prevents someone from stealing or guessing” a password in a simple user name/password setup, it is still more security theater than security actuality. Keeping secondary authentication in-band, or tied to a mobile phone’s SMS functionality, still leaves a user open to a host of vulnerabilities, from man-in-the-middle exploits to Trojan attacks. Some other items that caught my eye as areas for improvement are the lack of alerting, the removal of the Recovery Key, and the ability to store app passwords in plain text. That said, Apple’s refusal to compromise on strong passwords gains major points, as do the audit trail for the password storage function and the automatic wipe mechanism.
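The out-of-band alternative to an SMS passcode is a code generated on the user’s own device from a shared secret, so no code ever crosses the phone network. The following is an added example, not code from the article or from Apple or Google: a minimal HMAC-based one-time-password generator and verifier in the style of RFC 4226/6238, with a bounded clock-skew window, a constant-time comparison, and a replay check so a captured code cannot be submitted twice. The secret, digit count and time step are illustrative assumptions; the RFC’s published test secret is used so the result can be checked against the standard’s vectors.

```python
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 reference secret (ASCII "12345678901234567890").
# Used here only so the output can be checked against the RFCs' test vectors.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 one-time code for a 64-bit counter (RFC 4226 dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based code: the counter is the number of `step`-second periods since epoch."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server-side check of a user-submitted code.

    - Accepts codes from `window` periods either side of 'now' to tolerate clock skew.
    - Compares in constant time so timing does not leak how many digits matched.
    - Remembers the last accepted period so a replayed (intercepted) code is rejected.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_accepted_period = -1

    def verify(self, submitted: str, unix_time: int) -> bool:
        if len(submitted) != self.digits or not submitted.isdigit():
            return False
        now_period = unix_time // self.step
        for period in range(now_period - self.window, now_period + self.window + 1):
            # A period at or before the last accepted one is a replay: never honour it.
            if period <= self.last_accepted_period:
                continue
            expected = hotp(self.secret, period, self.digits)
            if hmac.compare_digest(expected, submitted):
                self.last_accepted_period = period
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 Appendix B: SHA-1, T=59 -> "94287082" (8 digits).
    print(totp(RFC_TEST_SECRET, 59, digits=8))
    v = TotpVerifier(RFC_TEST_SECRET, digits=8)
    code = totp(RFC_TEST_SECRET, 59, digits=8)
    print(v.verify(code, 59), v.verify(code, 59))  # True, then False (replay)
```

The verifier never trusts the submitted string beyond its length and character class, and it stores only the last accepted period rather than the codes themselves, which is all that is needed to reject a replay inside the skew window.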
It seems that for every step we take forward in developing a genuine culture of data security for our online activities, we are still intent on tripping over ourselves with complexity. Tokens that get lost, and protocols that, when they fail, require waiting up to a week to restore an account, simply don’t make security look like a good investment to most users.
Solving this conundrum is the next big challenge for the data security industry. So let’s get a move on!