#106: Security Briefing - Beyond Passwords

Continuing my mini-series on security, I want to follow on from last week's episode, taking a look beyond passwords.

We are rapidly moving to additional forms of proving our identity - be it something we KNOW, something we HAVE or something we ARE - and, possible more importantly, using multiple when doing so (MFA/ 2FA).

Or listen at:

Published: Wed, 27 Oct 2021 14:43:02 GMT


Hello, and welcome back to the Better ROI from Software Development podcast.

In this episode, I'm going to continue my mini-series on security briefings. In episode 103, I talked about the ever growing importance of cybersecurity, and in the last episode I introduced you to passwords and why they're so important.

In this episode, I want to continue the conversation on passwords or, more importantly, beyond passwords.

But before I get into that, I want to go back briefly to the last episode. In the episode, I talked about NIST advice about not forcing password reset. They found that forcing password resets produced unexpected, dysfunctional behaviour - such as easy to update passwords, such as adding a one to the end or writing them down.

Their recommendation was to move away from forcing people to change their password on a regular basis.

However, since that episode, it has been highlighted to me by a colleague that some governance programmes actually explicitly require user passwords to be changed. For example, they cited the PCI DSS requirements used for payment card processing, which explicitly requires that changes to user passwords happened at least every 90 days.

Not only is that a requirement, you're also getting audited on it.

So while my previous advice was very much consider the NIST guidance - in this case, I think we've probably got to take into account that if you're part of one of those governance structures, you have to follow that in the first instance.

While I have no doubt at some point the PCI rules will incorporate some of the NIST advice, at the moment you have to take what's in the governance and what's being audited so that you can continue to meet your commitments.

Okay, now I've covered that, let's get onto the episode proper.

So we all understand what passwords are, there are means of proving our identity. It's an easy way to do it and one that we've used for years. There's a lot of convenience around it because we know how it works.

But there are other ways of proving our identity.

Broadly speaking, there are three ways to identify ourselves.

What we KNOW, what we HAVE and what we ARE.

So in the KNOW category, what we KNOW is our password. Maybe we KNOW a pin number. Maybe we KNOW the answer to a security question.

What we HAVE are things like we HAVE a mobile phone, maybe we HAVE a key fob.

What we ARE are things like fingerprints, voice prints, face recognition.

And he was obviously seen a growing use of things like fingerprint readers and face recognition in mobile phones over the years.

But having only one form of identification is poor for security. As we talked about in the last episode, losing your password, you lose that and you lose your identity. And the same would be true if you lost one of those of assets, say, for example, your security and your identity was based on what you HAVE, maybe your mobile phone, if you lose that mobile phone, you've lost your identity.

And even things like fingerprints and face recognition, all of these are subject to ability for other people to fake those and pretend to be you.

Thus, having one single method of being able to prove your identity can be insecure.

To combat this, the best approach is to use more than one factor of authentication, so maybe have something that I KNOW and something that I HAVE to prove who I am. This is called multi-factor authentication, or MFA, may also be referred to as two factor authentication 2FA.

Two factor obviously means we're talking about two possible things. So one of the things I might KNOW and one thing that I might HAVE. Whereas multifactor doesn't just limit it to just two at a time, it could be three, four, potentially more factors, depending on how critical that system is and how much you want to protect it.

And you've probably seen this in use. Banks, for example, are starting to use a lot of multi-factor authentication. My business bank that I use now involves me typing in not just a password, but also using an app on my phone to confirm my identity. I'm having to pass a check on what I KNOW, in terms of my password, as well as what I HAVE, in terms of my mobile phone. Thus, if one of those items is lost to me, my password is stolen or my phone is lost, it cannot be used to gain access to my bank account. I need both to be able to prove my identity.

Another example, the HMRC for UK tax, to access their website I need both a password and I need them to send me an SMS text code.

Again, they're sending that to my mobile phone number, so again something I HAVE. Something I KNOW in terms of my password, something I HAVE in terms of the ability to receive that text message.

If we go back to episode 103 were we where talking about my car in a car park, multifactor authentication would be locking the doors AND setting an alarm. The more obstacle means more deterrence, more likely to put people off.

Security is often discussed as an onion, multilayered, the more layers we have, the more protected we should be.

Let's take an aside for a moment.

It's conventional wisdom that convenience is the enemy of security. If we want things to be convenient, we struggle to impose security. But the reverse is also true. Security is the enemy of convenience. By having multiple factors for authentication, I'm probably making it less convenient for me as a user to access those systems. I have to do multiple things to access those systems. Yes, those activities are making less convenient for me, but they are also increasing my security by making more inconvenient for the attacker.

Take that back to my car in the car park example, convenience for me would be to leave the car keys in the car and the car unlocked. I don't have to go and find my car keys. I don't have to lock it. But in the same sense, I have no security. Anybody can walk up to that car and take it.

It's now commonplace that multifactor authentication implementation is recommendation. It should really be provided by almost every website, every application you use.

Again, I'd like to take another aside at this point.

There's a certain belief there's a danger of using text SMS authentication. I talked earlier about when I use the HMRC tax site, it will text me a code that I need to use to enter in to access it. So I'll go to the website, put my username in. I'll put my password in. They will text me a code to enter as part of that log on process. That's that second means of authentication.

Now, there's a growing concern about SIM hijacking. If somebody is able to hijack my telephone number by hijacking my SIM card, they could receive those codes back to them. As such, they've got a better opportunity to be able to impersonate me when accessing things like the HMRC tax site.

My concern on this is that people overemphasise the danger of this.

Yes, SIM hijacking can happen.

Yes, it's more than possible to be able to convince a mobile phone provider, talking to their customer services for example, that I'm you and I've lost my phone, please set me up with another one.

There are plenty of examples in the press of this happening in high profile examples.

However, it's quite a lot of effort to go to and only likely to be used if it's being done in a targeted attack.

So as a means of being able to provide quick, easy second factor authentication to most people, I actually think texts and SMS is actually a good route. Most people aren't going to have their SIMs hijacked because of the effort involved to do it. Most people aren't interested in going after them. So certainly for me, while there are concerns over text and SMS and depending on how critical system is you're trying to protect, then you may want to reconsider it, but it's certainly better than having nothing.

It's certainly better than relying on a single authentication such as your password.

And it also comes with advantage that it's easy to use. So isn't difficult for people to start using it without training.

However, better still will be to use something like an authenticator app.

I use Microsoft Authenticator to access many of my Microsoft accounts, whether that be Office 365 or Microsoft Azure. So when I go to their website, I'll use my username. I provide my password. the authenticator app, on my app on my phone, will then prompted me to say "Is this you? Do you want to log in?". I can then approve or deny it. Thus, I have to KNOW my password and I have to HAVE my phone with the authenticator app on.

Authenticator apps are a little bit more complex. They might need a little bit more training, then text messages. Plus, of course, you have to install them on your phone and have them available. But provide a better level of security because they're not open to that same hijacking.

There are a number of authenticator apps out there. The Microsoft one is very much tailored to Microsoft software and certainly what I use it for. There's also one by Google and there's a variety of providers.

However, I like to recommend Authy. Authy is a authenticator app that will work with most systems and websites that provide authenticator access. Plus, you have the ability to back it up. You create an account with Authy and it will back up your set up to their cloud. So should you lose your phone, you can then reinstall the app and you've got the ability to use on your new phone, whereas things like Google Authenticator, that's not possible. Something to keep an eye on.

But again, this is why I talk about it being more complex than a simple text or SMS. It does require a bit more training and a bit more understanding.

From an implementation point of view, if you're running a website or some form of system that needs somebody to log, into implementing this stuff can be quite hard. Authentication is complex. If I'm honest, you are much better not to create your own.

You're much better to use a service. And there's a lot of services out there, such as Auth0, Okta, Azure B2C - there are many, many systems out there that can be used to create that level of authentication.

Most of them will have an ability to provide multiple factor authentication and allow an individual, your customer, to select which methods work best for them. Maybe they like a password, but they also want to have a text message, or maybe they want a password, but they'd much prefer to use authenticator application. Or maybe they use what's built into the phone in terms of things like fingerprint, voice print, face recognition.

These providers will come at a cost. There is a cost to you as an operator to use them. But as I say, authentication can be complex and it is changing and evolving over time.

And they will often come with additional features, such as maybe thinking about the location, the time of day, the behaviour of the client trying to access the systems.

So location, for example, maybe it's a B2B company that you're dealing with may be if they're in a physically secured office, you can have more confidence over them.

Maybe it's the time of day, are they outside of normal working hours? Is this a system you don't expect them to be using during those work hours?

Behaviour - does what is being done or being asked for this login deviate from their normal activity?

These factors can be used to increase or decrease to factors that can be used to then authenticate. So based on those factors, you may choose to have more than two levels of authentication or if you're confident in the location and the time of day and the behaviour, you may only ask for one form of authentication because effectively you've got that extra authentication - that extra levels, those extra factors - by knowing that it's a valid location, a valid time of time of day and a valid behaviour.

It gives you a lot more flexibility. A lot more ability to produce convenience where possible.

In this episode, I wanted to talk about beyond passwords.

Passwords have traditionally been the ubiquitous method of providing our identity. This is changing. We are seeing greater use of biometrics - what we ARE rather than what we KNOW.

But even then, for better security, we should be moving to multiple authentication using a combination of what we KNOW, what we HAVE, and what we ARE - all the time remembering that convenience is the enemy of security.

As a consumer, educate yourself and your staff on how to enable and use multifactor authentication.

As a provider, use a professional service rather than rolling your own. It's a complex topic to get right. And it's one that continues to involve. Educate your customers and your staff and provide help on the journey forwards.

Thank you for taking the time to listen to this podcast. I look forward to speaking to you again next week.