This is a great post from Mashable on password alternatives and social proofing of your identity through social media.
It’s midnight and you’re soothing your insomnia by purchasing a pair of shoes on a daily deals website. You click through to the checkout page only to find you can’t connect your PayPal account; you’ll have to input your credit card data manually and create a new username and password for this little-known site you’re not sure you’ll ever use again. So you roll your eyes and type in the same password you’ve used for PayPal, Amazon and a host of other shopping sites.
There’s a term for that feeling: password fatigue.
In a hackable world, password fatigue can have dire consequences. The difficulty of remembering dozens of unique and complex passwords leads us to make short, overly simple ones instead, or to reuse one password across a number of different websites. This can be devastating if just one of these sites is hacked.
Forbes and Kickstarter are the latest high-profile websites to experience password breaches. Cyber security experts find it unsettling that, despite the sharp increase in hacking incidents, many websites have not added safeguards, such as multi-factor authentication, to their login procedures.
Such behavior flies in the face of mounting evidence that passwords alone — even really good ones — cannot sufficiently protect us anymore.
The good news is that two-factor authentication can safeguard the majority of hacking targets, and soon, the precious personal data you’ve been sharing with your social network could help you ward off hackers, too.
“We’ve all been through the process of verifying ourselves to a bank on the phone or on the web, where you give your mom’s mother’s maiden name or the place you were born,” says Stephen Ufford, founder and CEO of Vancouver-based identity-verification platform Trulioo. “That information is from public records and it’s become a lot more easy to obtain these days because of the Internet.”
The solution to these “secret questions” could be to leverage social data, gleaned not only from Facebook and Twitter but from other mobile apps, that would be less readily accessible to hackers.
Facebook is already employing a form of this social verification: When you log in to the platform from an unknown computer, the site will ask you to identify the names and faces of several of your friends. That kind of data is much more secure than your mother’s maiden name; it would be difficult for a hacker half a world away to determine this information in the space of a few minutes.
Cyber security experts tend to agree that in the future, password security will rely on adding even more authentication factors to the mix. The methods by which multi-factor authentication will evolve, however, are disputed. Some see biometrics as a potentially secure method of password authentication (How could someone copy your heartbeat, after all?), while others advise extreme caution in moving forward with biometry.
“Your fingerprint says a lot more about you as an individual than your GPS location,” says Geoff Saunders, CEO of digital security startup LaunchKey. “Biometry is uniquely personal data that cannot be changed. What happens when that fingerprint gets released out into the public?”
Experts propose offering a host of authentication factors, from the current standard of unique codes sent via SMS to fingerprint- or voice-identification software. From there, users can pick and choose the measures that suit them best. This would also safeguard the user in case one authentication factor is breached.
“Every user will have a choice of maybe five or six options, and they can pick the one that’s comfortable or appropriate for that type of communication,” predicts Neal O’Farrell, executive director of The Identity Theft Council, a California-based group that works with local law enforcement to provide counseling to identity theft victims. “So for example, if you’re on a cellphone with poor reception, voice authentication might not work. A fingerprint might work there. Social verification might work there. That’s the only way we’re going to overcome consumer resistance to particular types of authentication.”
Social networks and the data contained within smartphones and mobile apps can also help with traditional identity vetting procedures, for instance when applying for a loan or for a passport online.
“A lot of the traditional means of establishing identity don’t work for every segment of the population,” says Jeremy Grant of the National Strategy for Trusted Identities in Cyberspace (NSTIC). “Picture your classic 18-year-old, who might need to be identity-proofed but doesn’t have a credit card, doesn’t have a cellphone in their own name — not a lot out there in terms of history to score. But they might have a Twitter or Facebook account with several hundred friends.”
Grant cautions that social networks cannot be the ultimate authority in identity vetting or bolstering password security, but that they can act as one factor in a layered identity-proofing process. “There are new data points about people online that may be helpful in establishing the person is not just a made-up identity, and that they’re actually the person they claim to be,” he says.
In 2004, AOL Inc. became the first major online business in the U.S. to embrace a second layer of password authentication, giving subscribers a matchbook-size device with a six-digit code that was required to access their accounts.
The future of social network verification sharply diverges into two separate paths: that of total anonymity or of total immersion in your data.
On the anonymity front, LaunchKey offers passwordless, multi-factor authentication software that doesn’t gather or store any of your personal data. Its authentication factors include a PIN or “combination” lock, as well as the ability to pair devices together — for example, making it impossible to log in to your work computer without also having your mobile phone nearby — and geo-fencing, which entails setting a geographical radius for logins. None of these relies on personal data beyond an individual’s location.
“We firmly believe that you can authenticate an individual without knowing anything personal about them,” says Saunders.
LaunchKey is also experimenting with “social vouching” as a form of authentication, particularly in business settings. Essentially, this means having other people in your immediate surroundings confirm your identity when you attempt to access a device.
“There might not be anything stronger as a factor of authentication than someone vouching for someone else,” Saunders says. “Vouching can be done not just directly — meaning you ask me to vouch for you, and I do that — but can also be done passively. We can track where different devices are and have those devices communicate with each other to ensure that they maintain a proximity.”
The same sort of thing could theoretically be done with friends on social networks — an entirely unexplored territory, according to Grant and Saunders — although it may require too much of a sacrifice in terms of time and convenience.
Unlike LaunchKey, however, most enterprises are not in the business of preserving your anonymity. The data that your social networks and mobile apps are already gathering (tons and tons of it) can also be leveraged as an authentication system. The type of facial recognition technology that Facebook employs could potentially be used for interactions outside of a social network.
The benefit of leveraging social network data as a security measure, according to Ufford, is that security questions no longer have static, unchanging answers like your mother’s maiden name — and therefore are more difficult for a hacker to learn. “If you go to the gym all the time and you have five apps on your phone tracking your locations, it’s very conceivable that one of these questions would be, ‘Where do we normally find you at 7 a.m. on Tuesdays?’” Ufford says. “That’s really hard for someone in Nigeria to know.”
The advantage lies in the dynamism of that information, Ufford explains. “If you move to New York from San Francisco, you might end up going to a new place, and that data can be changed.”
Despite living in a post-Edward Snowden world, many social network users continue to upload highly personal tidbits readily accessible not just to Facebook but, potentially, to government organizations. It’s a small concession, then, that all this data could potentially be used to protect you as well as incriminate you.
“One of the side effects [of social verification] should be that it’s going to reveal just how much companies like Facebook and Google gather about you and your circle, but most consumers won’t pay it a second thought,” says O’Farrell. “You’re willing to trade a little bit of privacy for a little more security. People will still make that trade-off.”
Read the full article at Mashable: