All Hail The Death Of Usernames And Passwords
Brian Spector, CEO of cloud security vendor CertiVox, says the traditional user login is gasping its last breath
You can tell that this title wasn’t written by my PR people. Apparently, the association with notions of death represents a “reputational risk.” Well, thanks guys, but I’m sticking to my guns on this one, because the Internet is about to witness a demise so decisive that death is the only appropriate word for it.
I’m not talking some Lehman-style corporate collapse here, I’m talking about the end of the way we have interacted with transactional websites (and, indeed, the way cybercriminals have exploited them) for two decades or more. Ladies and gentlemen, I give you…. the username and the password. RIP guys.
At this point, you’re trying to work out if I’m misguided, a visionary, or just plain nuts. Usernames and passwords are such a fundamental part of our daily behaviour that nobody can seriously imagine them not being there. They are just too big to fail. Yeah, and so were the banks.
How logins ‘incite cybercrime’
In fact, username and password have failed already – and very publicly and embarrassingly. Just a few weeks ago, Yahoo, Nvidia, Billabong and others (and, a few weeks prior to that, LinkedIn) all admitted sheepishly to having usernames and passwords swiped from their sites by hackers, compromising thousands and thousands of user accounts.
I wrote about this in my blog at the time (http://privatesky.me/blog/). Websites the world over store their users’ username and password data in a file on the site itself. This means that these sites are a natural target for hackers, because all the really juicy stuff is in one place. Let’s be clear about this: the username/password model is positively inciting cybercrime. And it is up to us, the good burghers of internetland, to make it pay for its misdemeanours with its life.
But what’s the alternative? After all, the user has to identify themselves in some way or other. I’ve wasted too much time glaring into uncooperative machines at airports to trust biometrics, and electro-magneto-spiritual life-essence detection would be cool but I haven’t invented it yet. So I’m going to resort to old-school cryptospeak and nail my colours to the two-factor authentication mast.
Here’s how it works. Two-factor authentication means that you have to have something (a physical thing) and know something (a secret) at the same time, in order to be able to authenticate yourself. Real-world example: cash machine. You have something (the card) and you know something secret (the PIN). The card is useless without the PIN. The PIN is useless without the card, and the card doesn’t store the PIN in any way. It’s about as secure as it gets.
Online, it all hinges on how we use the user’s identity. What Yahoo and all the other guys who got hacked were doing was using a fixed correlation between username and password to establish identity. Because it was fixed, it had to be mapped somewhere. The system had to have a documented list, in which usernames went with which passwords, so that the login script could look them up. This is the positively Tolkienesque single point of failure that cybercriminals love. “One ring to rule them all,” and whatnot.
But what if the user’s authentication were powered by something more substantial than a childish game of snap with usernames and passwords? What if the user’s email address was converted into ASCII (American Standard Code for Information Interchange – a character encoding technique) and then hashed to produce an identity-based secret in the form of a numerical string?
Sounds great. But you’ve got to have a minimum of two authentication factors, right? OK, so let’s take a leaf (for once) out of the banks’ book, and use a PIN. Only the user knows the PIN, which effectively turns the user’s cryptographic secret into a “token.” The token is the thing that the user has, even if they don’t actually see it. Token plus PIN equals identity-based secret, which is used as a fixed generator in an authentication protocol – but neither can be reverse-engineered to reveal the other, because the relationship between them does not work in both directions.
Now this is where things can start to get very mathematically heavy, so I’m going to focus on outcomes rather than integers. What this means is that websites have no further need whatsoever to store user login information on the site. The traditional, mapped 1-to-1 relationship between username and password is obsolete. It’s not a login, it’s an ex-login. It’s only there because Yahoo and others nailed it there (in a big old file.) It has shuffled off this mortal web. Mortus est.
Bringer of death, me? You betcha.
Are you a security guru? Try our quiz!