You're Mitigating The Security Vulnerabilities In Authentication - But Ignoring The Usability Vulnerabilities
Posted by Eve Maler on March 24, 2014
Security and risk professionals know what to do with security vulnerabilities: we mitigate the risk directly as best we can, and put in place compensating controls when we can't change the underlying dynamic. But in the age of the customer, upping our game in authentication strategies has forced us to take a harder look at an area that, generally speaking, is not our specialty at all.
Last summer, Forrester published a Customer Authentication Assessment Framework that leveraged some exciting academic research called “The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes” out of the University of Cambridge Computer Laboratory. (Gunnar Peterson has a recent post highlighting the arc and nature of these researchers' work, and even has a nice back-and-forth in the comments with contributor Cormac Herley of Microsoft Research.)
What I like about their work is that it walks right up to the "usability versus security" tradeoff -- and keeps going. They developed a 25-point system for understanding the various usability, deployability, and security (UDS) benefits of passwords and other authentication mechanisms, allowing a finer-grained look at what the potential problems are with each choice. Forrester's framework tweaks the criteria, resulting in a total of 26, and provides a way to weight each unique customer authentication scenario's requirements to give a nuanced view of which authentication methods have "soft spots" that deployers must take into account.
More recently, we completed an extensive authentication market overview report (and webinar), looking past the incumbent web password system to really dig into strong auth options for employees and customers alike, across web, mobile, and voice channels. Part 1 examines the seven trends and three generations we're seeing now. Part 2 assesses the inherent "UDS nature" of 40 -- count 'em -- solutions, which got tricky because to really understand how a solution looks, you need to pick a particular server-side and client-side "footprint." This research gives us tools to understand how different solutions fare across the generations (such as hard tokens versus one-time passwords sent by SMS) and types (various mixtures of mobile-fueled, biometric, risk-based, SaaS-backed, knowledge-based, and more). What's cool about the data underlying Part 2 is that you can combine it with the customer authentication model, generating what-if scenarios and heat maps for different customer populations, requirements, and solutions.
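As an added illustration of the weighting idea (not Forrester's model, data, or code, and not the Cambridge paper's published ratings), the sketch below rates a few solutions against a handful of UDS criteria, applies a scenario's weights, and reports per-category heat-map rows plus the "soft spots" a deployer must compensate for. The criterion names are a subset of those in the Cambridge framework; the ratings, the scenario weights, and the three solutions are constructed assumptions.

```python
# Criteria are a subset of the Cambridge UDS benefits; ratings and weights below are
# constructed for illustration, not Forrester's or the paper's published data.
CRITERIA = {  # criterion -> Usability / Deployability / Security group
    "memorywise_effortless": "U",
    "nothing_to_carry": "U",
    "easy_recovery_from_loss": "U",
    "negligible_cost_per_user": "D",
    "browser_compatible": "D",
    "resilient_to_physical_observation": "S",
    "resilient_to_phishing": "S",
    "resilient_to_theft": "S",
}
FULL, QUASI, NONE = 1.0, 0.5, 0.0  # benefit offered fully, partially, or not at all

# Constructed ratings, in CRITERIA order, for three solutions across the generations.
SOLUTIONS = {name: dict(zip(CRITERIA, vals)) for name, vals in {
    "web password":   [NONE, FULL, FULL, FULL, FULL, NONE, NONE, FULL],
    "sms otp":        [FULL, QUASI, QUASI, QUASI, FULL, QUASI, NONE, QUASI],
    "hardware token": [FULL, NONE, NONE, NONE, QUASI, FULL, NONE, QUASI],
}.items()}

def category_scores(ratings, weights):
    """Weighted share of benefits obtained per U/D/S group, each normalised to 0..1.
    Unlisted criteria weigh 1.0; a scenario raises the weight of what matters to it."""
    scores = {}
    for group in "UDS":
        names = [c for c, g in CRITERIA.items() if g == group]
        total = sum(weights.get(c, 1.0) for c in names)
        earned = sum(weights.get(c, 1.0) * ratings[c] for c in names)
        scores[group] = round(earned / total, 2)
    return scores

def soft_spots(ratings, weights, min_weight=2.0):
    """Heavily weighted criteria the solution does not fully provide: where the
    deployer needs a mitigating or compensating control."""
    return sorted(c for c in CRITERIA
                  if weights.get(c, 1.0) >= min_weight and ratings[c] < FULL)

def heat_map(weights):
    """Per-solution U/D/S scores for one scenario: the rows of a what-if heat map."""
    return {name: category_scores(r, weights) for name, r in SOLUTIONS.items()}

if __name__ == "__main__":
    # Hypothetical consumer scenario: phishing resistance first, then browser-only
    # access and not having to carry anything.
    scenario = {"resilient_to_phishing": 3.0, "nothing_to_carry": 2.0,
                "browser_compatible": 2.0}
    for name, scores in heat_map(scenario).items():
        print(f"{name:15} {scores}  soft spots: {soft_spots(SOLUTIONS[name], scenario)}")
```

Changing the weights dictionary is the what-if: the same ratings yield a different heat map and a different set of soft spots for each customer population.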
What does it all mean for those security pros who know passwords alone aren't going to solve their authentication problems?
- Third-generation solutions give new options that can improve usability and even deployability while "taking care of business" on security. Many of the newer methods are mobile-fueled, meaning they leverage a population's existing usage of mobile devices. Some clever new ones are entirely web browser-friendly without a requirement for special devices. Some don't involve any routine use of static shared secrets (known as "passwords" and "PINs" to the customers we may be trying to win, serve, and retain). Quite a few add a heaping helping of risk- or behavior-based "fairy dust" in a way that strengthens their UDS profiles across the board.
- Biometrics are becoming a lot more interesting but aren't a panacea. Traditional biometrics mostly have niche use cases, but emerging biometric solutions have a bright future. Forrester expects several new software-based, mobile-fueled biometrics to become available in the next 12 to 18 months. Be careful, though, and avoid biometric-based solutions as a sole authentication factor; many have subtle security and privacy challenges and some have usability challenges, impacting their UDS profiles.
- It's well past time for security pros to get a better handle on the usability impacts of the user onboarding, login, and account recovery flows we put in place. I've written in the past about applying "responsive design" to authentication as well as to web app design. We now have tools to analyze the usability impacts of authentication methods, both in A/B testing fashion and over time as new solutions become available; let's use them. Working with eBusiness and customer experience pros for consumer use cases (and working with architects and developers for employee use cases), we need to start treating usability issues as user experience "vulnerabilities" -- and be prepared to put in place controls that mitigate and compensate for them.
What's your take? What solutions have you been considering? And what do you think are the upsides and downsides of our brave new authentication world? Let me know in the comments or on Twitter.