In a recent column here, I wrote about the insecurity of many of the passwords that we commonly use. Most users still use easy-to-guess passwords, with about one in seventeen still using “password”, and about the same number of users having “123456” as their password. According to a recent report released by the password manager “LastPass”, only about one percent of users have passwords that are properly complex and relatively secure. Usernames and passwords are often targeted by hackers when they break into the servers used by online financial service organizations, retailers, auction websites, online payment services, and other financially attractive targets. What is especially striking about personal password vulnerability is that the majority of online users use the same password on multiple websites; this can create a cascading type of identity theft whereby a hacker in possession of a single username and password can access multiple online services, wreaking financial havoc on the victim.
Also referenced in my earlier column was the free service already implemented by thousands of shopping, financial service, email, and other sensitive websites, known as “Two Factor Authentication”, or “2FA” (turnon2fa.com), which instantly sends a unique digital code as a text message to a cell phone registered on the respective website. This code, which typically expires within a few minutes of being sent, is required in order to access the participating website. This was exemplified a few days ago when I accessed the website of a financial services company to view my quarterly statement; almost instantly after entering my username, my cell phone alerted me to the arrival of a new text message. This text message was from the financial services company, and contained a unique six-digit number that I had to enter on the website in order to access my account; the text message also informed me that the access code would expire in ten minutes. Without that access code, I could not access my account, even with the password that I had previously used on that website. A comprehensive listing of thousands of websites and services using this two-factor authentication, as well as instructions for implementing the protection on each of those websites, is online at turnon2fa.com/tutorials.
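To show what the website has to do on its side for the text-message code just described (a six-digit code that expires in ten minutes and must be entered after the password), here is an added example of a server-side code store; it is constructed for this column, is not the code of any of the services mentioned, and the five-guess limit and the `SecondFactorCodes` name are assumptions.

```python
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_TTL_SECONDS = 600      # the column's example: the code expires in ten minutes
MAX_ATTEMPTS = 5            # assumption: burn the code after a handful of wrong guesses


class SecondFactorCodes:
    """Server-side store of one-time codes sent by text message (constructed model)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}    # username -> [code, expires_at, attempts]

    def issue(self, username):
        # Unpredictable six-digit code (secrets, not random); re-issuing replaces any old code.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[username] = [code, self._clock() + CODE_TTL_SECONDS, 0]
        return code   # handed to the SMS gateway; never written to logs

    def verify(self, username, submitted):
        # Called only after the username/password step has already succeeded.
        entry = self._pending.get(username)
        if entry is None:
            return False                        # nothing pending: never issued or already used
        code, expires_at, attempts = entry
        if self._clock() > expires_at:
            del self._pending[username]         # expired: the user must request a new code
            return False
        entry[2] = attempts + 1
        if entry[2] > MAX_ATTEMPTS:
            del self._pending[username]         # too many guesses: burn the code
            return False
        ok = hmac.compare_digest(code, submitted)   # constant-time comparison
        if ok:
            del self._pending[username]         # single use: replaying the same code fails
        return ok
```

The guess limit matters because a six-digit code has only a million possible values, so an unlimited number of tries inside the ten-minute window would make the second factor worthless.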
Since passwords are one of the most valuable items to purloin in a massive cyber theft, which may in turn lead to massive identity theft, and most of us are still using insecure passwords, it has become evident to most security professionals that the password is one of the most vulnerable “weak links” in cyber security. Because of this susceptibility, security experts have been developing secure methods that do away with the need for users to have passwords in order to access their online accounts.
Some computers and smart devices have a fingerprint reader, retinal scanner, or facial recognition to control access to those particular devices, and it would be a natural “next step” to use this already existing biometric technology to access online services. By purely anecdotal experience, my laptop, which has a fingerprint reader, and my wife’s laptop, with facial recognition software, have both repeatedly proven to be slow and unreliable in allowing access to those particular devices. On my laptop, it typically takes several reads of my fingerprint in order to boot up the computer, with the fingerprint reader often failing to recognize me at all, requiring an alternative, less secure, username and password to boot the computer. The facial recognition security on my wife’s newer laptop, which uses the integral webcam to scan the human face, has been very unreliable, requiring her username and password in order to boot the computer. Obviously the biometric hardware and software for our future computers, smart phones, and tablets will inevitably be improved to the point where it is far more accurate and reliable, but at present, with a few inevitable exceptions, biometric verification is not quite ready for routine home users at a reasonable price. Once it is improved to the point that it becomes more reliable and more widely adopted, biometrics could be a viable alternative to usernames and passwords when accessing sensitive websites and related services.
Recently, the well-known Yahoo! announced that it is releasing a new email app that gives the user the option of doing away with the obsolescent and insecure username and password by instead using a new “Yahoo Account Key”. According to Dylan Casey, Yahoo’s Vice President of Product Management, in a blog posting “Yahoo Account Key – Signing in Has Never Been Easier” dated October 15, 2015, “Today, we’re excited to take user convenience a step further by introducing Yahoo Account Key, which uses push notifications to provide a quick and simple way for you to access a Yahoo account using your mobile device. Passwords are usually simple to hack and easy to forget. Account Key streamlines the sign-in process with a secure, elegant and easy-to-use interface that makes access as easy as tapping a button. It’s also more secure than a traditional password because once you activate Account Key – even if someone gets access to your account info – they can’t sign in. Account Key is now available globally for the new Yahoo Mail app and will be rolling out to other Yahoo apps this year. We’re thrilled about this next step towards a password-free future!” Somewhat similar to the “Two Factor Authentication” mentioned earlier, the user enters his username at a traditional-looking Yahoo! sign-in page, but instead of entering a password, clicks on a button which initiates the sending of a unique digital key or link to a registered smart device via text message. A simple click will then open the app. Details on how to implement this more secure method of accessing email are available online at turnon2fa.com/tutorials/how-to-turn-on-2fa-for-yahoo. What is especially intriguing is the cryptic statement made by Dylan Casey where he stated “… and will be rolling out to other Yahoo apps this year.” Apparently Yahoo email is but the first in the family to use this security method, and it will soon also be available on other Yahoo apps.
With this logon security enhancement, Yahoo email joins an ever-expanding club of email services utilizing “Two Factor Authentication”, with similar security enhancements already available for Google’s Gmail, Hushmail, Microsoft’s Outlook, and several other popular email services.
While Two Factor Authentication technology is rapidly becoming the de facto industry standard for doing away with the vulnerable password-based security system, it is not the only exciting new password replacement technology being developed. Another password-free method of securely connecting to web services has been developed by Steve Gibson, of Gibson Research, a well-known software utility publisher who has published the popular Spinrite hard disk utility and the immensely popular Shields Up online service, which can test the security and vulnerability of any computer. His creation is called “Secure Quick Reliable Login”, better known as “SQRL.” Gibson describes his system as, “A highly secure, comprehensive, easy-to-use replacement for usernames, passwords, reminders, one-time-code authenticators . . . and everything else. With SQRL (Secure Quick Reliable Login) you either tap, snap, or click a login page’s QR code and YOU are securely logged in. The SQRL system (pronounced “squirrel”) revolutionizes web site login and authentication. It eliminates many problems inherent in traditional login techniques.” The simplicity of SQRL is based on a QR code icon (a small square box, composed of smaller squares and a complex image of black dots and lines) placed on a login page, often directly adjacent to the space for a more traditional username and password. Rather than entering a vulnerable username and password, the user has the option of scanning the QR code with the camera in his smart device, tapping on the QR image with a finger or stylus, or clicking on the QR image with a mouse. This initiates a rapid sequence of totally automated events which displays the domain name contained in the SQRL code, allowing the user to visually verify that the domain name is the one he intended, which defeats the “phishing” method of identity theft.
The user then permits the SQRL system to instantly authenticate his identity, followed by a click or a tap on the included login button, which opens the connected website. There is no need for the user to manually enter a username or vulnerable password with the SQRL system. What the user does not see is what happens behind the scenes, where a complex series of cryptographic operations rapidly takes place, verifying both the user’s identity and the authenticity of the website; this entire process occurs in just a few seconds, often unnoticed by the user. Steve Gibson has made his SQRL technology “open & free” and released it to the public domain so that it may be freely used by the greatest number of web services. While freely available, and possibly one of the most secure methods of replacing the traditional username and password combination, SQRL has not yet been adopted by a significantly large number of web services, but an active and vocal group of geeks has been heavily promoting the technology.
With biometrics, 2FA, SQRL, and other secure logon technologies coming into wider use, the vulnerable and insecure password may soon become a vestige of the past.