By Peter Gunning, Business Development, Identity Services, BT
In an industry which loves its eponymous laws (e.g. Moore’s, Wirth’s) and principles (e.g. Kerckhoffs’s and…er…Dilbert’s) someone surely ought to propose a new equation inversely proportionally linking the increased use of online services to the security of one’s identity data.
These days we expect that we can do practically anything online, and we sign up to new services at the drop of a hat, even if we have no intention of using them long-term. A glance at the ‘Splash Id’ app on my own Palm Pilot shows that between internet banking, credit-card servicing, share-dealing, auto clubs, book clubs, government services, online retailers, pharmacies (no sniggering!), social media and networking, online gaming, airlines, payment processors, video clubs, florists (aww!), blogs, auction sites, online storage, and sundry other services, there have been at least 70 occasions in the recent past where I’ve registered a user id and password for some online service or other.
A couple of questions arise. Firstly, I know, some of you will be asking “What’s a Luddite with a Palm Pilot doing writing a technology blog?”, but, hey, at least I’m not just writing the passwords down on a Post-it. But more importantly, what’s the chance of my having chosen a different password for each of those services? And what’s the chance the passwords I’ve chosen are all strong enough to resist a rainbow table attack for more than five seconds if they get into the wild? Well, I can tell you the answer to the last two right now: a big fat zero.
I know this courtesy of LinkedIn. Shortly after their recent ‘breach’ some of my email contacts were on the receiving end of missives purporting to be from me, containing only links to who knows where or what. A couple of savvy (and non-tech) friends realised what had happened and alerted me to it before it went too far. But it showed just how easily a security compromise like this can happen: bad guys get a table of user ids and passwords; bad guys have all the time in the world to attack the password hashes; bad guys see that the user id is an email address; bad guys know a certain proportion of those email accounts will have same passwords; bad guys deploy their botnets to do their nefarious business. And there you have it — all so simple.
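The attack chain just described hinges on two things: the leaked hashes were fast and unsalted, so one precomputed table cracks every user at once, and identical hashes expose exactly who reused a password. The following added example (not from the original post, using a constructed user list and a tiny constructed wordlist standing in for a rainbow table) contrasts that weak scheme with per-user salts plus a slow key derivation, which is the mitigation a service provider controls:

```python
import hashlib
import os

# Constructed sample data: three users, two of whom reuse the same weak password.
USERS = {"alice": "password1", "bob": "password1", "carol": "Tr0ub4dor&3"}

# Constructed mini wordlist standing in for a precomputed (rainbow) table.
WORDLIST = ["123456", "password", "password1", "letmein", "qwerty"]


def unsalted_sha1(password):
    """Weak scheme: one fast, unsalted hash per password."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_pbkdf2(password, salt, iterations=100_000):
    """Hardened scheme: per-user random salt plus an iterated, slow KDF."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def leak_unsalted():
    """What a breach of the weak scheme hands out: user -> bare hash."""
    return {u: unsalted_sha1(p) for u, p in USERS.items()}


def leak_salted():
    """Breach of the hardened scheme: user -> (salt hex, hash). The salt is
    stored in the clear; its job is only to defeat precomputed tables."""
    out = {}
    for u, p in USERS.items():
        salt = os.urandom(16)
        out[u] = (salt.hex(), salted_pbkdf2(p, salt))
    return out


def crack_with_table(hashes):
    """Look leaked hashes up in a table built once from the wordlist.
    Against unsalted hashes the same table serves every user."""
    table = {unsalted_sha1(w): w for w in WORDLIST}
    return {user: table[h] for user, h in hashes.items() if h in table}


def reuse_visible(hashes):
    """True if two users share an identical stored hash, i.e. the dump itself
    reveals password reuse without any cracking at all."""
    vals = list(hashes.values())
    return len(vals) != len(set(vals))
```

With salts, the precomputed table is useless and the dump no longer shows which users share a password; the attacker must redo the slow derivation per user, per guess.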
My fault — at least in part — of course. But here’s another question: what are the chances of me, you, or anyone you know, sitting down to review, change and securely record that many passwords on a regular basis? I’ll leave you to think that one over.
There’s got to be a better way. Recently BT explored the concept of ‘Community Authentication’ in a survey of over a thousand employees. Just to be clear, by Community Authentication I mean a scheme where the customer has the option of choosing a single, strong authentication measure issued by one of his service providers — almost certainly one of his banks — and using that to authenticate himself when transacting with any other service providers participating in the scheme, including those for whom it would not ordinarily be cost effective to issue such a measure. Like all those online retailers, pharmacies, florists, gaming sites, PPs, etc., etc…
The theory is that using strong authentication from a single, ubiquitous token (so the customer doesn’t have to lug a bunch of them around as he does currently) renders the loss or compromise of the usual static password much less of an issue and, clearly, without the token, a would-be fraudster is left high and dry trying to access someone else’s account.
Our survey respondents made it clear that although people were greatly concerned by security and generally appreciated the strong authentication measures the financial service providers are rolling out, they hated the fact that they are accumulating tokens and other password-generating techniques.
Overall we had 92 per cent of respondents ‘very’ or ‘quite’ interested in being able to use strong authentication when transacting with non-financial service providers. Only three per cent agreed that they “didn’t want to bother with extra authentication when transacting online”. When asked how attractive they found the prospect of being able to use a single strong authentication method to access multiple services (both financial and non-financial), 92 per cent said they were ‘very’ (72 per cent) or ‘quite’ interested, with five per cent claiming they would still prefer a separate measure for each service.
The survey suggested that increasing the availability of strong authentication made the traditional static password less important and floated the possibility that it would allow customers to use the same static password across multiple sites without damaging security. Nearly 47 per cent liked this idea of having fewer passwords to remember, with 16 per cent preferring to maintain separate passwords, even with the additional layer of strong authentication.
When asked how much more or less likely they would be to transact with an online service that used strong authentication, just over one per cent said the extra security measure would put them off and around 17 per cent were ambivalent. The majority, 82 per cent, agreed that they would be attracted to such a site.
Finally, BT asked the survey respondents who they would most ‘trust’ to set up and operate a scheme. The list of suggestions comprised the UK Government, BT, the UK Post Office, the customer’s own banks, UK supermarkets, a well-known online payment services provider, some big-name anti-virus software providers, a specialist authentication services and certificates provider, Amazon, Facebook, Google and Apple. Across all age ranges ‘your bank’ and BT were either first or second with roughly 10 per cent making either of those companies their first choice. The anti-virus providers, authentication specialist and payment services provider were third, fourth, and fifth, with the Post Office sixth and Amazon edging out the UK government (seventh and eighth). Apple was ninth, the supermarket tenth, with Google and Facebook bringing up the rear. (Facebook was last in every age group with between four and six per cent putting the social networking site down as first choice.)
The debate will rage on but the survey at least seems to indicate that internet users are very aware of the perils of the careless use of passwords, and the risks and inconvenience the current service-by-service approach to security brings.
The appetite to move on to more sustainable and flexible multi-service solutions is out there, awaiting a solution.