The password apocalypse is approaching - are we ready?

by Perry Chaffee, on Thu 26 April 2018

In a 1950 paper titled “Computing Machinery and Intelligence,” Alan Turing proposed a test of artificial intelligence which has since been highly influential in this field.

The test was to consist of one human evaluator communicating with two entities and judging their natural language conversations. The evaluator would know that one of them is a human and the other a machine. The communication would be limited to text and take place through an electronic device, like a computer or smartphone. If the evaluator couldn’t tell which one is human and which is a machine, then the machine is said to have passed the test.

Recently a robot named Sophia (who previously said she would destroy all humans) was given citizenship. Although “she” is a remarkable technological achievement, Sophia would be unlikely to truly pass as a human in person.

However, the Turing test doesn’t require an in-person interaction. Instead, the communication would take place through other methods which many people use every day such as email, social media, and messaging/chat apps.

With the use of virtual machines, automation, and deep learning, we’re getting dangerously close. Though a Terminator style machine war to exterminate humans is unlikely in the near future, we ARE on the verge of an apocalypse for passwords, usernames and other Human Readable Credentials.

Organizations of every kind that provide services to end users and use Human Readable Credentials as the basis of their identification and access management systems are (and have long been) putting their users and themselves at risk of phishing, spoofing, social engineering, and a myriad of other major problems. With the rise of the machines, this must necessarily change.

It’s bad enough that people on both sides (users and help desk personnel) can be fooled by humans pretending to be people they’re not. When virtual machines, automation and deep learning are used to proliferate these problems at scale, the tactics become far more efficient and effective.

Why we need to say goodbye to usernames and passwords:

Passwords and usernames are viewed by businesses as a convenient and cheap method of user management. However, they’re very inconvenient for end users and are a totally obsolete approach in today’s cybersecurity environment.

Tech enables the global population to connect to an unprecedented degree through virtual communities where people interact personally (social media & online dating), professionally (online learning, networking, prospecting, job seeking), in banking, e-retail/commerce, etc. But so far this has primarily been through a self-asserted identity. This self-assertion is an opportunity to either be honest, or to lie. It is usually based only on “something you know.” This includes usernames and passwords, but also extends to all other human readable credentials (HRC) – such as your name, birthday, contact information, social security/passport/driver’s license number, etc. Someone honestly asserting their identity will provide their real credentials, while someone else could use the inherent vulnerability of this approach to provide fake or stolen credentials.

From a user perspective, websites or services which ask for more information tend to be viewed as more secure, while those which ask for less are viewed as less secure. If you want to log in to Instagram to look at your friend’s cat photos, you might just need a username and password. If you want to log in to your bank account, you’ll probably need more. In reality, neither is actually secure. Your money isn’t much better defended than your cat photos, and though this may save your bank some pennies, remembering all these different passwords, usernames and other Human Readable Credentials certainly isn’t doing you any favors.

For most people, the login experience just entails filling in some blanks with information that is often accessible (whether they realize it or not) to other people besides them. Prior data breaches have flooded the shady underworld of cybercrime and identity theft with massive sets of credentials. Some of these breaches we know about; others we’re most likely unaware of. When the US Office of Personnel Management was breached (impacting more than 21 million federal employees and servicemembers), it took more than a year for anyone to notice. When Equifax was breached (impacting more than 183 million consumers), it took them over a month to admit it. It took Yahoo over four years to admit that ALL user accounts were compromised and not just those they initially announced. What else do you think is actively breached right now that you won’t find out about for months or years? It’s a known unknown.

Though you might have been warned to change your password, it’s unlikely that you changed all the rest of your personally identifying information (PII) and contact information; this would be impractical or even impossible. Worse yet, although the sites you use have worked to make the password reset as easy as possible for you, that convenience extends to hackers who already have all your other information and just need to temporarily access (and lock you out of) your account.

Why human readable credentials should be outlawed:

Right now websites using a password and username for their logins are putting their users at risk of phishing, spoofing, keylogging, Man-in-the-middle, Man-in-the-browser, password guessing, password cracking, shoulder surfing, social engineering and a myriad of other problems. In the future we can expect to see these issues compounded when such attack vectors are combined with virtual machines, automation and AI.

Unfortunately, so far these data breaches have been viewed as a lottery of sorts. Most companies weigh the probability of getting hacked against the severity of the consequences, then invest minimally in following industry standards and best practices while covering themselves with cybersecurity insurance. This approach externalizes as much of the impact as possible onto the user/customer base, and often entails a greater emphasis on the public relations response than on actual security and prevention. Preventative measures are usually limited to compliance, which is less about security/risk mitigation and more about covering yourself in the event that bad things happen so you can say you tried. There’s an unacceptably high level of risk acceptance based on the reality that other people will be left with most of the cost.

Equifax is a prime example. At best, their practices focused on compliance, and their initial response to the breach was to disregard the impact to 183 million consumers by delaying the breach notification until a time more convenient for the company (and after key leaders could sell off their company stock). The response to permanently compromising these credentials (for a lifetime) was to temporarily offer free credit protection (which they will charge for after the initial period ends).

Government organizations haven’t done much to break this cycle, even awarding an IRS contract to Equifax for fraud prevention (seriously). Equifax may ultimately result in a paradigm shift motivating a move away from using Human Readable Credentials as the foundation of our identity and access management systems, but it will take public pressure on government, and government leadership, to facilitate the transition. Though the idea of removing government interference from the free market economy is popular in many groups, this is one situation where government involvement is critical, in part because government organizations are (and should be) our most critical identity providers. Your birth certificate, social security number, driver’s license, and passport are all issued by government entities, and while all are based on a fundamentally flawed system of Human Readable Credentials, the free market economy can do little on its own to motivate a shift away from this. Moreover, because current policy allows businesses to externalize all the risk and impact to their users/customers, they have little incentive to do anything to fix it.

Until government identity providers implement a secure universal identity (SUID) system, problems like OPM, Yahoo and Equifax will continue to proliferate.

Why the current “second/multiple factor” approach only puts a Band-Aid on the problem:

The very idea of adding a second factor is an admission that the first factor is inadequate. If this is true, then why continue using the first factor? Why not replace it?

Traditional approaches to 2FA and MFA are simply inconvenient (and still not secure) additions to a fundamentally obsolete identity, authentication and access management system. They are basically the result of ignorance, or of the organizations using them choosing to treat symptoms rather than resolve the root of the actual problem.

Augmenting HRC with additional factors is much like the transition from a gas car to an electric car by way of a hybrid. The hybrid car still has the negative implications of the gas engine (though slightly reduced), as well as new burdens/drawbacks associated with the electric engine and battery system. Building cars with both a gas and electric engine is not ideal; the desired end state is a shift to electric vehicles entirely.

Traditional approaches to 2FA and MFA are like hybrid cars. They still require usernames and passwords and are based on a flawed system of Human Readable Credentials. This isn’t secure, and it is terribly inconvenient. To make it more secure, they make the inconvenience even worse by adding more friction to the user experience. It’s not ideal, and it’s a huge mistake to think it’s the desired end state. Ultimately, the human readable credentials must be completely eliminated from the identity and access management process.

People often look to biometrics as the future of identity, but you can learn how to fake fingerprints on YouTube in five minutes, people have already found ways to unlock an iPhone X with a face mask, and other technologies like voice recognition and iris scanners are also at risk. We also leave our DNA in many places we don’t intend to, something forensic investigators turn to for solving crimes. Compared to securing your DNA, a post-it note with a password on it is probably easier to control. Clearly, though biometrics can offer great value as an additional verification step after the identity phase of the authentication process, they really should not be used as the first or only step in that process.

The ideal solution is to base this identity on a complex system of math and cryptography which seamlessly layers multiple mutual/bilateral/bidirectional authentications. These would use something you have which contains something impossible for any human to know, within the context of a fully automated zero knowledge system. That system would be designed to compartmentalize and segregate data using secure distributed data storage, so that when the relevant parties are not actively using the data (within the context of client side and end-to-end encryption) it doesn’t exist to be stolen.

Overwhelming evidence that the use of passwords and usernames to protect sensitive user data will inevitably result in that data being compromised:

According to Verizon’s Data Breach Investigation Report, more than 81 percent of all breaches were the result of weak or compromised credentials. In each of these cases, someone was able to “know” the credentials of a trusted employee and gain access to sensitive information systems. By eliminating the use of HRC, the risk of unauthorized access can be said to decrease by an average of 81 percent.

However, another part of the problem is the standard architecture for the data storage itself. If the system is configured so that one individual has the power to access the full data set, or even large parts of it, then on a long enough timeline there is a substantial risk that the wrong person will gain access. This could be because the trusted individual unknowingly has their method of access compromised somehow, or through other more technical vulnerabilities. It could also be the result of that individual having a shift of allegiance from the trusting organization to another. Both Edward Snowden and Chelsea Manning are examples of this; each went through a more rigorous background investigation than an average IT professional at an average company. Despite being highly trusted by our government, these individuals violated this trust by leaking vast amounts of highly secret and damaging information. Regardless of how you feel about those two individuals, their actions demonstrate that as long as a company is using a data storage architecture which allows humans to access data sets in this way, it should be assumed that eventually the wrong humans will also gain access to those data sets.

Why companies continue to use this method of authentication:

Companies continue to use obsolete identity and access management processes because we allow them to. As consumers, we don’t know enough to understand how to demand higher security and improved convenience. We don’t demand it through their feedback and support processes, and we don’t demand it through our government.

To the contrary, many people believe that it’s an unsolvable problem that we’re inevitably stuck with. Additionally, many fear the government implementation of a SUID system due to an incomplete or inaccurate understanding of how such a system would impact them. While overlooking a broad range of applications within our society, and the value and convenience to be delivered to consumers, businesses, and government alike, they tend to allow irrational paranoia to set their focus on extreme scenarios which are unlikely to actually occur.

If a SUID system were correctly implemented, it would go further to protect our privacy rights than existing authentication methods, and would dramatically reduce the prevalence of data breaches, identity theft, and a myriad of other resulting crimes and problems. It wouldn’t give the government any more insight into our private activities, but would assist the government in managing the information already collected about us in far more secure and convenient ways.