
The Slow Death of Passwords


My first online account consisted of nothing more than a username and a password. The username was some strange alias I made up, fearful of using my real name online. The password was just my first name, an all-lowercase six-letter word.

The plain username-and-password pattern has since been strengthened with additional methods. We are going to take a look at a few of them and examine the strengths and weaknesses of each.

Knowledge Based Authentication (KBA)

This method is incredibly common in the credit and banking industry. You are presented with a small multiple-choice questionnaire, with questions like "Select the county you previously lived in". The more questions you add, the more secure it arguably becomes.

Pros:
- Additional layer of security
- Prevents malicious actors from impersonating others

Cons:
- Knowledge is not private. It can be found.

All in all, this method relies on the details of a person's history staying private inside the systems that hold them. With more and more services going online and another data breach every week, this method of authentication will probably cease to exist in a few years.

Security Questions

This method has spread to a variety of industries. It basically works by giving you (the user) a set of questions. You pick one of them and answer it however you wish. During a login session, the selected questions are presented and must be answered. For example, one of my questions was "What was the name of your childhood friend?". This question sucks though, for a variety of reasons. I've had so many childhood friends that I even forgot what I put!

Pros:
- Additional layer of security
- Questions can be answered truthfully or not. It doesn't matter.

Cons:
- Truthfully answered questions are just another form of knowledge based authentication.

2 Factor Authentication (2FA)

A common method used on millions of sites these days. Text (SMS) based 2FA has been the usual form: a random code is sent to the registered phone number and must be entered within a few moments during the sign-in procedure.

2FA also has non-phone-based methods: software applications can act as time-based tokens which refresh every 30 or so seconds.
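The time-based tokens described above are usually TOTP (RFC 6238), which is HOTP (RFC 4226) with the counter derived from the clock. The following is an added example, not code from the original post, showing both the code generation an authenticator app performs and the server-side verification with a small drift window and a constant-time comparison. The secret is the well-known RFC test vector, used here only as constructed input, not a real key.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed test input: the reference secret from RFC 4226 / RFC 6238
# ("12345678901234567890"). A real deployment generates a random per-user secret.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte selects a 4-byte window
    window = mac[offset:offset + 4]
    code = (int.from_bytes(window, "big") & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)                # keep leading zeros, e.g. "005924"


def totp(secret: bytes, for_time: Optional[float] = None,
         step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step). The 30 s step
    is why the code in an authenticator app changes every 30 or so seconds."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time // step), digits)


def verify_totp(secret: bytes, candidate: str, for_time: Optional[float] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check. Accepts the code for the current step and for `window`
    steps either side to tolerate clock drift between phone and server.
    Uses a constant-time comparison so a mismatch does not leak which digit differed."""
    if for_time is None:
        for_time = time.time()
    if len(candidate) != digits or not candidate.isdigit():
        return False
    base = int(for_time // step)
    for counter in range(base - window, base + window + 1):
        if counter < 0:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), candidate):
            return True
    return False


if __name__ == "__main__":
    now = time.time()
    code = totp(DEMO_SECRET, now)
    print("current code:", code, "verifies:", verify_totp(DEMO_SECRET, code, now))
```

On the server, record the counter of the last accepted code and refuse anything at or below it; otherwise a code that was observed once could be replayed within the drift window. The SMS weakness the post lists does not apply here, since nothing is transmitted out of band, but the shared secret itself must be protected at rest on both the server and the device.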

Pros:
- Additional layer of security
- Can be cloud based

Cons:
- Losing a non-cloud-based 2FA device can be painful
- SMS can be social engineered
- Cloud-based 2FA could be stolen

Hardware Enigma

Hardware-based sign-in techniques have existed since I joined the Internet, and that was way back in the 1990s. While the hardware of the past was more of a time-based token with a digital display, the new generation dabbles in cryptography with a USB connection.

I have two hardware authentication devices; they are sometimes clunky, but the idea is basic. They must be plugged in, otherwise I cannot sign into my account.

Pros:
- Not at the software level.
- Easy to use, when it works.

Cons:
- Wireless vs. wired acts differently
- Steal the hardware and done?

These are just a few of the additional authentication measures set out to aid or even replace passwords. There are plenty we didn't even talk about, such as biometrics, face recognition and simple mobile phone prompts. I wonder what new types of authentication will appear in the next few years.

Featured photo by Matthew Brodeur / Unsplash
