Just as complete strangers will not think twice about discussing their embarrassing ailments as soon as they discover someone is a doctor, the same can be said of IT security professionals. Was an email a scam? Should I have clicked on that link? Is online banking safe? What antivirus do you recommend? The list is endless. These days I am rarely surprised; however, one story I was told by a supplier last week took me aback.
He was contracting for an organisation and had been given web-based email access. To log in each day he would go to the website and type his email address and password. This password lasted 30 days and would then need to be changed. Typically, day 30 came and went, and when he tried to log in one morning he was prompted for a password reset. The trouble was that every time he attempted to do so he failed. He called the service provider's helpdesk and the conversation went along the lines of…
Caller: “Hi. My password has expired but I can’t reset it myself. Can you help?”
Helpdesk: “Of course. What is your email address?”
In the interests of being discreet I won’t share this part of the conversation. But he assures me the only thing he told the helpdesk was his email address.
Helpdesk: “No problem. What would you like your new password to be?”
Astonishingly, all he needed to change the password and gain access to his email account (which, by the way, contains an amount of sensitive information) was his email address. No other form of identification was requested. I questioned whether his phone number may have been registered with the company, but he wasn’t using his work phone as it had poor reception. To add insult to injury, the password he asked them to set was exactly the same as the password he had been using for the past 30 days. Which begs the question – why have an expiry date in the first place?
Helpdesk: “That is all done for you. Have a nice day.”
Caller: “Thank you.”
On the plus side, the call was quick (so the helpdesk cost was minimal), he got access to his emails with little inconvenience and no harm was done. However, the story could have panned out very differently if it had been someone else with an ulterior motive on the line.
This experience shows how today passwords are by and large seen by everyone as a necessary and unavoidable inconvenience. But this should not be the case. In this instance, he should never have needed to trouble the helpdesk (no matter how quickly they were able to resolve the issue) because we shouldn’t still be relying on passwords to ‘secure’ our systems – not when there are so many better alternatives.
The large and long-term challenge we as authentication professionals have is to break down this apathy, whilst at the same time educating organisations that replacing passwords doesn’t have to mean increasing complexity, adding more factors and increasing costs. In fact, the opposite is often the case.
Here is how the login process should happen:
He opens his laptop and Internet browser and goes to his email login page, where he is asked to enter a one-time-code (OTC). Using his phone, he opens his PINgrid app and, looking at the pattern he previously set and memorised, enters the corresponding numbers into the website (these numbers are his OTC). He is now logged in to his email. What’s more, it wouldn’t matter if his phone had no signal, as the app works offline. And every time he logs in the app creates a new OTC, so not only is it more secure, but there is no need to perform a password reset every 30 days.
I never tire of hearing new security horror stories, but I hope that before too long they will become few and far between. There really is no excuse or reason for anyone to still be using passwords.
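The login flow described above can be sketched in code. This is an added example, not Authlogics code and not PINgrid's actual algorithm, which this page does not describe; the HMAC-SHA256 grid derivation, the 6x6 grid, the 60-second step, the seed and the pattern are all assumptions made for illustration.

```python
import hashlib
import hmac
import struct

GRID_SIZE = 6   # assumed: 6x6 grid of digits shown by the app
STEP = 60       # assumed: seconds for which one grid stays valid

def grid_for(seed: bytes, unix_time: int) -> list[list[int]]:
    """Derive the digit grid for the time step containing unix_time.
    Needs only the shared seed and a clock, so it works with no signal."""
    counter = struct.pack(">Q", unix_time // STEP)
    digits, block = [], 0
    while len(digits) < GRID_SIZE * GRID_SIZE:
        mac = hmac.new(seed, counter + bytes([block]), hashlib.sha256).digest()
        # Discard bytes >= 250 so that byte % 10 is not biased.
        digits.extend(b % 10 for b in mac if b < 250)
        block += 1
    digits = digits[:GRID_SIZE * GRID_SIZE]
    return [digits[r * GRID_SIZE:(r + 1) * GRID_SIZE] for r in range(GRID_SIZE)]

def read_code(grid: list[list[int]], pattern: list[tuple[int, int]]) -> str:
    """What the user types: the digits in the cells of the memorised pattern."""
    return "".join(str(grid[r][c]) for r, c in pattern)

def verify(seed, pattern, submitted: str, unix_time: int, used_steps: set) -> bool:
    """Server side: recompute the code, compare in constant time, reject replay."""
    step = unix_time // STEP
    if step in used_steps:
        return False  # a code for this step was already accepted
    expected = read_code(grid_for(seed, unix_time), pattern)
    if not hmac.compare_digest(expected.encode(), submitted.encode()):
        return False
    used_steps.add(step)
    return True

# Constructed sample values, not real credentials.
SEED = bytes.fromhex("00112233445566778899aabbccddeeff")
PATTERN = [(0, 1), (1, 1), (2, 1), (3, 1), (3, 2), (3, 3)]  # an "L" shape

if __name__ == "__main__":
    now, used = 1_700_000_000, set()
    code = read_code(grid_for(SEED, now), PATTERN)
    print("first login accepted:", verify(SEED, PATTERN, code, now, used))
    print("same code replayed:  ", verify(SEED, PATTERN, code, now, used))
```

The secret the user remembers is the pattern, never the digits, so a code overheard on one login is useless on the next, which is the property the 30-day expiry was trying and failing to approximate.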
Author: Steven Hope, Authlogics