“Your Word Is Your Bond”

“Your word is your bond.” It’s a phrase that draws its origins from the Third Commandment and demands a high degree of integrity. However, substitute “password” for “word” and “security” for “bond”, and the story is very different in the world of online authentication.

In this context, authentication – as opposed to authorization – is linked to a facet of identity, specifically the digital identity of a person seeking to access a file or database. Authentication is about verification – to ensure you are who you claim to be. People sometimes confuse authorization with authentication – if you’re “you”, you’re automatically allowed to do things – and while people should treat them as separate, that’s a conversation for another day.

As our personal information is moved online, by ourselves or others, the reliable authentication of individuals accessing that data is critical.  Governments plan to have health records accessible electronically to authenticated AND authorized caregivers.  The trend towards cloud computing will see more people committing to the backup or storage of data online.  For better or worse, our personal information is “up there” and all we seem to get is people telling us to use strong passwords.

Passwords endure as the single factor authentication mechanism, principally because of the lower cost of implementation and support. As a society of technology users increasingly asked to store and access our personal data online, we’re admonished to have “strong” passwords or “passphrases”.  We’re urged to keep them safe; we even “contract” to do so in more sophisticated terms of service on sites that involve sensitive information. We worry about keystroke monitoring, password sniffers, password crackers. We are bemused by the fact that the most common password is the word “password”. And before someone raises the point about admonitions from Privacy Commissioners to use encryption – guess what you often need with encryption programs? Yep. Passwords.

Anyone who has done online banking from somewhere other than your usual computer knows that they will face a challenge question. This is because banks have moved to “risk-based authentication” or “adaptive authentication” where passwords, together with additional information, are used as a type of “multifactor authentication”. The additional information consists of data such as user ID, type of device, IP address/location information, and the “velocity” of the transaction. “Velocity” here refers to the process of determining whether someone logging on from Location 1 could physically login from Location 2 within that time frame between the two events (e. g. you can’t really log-in from Halifax and Vancouver within 2 hours of each event).  This is “contextual” information. Such information, together with user specific attributes, transaction history and patterns all form the basis for risk-based authentication.

Not everyone is completely happy with risk-based authentication. Here is a report from 2007 that hackers are making headway into breaking down risk-based authentication. There have often been complaints about “false positives” in the use of risk-based authentication. In providing password advice, the “father of the firewall” recently suggested that “if a Web site offers a secondary question for authentication, that question should be related to the password rather than you yourself…it’s not too difficult to figure out the “maiden name” of a person’s mother.”

One might argue that the rose is off the bloom as it appears that some American banks may be moving away from only using risk-based authentication and incorporating the use of one time passwords (“OTPs”) into their authentication processes. At least that’s what Wells Fargo is doing; as is a bank in India.  Last week, it was reported that Google will add OTPs to Google Apps.

A one-time password is just that – a unique password good for only one transaction.  Normally one thinks of them in the context of tokens, primarily used for remote access. Tokens are relatively expensive and you have to provide support in case they get lost or stolen. But there are ways to more easily add that second factor to authentication and there’s one token that we always seem to with us – our cell phones. The OTP can be sent as a text message to our cell phone. Maybe it’s time to raise the bar and start using another layer of security in a general way for all applications that involve access to personal information.

So as we move further online, and where personal information is concerned, it may be time to re-think the single password and consign it to history along with the unlocked front doors of a more trusting age. Consumers of online services (whether provided by government or the private sector) should ask service providers some pointed questions about their future plans for authentication.

2 Responses to ““Your Word Is Your Bond””

  1. Lots of sensible thoughts here, Michael. Readers who want to back up to a different level of analysis can see my recent Slaw post here:
    http://www.slaw.ca/2010/08/30/authentication-and-trust-some-preliminary-thoughts/

    I am a bit sceptical of Google’s recent one-time password announcement because I don’t have a cell phone on which to get the SMS password messages. There must be a few of us yet who might use Google Docs who can’t get SMSs. Is there an alternative delivery route?

  2. Michael:

    How does this square with currently proposed federated “trust models” for identity management proposed by, say, some larger government eHealth players, and set out in last year’s paper on same put out by the OIPC?

Leave a Reply