IT Security

Passwords as tools

by Mark Rowe

After Google’s recent announcement of a new trust-based security system for smartphone access, replacing the traditional password-based log-in, Andrew Tang, Service Director, Security at the IT firm MTI, offers his views on the future of passwords as security tools.

Google’s recent announcement that it is developing a new log-in method for smartphones is a significant step forward in log-in security. It replaces passwords with a ‘trust-based’ system that monitors the way a user typically uses a phone.

It apparently checks personal indicators such as how you type and swipe and where you are, and then uses these and other usage patterns to determine how likely it is that the person carrying the phone is actually you. It will certainly make it much harder to ‘crack’ a lost or stolen phone.

Similar behavioural analysis technologies already exist and are used ‘behind the scenes’ in some enterprises and industry sectors, such as financial services. Behavioural activity is typically mapped and matched before network entry and data access are allowed. This can range from keyboard tapping patterns to the applications that are usually accessed.

Emergencies

However, a question that naturally arises with these types of security is what happens in a ‘disaster recovery’ situation, such as a fire or another emergency. Behaviour changes during an emergency: panicked tapping across a keyboard, for example, often leads to more errors and could result in a user being locked out when they desperately need to get in. This may seem like a small point, but it is significant.

The success of Google’s new system will probably hinge on the algorithm behind the technology, and in particular on how its parameters are set. If they are too rigid, it might cause problems.

That said, the wider issue, and one that Google is clearly tackling head on, is the fundamental insecurity of passwords. People have been talking about this for twenty years and we’re still wrangling over it. It just shows how people are the weakest link in a security chain.

Account take-overs

This was clearly evident in the recent LinkedIn stolen-data furore. Following the appearance of the stolen data on a dark web site, the social media platform Reddit detected an increased number of account takeovers, which it attributed to the LinkedIn data. People were using the same passwords across different sites; it’s a common problem and undermines even the best-laid security plans. A strong password should have at least ten characters, made up of a combination of upper and lower case letters, numbers and symbols. Admin passwords should have a minimum of 15 characters, because if such a password is cracked, hackers effectively have access to the corporate treasure chest and are able to move through the network with relative ease.
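The two points above, the stated length and character-class rules and the danger of passwords reused from a breach such as the LinkedIn dump, can be checked at password-set time. The following is an added example, not code from the article or from MTI; the breach digests it compares against are constructed placeholders, not real breach data.

```python
import hashlib
import string

# Minimum lengths stated in the article: 10 characters for ordinary
# accounts, 15 for administrator accounts.
MIN_LEN_USER = 10
MIN_LEN_ADMIN = 15

# Constructed sample standing in for SHA-256 digests of passwords seen in a
# public breach dump (placeholder values built here for the example).
KNOWN_BREACHED = {
    hashlib.sha256(p.encode()).hexdigest()
    for p in ("Password123!", "Linkedin2012!", "Summer2016$")
}


def check_password(password: str, is_admin: bool = False,
                   breached: set = KNOWN_BREACHED) -> list:
    """Return a list of policy failures; an empty list means the password passes."""
    failures = []
    min_len = MIN_LEN_ADMIN if is_admin else MIN_LEN_USER
    if len(password) < min_len:
        failures.append(f"shorter than {min_len} characters")
    if not any(c.islower() for c in password):
        failures.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        failures.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in string.punctuation for c in password):
        failures.append("no symbol")
    # Reuse check: a password that already appears in a breach dump is
    # effectively public, however well it scores on the rules above.
    digest = hashlib.sha256(password.encode()).hexdigest()
    if digest in breached:
        failures.append("appears in a known breach list")
    return failures


if __name__ == "__main__":
    for pw, admin in (("Tr0ub4dor&3xyz", False), ("Tr0ub4dor&3xyz", True),
                      ("Password123!", False), ("password", False)):
        print(pw, "admin" if admin else "user", check_password(pw, admin))
```

Note that the breach check uses the hash of the candidate password, so the plain-text breach list never needs to sit on the authentication server.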

Growth in power

It should be kept in mind that technology is advancing all the time and Moore’s Law still holds good, that is, the number of transistors in a dense integrated circuit doubles approximately every two years. In practical terms, this means processors are faster, cheaper and ever more powerful, and determined hackers can harness this processing punch to crack tough passwords. This is why two-factor authentication, backing up a robust password with a second, independent form of authentication, is so important. Following an external hack, passwords must by necessity be changed and multi-factor authentication introduced as an absolute fundamental.

Security must also focus on administrators’ rights, because accounts with local administrator rights represent a large and frequently exploited attack surface. Removing administrative rights outright, however, can lower productivity, as business users no longer have the rights needed to carry out day-to-day tasks.

Protecting admin rights

The answer is to introduce a policy that enforces what is known as least privilege. Rather than relying on single admin passwords to protect network access, businesses should introduce privilege control at the server and application level. This enables you to manage and control which applications run on endpoints and servers and, as a result, prevent malicious applications from penetrating the environment. It’s an effective system that addresses the problem of password cracking by providing deeper defences against administrator hacks.

Google’s planned introduction of behavioural-based protection for smartphones could be the first steps in wider usage of this type of protection. Some believe that moving from password protection to behavioural monitoring is the way forward, especially in the enterprise.

Looking ahead

Although this approach has already been in play for some time, it does have its limitations. While it may prevent ‘strangers’ from accessing a network, legitimate users can still download a virus or make a mistake in transferring a file outside the appropriate channels. That said, Google being Google, a giant company with enormous influence and the provider of services to millions, users will at some point come to accept behavioural monitoring as the norm. As this happens, you will also notice a trend in the business space of password-based security moving towards similar systems.

© 2024 Professional Security Magazine. All rights reserved.