Going Beyond Passwords

August 3, 2015

Few things are more frustrating than the reminders from your bank, your email provider, or your work login telling you to change your password. How can we possibly be expected to remember all of them? “Oh well,” you say as you change it from “Orange&44” to “Orange&45.” Certainly, it would be much easier if we could use the same simple password for every login. The truth is, despite the inconvenience we feel, a single password is no longer sufficient to protect our personal information from hackers. In fact, a password alone is the least of what we should be using to authenticate access to our accounts.

“When a stranger comes to your door and rings your doorbell, the first thing you are going to do is check who it is,” says Professor Shiu-Kai Chin of the Department of Electrical Engineering and Computer Science. Before you open the door to your house, you want to make sure you know who is there, or confirm that you feel comfortable opening your door. You may ask why the person is there, or whom he or she knows that you know, or ask for some form of identification like a police badge. The Internet of Things makes the process of confirmation more complicated. We cannot readily see who is at our digital doorstep. And yet, we have become alarmingly comfortable with the idea that a single password is a reasonable enough way to protect some of our most valuable information.

Chin works with members of the defense and financial industries to help answer two very important questions: Do we trust that someone is who they say they are, and are we reasonably assured that what they are requesting is appropriate? “The most secure systems are the ones that have systems assurance designed into it from the start,” says Chin. We, as individuals, cannot control how a system has been designed, but Chin is working to encourage the greater use of a concept called multi-factor authentication.

Under this concept, a system requires the presentation of more than one of the possible authentication factors: something you know (e.g., a password or PIN), something you have (e.g., an ID card or key fob), and something you are (e.g., a fingerprint or eye scan). “When someone steals your credentials, they can masquerade as you in the digital world,” says Chin. With multi-factor authentication, stealing someone’s identity becomes harder. Someone could steal your badge, but they may not be able to get your password. Or someone could determine your password, but they cannot replicate your fingerprint. In an ideal world, all three of the authentication factors would be used, because that makes stealing someone’s identity much more difficult.

The solution is not straightforward. There will always be a trade-off between security and convenience. “Imagine if you went to the supermarket and every time you put something in your cart you were forced to pay for it one item at a time,” says Chin. So the next time you get the notification to change your password or pull out your authentication card, remember the power of multi-factor authentication and the necessary balance between security and ease of access. Rest easy knowing your information is better protected by those occasional inconveniences.