Les Waggoner – 3 Jun. 2023
Introduction
Authentication is a crucial part of today’s world, and though there are various tried and true methods of verifying one’s identity, the introduction of electronic data has made protecting it an ongoing concern. With this need and the increasing value of electronic data, usernames, and passwords have become ubiquitous in protecting this data. As this need for passwords has grown, the burden has been increasingly placed on the end-user to create passwords to keep the data secure. However, with the increasing complexity and need to rotate passwords continually, end-users struggle to create unique and highly secure passwords continually. Throughout history, compromised passwords have resulted in data breaches, unauthorized access, or data theft. As authentication methods continue to evolve from ancient practices to modern-day implementations, it is critical that organizations evaluate alternative ways to address end-user pain points, such as rotating complex passwords, ensuring secure data practices, and moving forward into a brighter and safer future.
Authentication in History
Identity verification has always been a concern throughout history, from classic literary references such as Homer’s The Odyssey to the complex systems in modern times. In The Odyssey, Odysseus, upon returning home in disguise, faces challenges from Penelope’s suitors. His demonstration of skill and prowess with the bow and arrow only he possesses served as a challenge-response method to authenticate his identity (Homer Book 21.55 – Book 22.32). While the origins of authentication are undocumented, the scenario described by Homer suggests that the idea of validating someone’s identity has existed for thousands of years. The initial need to determine whether “you” are “one of us” evolved into today’s passwords. A verbal challenge-response type of authentication was even referenced in the Authorized King James Version of the Bible (Judg. 12.5-6):
5 And the Gileadites took the passages of Jordan before the Ephraimites: and it was so, that when those Ephraimites which were escaped said, Let me go over; that the men of Gilead said unto him, Art thou an Ephraimite? If he said, Nay;
6 Then said they unto him, Say now Shibboleth: and he said Sibboleth: for he could not frame to pronounce it right. Then they took him, and slew him at the passages of Jordan: and there fell at that time of the Ephraimites forty and two thousand (Judg. 12.5-6).
From the early days of biblical history, this method is still in service today. Using a token, such as signet rings, to verify authority or a user’s identity may date back even further to the ancient Egyptians and Greeks (Newberry; Daniels). Authenticated by presenting this token allowed the bearer to either provide information or gain access to information and locations based on the authority of the known owner. Unfortunately, these methods were not infallible. Obtaining the necessary information to pose as an authorized party allows access to locations or information that the person would otherwise not have permission to access. Regardless of the method used, unauthorized access to data or areas constitutes a breach.
Data Breaches
One of the earliest references to a breach is in The Art of War, written around 500 BCE (Sun Tzu, ch. 7, 9). Attributed to Virgil in his work The Aeneid is another early example of breaching in literature; where, during the Trojan War, the Greeks created a giant wooden horse and hid troops inside to breach the walls of Troy (Virgil, II.19-267). The ability to breach data has grown exponentially, just as the amount and accessibility of various information has grown. From the early days of Homer and Sun Tzu, the systems created to authenticate identities have grown in complexity and evolved into today’s digital systems (Newman).
The increasing complexity of modern systems introduces exploits that enable bad actors to access much more than just an individual’s information (Newman). Unfortunately, it often starts with a single appropriate username and compromised password to gain access to a system. The bad actor then delves deeper, looking for further vulnerabilities of said system, and, with each layer breached, finds others eventually gaining access to information that may be priceless to individuals or organizations to retrieve or keep safe. As far back as data has been protected, breaches have occurred, from ancient times to one of the earliest recorded electronic data breaches in 1984, TRW Information Systems (now Experian), which compromised more than 90 million Americans, and up to modern times, where society is under constant bombardment by bad actors (Kalat; Newman).
According to the Identity Theft Resource Center (ITRC), the reporting of the number of exposed records has declined dramatically in the last few years, which makes quantifying the extent of exposed records difficult, since there is no current and complete data for this metric (ITRC). Records exposed or acquired through a breach can include many types of data, such as email addresses, personally identifiable information, health records, or passwords. However, even though the reporting of the number of exposed records is down, statistic show there were 1,802 publicly reported data breaches in the United States alone in 2022. Reviewing one of the leading online statistics portals, Statista, the number of data breaches has fluctuated over the last few years from 1,108 breaches impacting more than 310 million individuals in 2020 to more than 1,862 data compromises affecting more than 298 million individuals in 2021 (IBM; ITRC; Statista Research Department). Based on data breach information from Target in 2013, Equifax in 2017, and Yahoo in 2013-2014, bad actors obtained data due to poor passwords and, in some cases, related third-party vendor breaches (Newman; De Groot).
Data Breach Costs
According to IBM’s “The Cost of a Data Breach Report” in 2022, 19% of data breaches were caused by compromised credentials, and the mean time to identify was 243 days, adding another 84 days to contain the breach (IBM). The global average for a single data breach is $4.35 million, the most significant target being healthcare, reaching a staggering $10.10 million per breach (IBM; Smith). Of the businesses that were interviewed, 83% have had more than one breach, and business partners were the cause of 19% of breaches (IBM). Incidental breaches, starting with a single password, can occur when organizations exchange information and credentials with third-party providers, potentially bypassing an organization’s security measures. Breaching in this manner highlights the need for adequate third-party security protocols. The data compiled by Secureframe shows that the security of passwords has become passe, and the user has become lax and lazy in securing said passwords (Leuthvilay; Secureframe). A compromised system can allow access to data, which can be encrypted and held for ransom, as well as the public release of sensitive private data resulting in identity theft and a myriad of other issues. Therefore, by understanding the implications of a breach and the cost to both organizations and individuals, the discussion of pain points and possible solutions can begin.
End-User Pain
When discussing authentication, it is crucial to address the pain points of password security, including password fatigue and the risk of security compromise due to password complexity requirements and constant rotation as length and complexity requirements significantly increase user frustration, leading to counterproductive workarounds (Ives et al. 4; Grassi et al. 69). The primary focus should be on the end-user and how easy the authentication method is to use, which directly impacts end-user acceptance. For a long time, regular password rotation has been considered a standard security measure. It was believed that forcing users to change passwords frequently enhances security. Coupled with the strength (also known as entropy), the combination has become the corporate standard. However, it is imperative to simplify the system, making it easier for the end-user, which encourages end-user participation in the authentication process. By doing so, we can mitigate the issues surrounding the current method and reduce the chances of bad actors compromising the system using acquired credentials.
For example, a strong password can be created by using a random eight-character combination with all four categories of characters: lower case, upper case, numbers, and symbols. However, the constant changing of passwords devalues this scheme and compromises security due to several issues. While memorizing the original password, each subsequent forced change requires the user to create another unique and memorable substitute. Most users will opt to adjust the already remembered password with transformations, just adding one or two characters to the original or changing one or two characters in the original password, and other, simple to-adjust changes to meet the required complexity (Grassi et al. 68). Since not all systems will check for similarities from one password to another, a bad actor with a previously compromised password can use algorithms to check for slight differences and easily break the new password.
Another issue is physical reminders, such as writing passwords down and often leaving them in insecure areas. Even diligent security-conscious users who create totally unique passwords can get into the habit of writing them down (Grassi et al. 68). By writing down each complex password, they will have it documented, and the chances of needing a password reset shortly after changing it will decrease.
The user’s frustration increases with the regularly scheduled password rotation method without any signs of compromise, leading to the creation of yet another complex password. Once again, this may be a struggle for the end user to memorize, eventually resulting in password fatigue (Grassi et al. 69). Password fatigue is the exasperation end users feel with the password process as a whole. The issues innate in the complex password and rotation method are therefore evident to all; there are two choices; easy to remember, easy to crack complex passwords, or uncrackable random complex passwords, which many users must write down to remember them, both options decrease the strength of an organization’s overall security profile.
Evaluating and Options
Evaluating the options to mitigate these pain points can be daunting (Komanduri et al.; Ives et al. 4). From biometrics to device, location, or behavior, adding two-factor authentication (2FA) or multi-factor authentication (MFA), organizations wade through the sea of options to attempt to develop the best methods, which is both time-consuming and tedious. Many types of authentications can be used as a substitute for this user password rotation combination. One option, “something you have,” such as device-based, involves using devices such as smartphones with or without a security application. Biometric-based “who you are” is also an option, and it involves using a part of your body as the authentication. Lastly, some even tout passwordless authentication, which is, at its core, device-based authentication. Alternatively, organizations can enhance security by adding other methods to the user password rotation policy, such as 2FA or MFA, making compromising harder because one must have multiple factors to complete the authentication process.
Substitution and additions may include device-based authentication (Komanduri et al.; Ives et al. 4), which is prevalent these days, prompting a user for a code either sent to their device or generated on the device when attempting to access secured data. The loss of a device puts the end-user’s credentials at risk, especially if they do not have device-level security to prevent bad actors from accessing the device. The consequences of dispossession of the device are generally limited to the compromise of the device, which is replaceable, and the data it is supposed to protect.
MFA as an Alternative
Another option for substituting or replacing the complex password rotation scheme is biometrics. While it is potentially more accurate and more difficult to compromise, the consequence of a data breach results not only in the breach of the protected data but can include the compromise of all of the biometric data as well, resulting in the biometrically registered identifiers from continued use (Bonneau et al.). Single sign-on, which is more of an extension to the user password rotation process, can also be used, though, as a substitute may not eliminate the complex password rotation. However, it will limit the need to enter passwords allowing the already provided credentials to be acknowledged as valid by the reliant organization. Once compromised, this trust relationship will compromise all of the subsequent credential requests. None of these options offer a viable and long-term replacement for the user password rotation.
Though 2FA/MFA does not mitigate the inherent problems seen upon loss of the device or the compromising of the biometric data when implemented in conjunction with the user password rotation process, it increases the system’s overall security. Additionally, password managers can mitigate some of the pain points inherent in password fatigue by allowing the user to store their passwords safely; however, if the password manager is ever compromised, the results can be disastrous, as every documented password for a user would be compromised.
Addressing User Pain Points
Acknowledging the user pain points, the most likely replacement for the current user password rotation process may be one of two options, “looking to the past,” which indicates the issuing of passwords by the organization, or “moving forward,” with more significant character requirements and loosened complexity (Komanduri et al.; Ives et al. 4). Imposing additional complexity requirements can be disregarded due to the counterproductive workarounds users often employ when faced with overly complex passwords (Grassi et al. 69). However, these methods must be accompanied by more robust reporting of possible compromise and removing the password rotation criteria. The most intriguing solutions involve MFA but also rely on a change in handling the user password rotation process.
To enhance security and alleviate end-user pain points like password fatigue, there are a couple of approaches available. However, the alternatives should involve discontinuing the practice of password rotation and instead relying heavily on password monitoring. The first, which addresses the ubiquitous use of passwords across both personal and professional accounts, is assigning organizationally created passwords. Alternatively, this can be addressed by lessening password complexity while at the same time increasing the password length, which allows the user to be more creative in the passwords created and ultimately produces more memorable passwords (Brecht; Grassi et al. 86). An organization would also find it prudent to implement a password vetting system, which will check the password during new password creation (Grassi et al. 87).
Vetting
Vetting plays a crucial role in ensuring secure password practices. This process aids in the elimination of credentials that contain easily guessed words, personal information, or elements tied to the organization, like the names of companies, departments, or products. In addition to eliminating weak credentials, vetting also involves comparing new passwords against a list of previously breached passwords. This step aids in strengthening security measures and mitigating the risk of password breaches. Furthermore, this method effectively circumvents traditional password-breaking techniques such as dictionary lookups. As such, organizations need to prioritize this practice as a means of addressing end-user pain points, thus ensuring more secure data practices (Ives et al. 4).
Conclusion
There is no easy path forward, and the issues presented have been discussed in length by many a security team, and no solution fits every situation. Authentication methods must be reviewed by each organization and adjusted to suit the organization and the data they are trying to protect, whether it is 2FA/MFA, device or biometric, company-issued passwords, or longer passwords with less stringent constraints. Considering the inherent problems in the current password authentication system, such as password fatigue, it is imperative to explore alternatives that could alleviate these end-user pain points. Whether looking toward the past and using some of the methods our grandparents used or moving forward with the new systems now being espoused, history has shown that staying stagnant is not an option and is just another breach waiting to happen.
Works Cited
Brecht, Daniel. “Password security: Complexity vs. length [updated 2021]”. Password Security: Complexity vs length [Updated 2021]|Infosec Resources . Infosec Resources. 11 Jan. 2021, resources.infosecinstitute.com/topic/password-security-complexity-vs-length/. Accessed 16 May 2023.
Bonneau, Joseph, et al. “The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes.” 2012 IEEE Symposium on Security and Privacy, 2012, pp. 553-567.
Daniels, Eb. “Men’s Signet Rings: What They Are & How to Wear Them.” Gentleman’s Gazette, 8 Feb. 2023, www.gentlemansgazette.com/signet-ring-primer/. Accessed 13 May 2023.
De Groot, Juliana. “Digital Guardian.” Digital Guardian, 22 Aug. 2022, www.digitalguardian.com/blog/history-data-breaches. Accessed 13 May 2023.
Grassi, Paul., et al. “Digital Identity Guidelines: Authentication and Lifecycle Management.” NIST Special Publication 800-63B, National Institute of Standards and Technology, Jun. 2017, pp. 23, 53, 67-79, doi.org/10.6028/NIST.SP.800-63b.
Homer. The Odyssey. Translated by Robert Fagles, Viking, 1996.
IBM. “The Cost of a Data Breach Report.” IBM, 2021, www.ibm.com/security/data-breach. https://doi.org/10.1016/S1361-3723(21)00082-8. Accessed 13 May 2023.
ITRC. “2022 Data Breach Report.” Identity Theft Resource Center, 2022, www.idtheftcenter.org/2022-data-breaches/. Accessed 13 May 2023.
Ives, Blake, et al. “The Domino Effect of Password Reuse.” Communications of the ACM, vol. 47, no. 4, 2004, p. 4. doi.org/10.1145/975817.975820
Kalat, David. “Nervous System: The First Major Data Breach: 1984.” BRG, 8 Dec. 2020, www.thinkbrg.com/insights/publications/kalat-first-major-data-breach/. Accessed 13 May 2023.
Komanduri, Saranga, et al. “Of passwords and people: measuring the effect of password-composition policies.” Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2011. doi.org/10.1145/1978942.1979321
Leuthvilay, Lani. “Study Finds 78% of People Reset a Password They Forgot in Past 90 Days.” HYPR, 10 Dec. 2019, blog.hypr.com/hypr-password-study-findings. Accessed 13 May 2023.
Newberry, Percy E. Scarabs: An Introduction to the Study of Egyptian Seals and Signet Rings, With Forty-Four Plates and One Hundred and Sixteen Illustrations in the Text. A. Constable and Co., 1906, pp. 25-34. Google Books, books.google.com/books/about/Egyptian_Antiquities_Scarabs.html?id=7eUTAAAAYAAJ.
Newman, Lily Hay. “Wired Guide to Data Breaches.” Wired, Conde Nast, 6 Aug. 2020, www.wired.com/story/wired-guide-to-data-breaches/.
Secureframe. “Password Statistics.” Secureframe Blog, Secureframe, 2021, secureframe.com/blog/password-statistics.
Smith, Marcia. “The Cost of a Data Breach.” IBM, 2021, www.ibm.com/security/digital-assets/cost-data-breach-report/#/.
Statista Research Department. “Number of Data Breaches in the United States from 2005 to 2022.” Statista, 2022, www.statista.com/statistics/273550/data-breaches-recorded-in-the-united-states-by-number-of-breaches/
Sun Tzu. The Art of War, translated by Lionel Giles, Project Gutenberg, 1910. www.gutenberg.org/cache/epub/17405/pg17405-images.html.
“The Bible.” Authorized King James Version, Oxford UP, 1998.
Virgil. “The Aeneid.” Translated by Robert Fagles, Penguin Classics, 2006.