Obviously, the password is not dead yet, but its days are definitely numbered. Remember the good old days when you could slumber in relative comfort making every password some variation of a pet’s name and your kid’s birth year? Then the criminals got smarter, or their computers started guessing your passwords faster, and they assumed (usually correctly) that you used that same password at your bank as you did at the big box store that just had a data breach, and soon enough, our slumber became less comfortable and the world more complicated.
Consider the design flaws of a password-based “lock-and-key” system. It assumes humans will choose, remember, and not lose a password that cannot be easily cracked by the fastest computer the crooks can get their hands on, and that they will then use a different password for each and every website they frequent, so that a breach of one website does not hand the crooks the password to every other site where it was reused. The system had to be improved.
Enter two-factor authentication (2FA) or multi-factor authentication (MFA). Typically, this ends up manifesting as a 6-digit code (a one-time password (OTP) or a time-based one-time password (TOTP)) sent to you via text message or e-mail, and further manifesting as the stress that rises up the back of your neck when you don’t have easy access to either one.
How often are you having some quality couch time with your laptop after a long day, ready to tackle that one last to-do you want done before heading off to bed, only to run into the screen prompt for that code, the screen staring at you as if to say “I’m waiting and the clock is ticking,” but you can’t get access to your e-mail without your phone, which has a dead battery and you left it in the car anyway? I know the first emotion that comes to me is not gratitude for keeping my account safe. Technology frustrations aside, does that code really make it safe?
The idea with this style of 2FA is that if a crook gets their hands on your password, chances are they won’t have access to your e-mail or your cell phone to get that 6-digit code. So, even if they have managed to steal or crack your password, without that 6-digit code, they’re stuck staring at that “clock is ticking” screen prompt just as frustrated as you were sitting on the couch.
That is, unless we’re dealing not with a run-of-the-mill crook but with a sophisticated cybercriminal. A sophisticated cybercriminal might have used a phishing e-mail or even a text message to convince you that you’re interacting with a real website or service provider, when in fact you were voluntarily handing over your credentials (and that annoying code) to the criminal. They then immediately log into the real website and take over your account. Not suspecting a thing, you go about your business while the cybercriminal gives you a tough lesson on identity theft. Herein lies the vulnerability of text-, e-mail- and voice-based codes: the code proves only that someone has it, not where it was typed.
Other recent scams involved cybercriminals convincing well-meaning cellular telephone provider customer service agents that they were customers whose phones had been stolen and who needed to move service to a different phone, a so-called “SIM swap.” The cybercriminal then gives the agent the details of a phone they control and proceeds to collect all the 6-digit codes they can get their hands on before the victim discovers their phone has stopped working and contacts the mobile phone service provider.
Are We Safe?
Getting back to the question of whether this style of 2FA/MFA makes us safe, the answer is “safer.” So if the next few paragraphs of altruistic futurism don’t leave you chomping at the bit to purchase a hardware security key for every person whose cyber security you care about, while simultaneously counting the days in anticipation of a time when passwords join the ranks of pay phones, fax machines (yes, I said it), and other things we try to explain to our children and grandchildren with a level of unreasonable nostalgia, then the one takeaway I have for you is to take as much advantage of the current state of two-factor authentication as you can. The next website you log in to that asks if you’d like to enable multi-factor authentication, say yes. Do this for as many services as you can, and make your staff do it too. SMS (text)-based authentication is better than a password alone.
Alex Weinert, Director of Identity Security at Microsoft, recommends moving away from text message-based MFA because it is the least secure of the available MFA options. But he also said that any form of MFA is better than relying just on a password. You can sleep slightly better knowing that, as Alex says, “it significantly increases the costs for attackers, which is why the rate of compromise of accounts using any type of MFA is less than 0.1% of the general population.”
Introducing the Hardware Security Key
If you’re ready to up your security game to the next level while decreasing your frustration, let me introduce you to the hardware security key. It’s resistant to phishing attacks and many other methods used by cybercriminals, but best of all for you and your staff, it eliminates the need to get out your phone, open your messaging app, find the text message with that 6-digit OTP or TOTP code and (correctly) type it in, or in the case of TOTP, type it in before the timer changes the number, to get access to your account. Instead, after setting it up as the MFA method of choice with the websites and services you want to secure, you simply tap a little button on the key when asked for the 6-digit code and, voilà!, you’re in.
Trying to log in on your phone? With an NFC (near-field communication) enabled key, you can authenticate just by holding the key up to your phone and tapping it. One key will work with multiple websites, but it’s a good idea to enroll a backup key in case you lose your primary one.
There are a number of low-cost security keys on the market. The YubiKey by Yubico is what I use (YubiKey 5 NFC, $45), but there are others, including Google’s Titan Security Key. The manufacturer’s website has a lot of good information on how to deploy them and which websites have enabled hardware security key MFA.
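To make the difference between the 6-digit code and a security key concrete, here is an added Python example written for this page; it is not code from the article, from Yubico, or from any website or service mentioned above. It generates a standard TOTP the way an authenticator app does (checked against the published RFC 6238 test vector), shows that the real site cannot tell whether that code was typed into the genuine page or a lookalike, and then models the security key’s origin-bound response, which the real site rejects when it was produced on the lookalike page. The origins, challenge bytes, key secret and the HMAC stand-in for the key’s signature are constructed assumptions; a real FIDO2/WebAuthn key uses a per-site key pair and would not even answer a site it holds no credential for, so this model shows only the origin check.

```python
import hashlib
import hmac
import struct

# Constructed values for this illustration; nothing here comes from a real account.
RFC_SECRET = b"12345678901234567890"         # the RFC 4226 / RFC 6238 test-vector secret
REAL_ORIGIN = "https://bank.example"          # the genuine site (constructed)
PHISH_ORIGIN = "https://bank-login.example"   # a lookalike page (constructed)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): HOTP with the counter set to the current 30-second window."""
    return hotp(secret, unix_time // step, digits)


def site_verify_totp(secret: bytes, unix_time: int, code: str, step: int = 30) -> bool:
    """What the real site checks: does the code match this window or an adjacent one?
    Nothing in this check says *where* the user typed the code."""
    return any(hmac.compare_digest(totp(secret, unix_time + d * step, step), code) for d in (-1, 0, 1))


def totp_relay_outcome(secret: bytes, unix_time: int) -> bool:
    """The article's phishing scenario: the user reads the code off their phone, types it into
    the lookalike page, and the page forwards it to the real site within the same window."""
    code_typed_on_fake_page = totp(secret, unix_time)
    return site_verify_totp(secret, unix_time, code_typed_on_fake_page)   # accepted: True


def key_sign(key_secret: bytes, challenge: bytes, origin: str) -> bytes:
    """Stand-in for the security key's response. A real FIDO2/WebAuthn key signs the site's
    challenge together with the origin the *browser* reports, using a per-site key pair;
    HMAC-SHA256 replaces that signature here (an assumption made for brevity)."""
    return hmac.new(key_secret, challenge + b"|" + origin.encode(), hashlib.sha256).digest()


def site_verify_assertion(key_secret: bytes, challenge: bytes, origin: str, signature: bytes) -> bool:
    """The real site accepts only a response to its own challenge that is bound to its own origin."""
    if origin != REAL_ORIGIN:
        return False
    return hmac.compare_digest(key_sign(key_secret, challenge, origin), signature)


def security_key_login_outcome(key_secret: bytes) -> bool:
    """Legitimate login: the browser is on the real site, so the bound origin matches."""
    challenge = b"constructed-challenge-1"
    return site_verify_assertion(key_secret, challenge, REAL_ORIGIN, key_sign(key_secret, challenge, REAL_ORIGIN))


def security_key_relay_outcome(key_secret: bytes) -> tuple:
    """Same phishing scenario with a security key. The user taps the key on the lookalike page,
    but the browser, not the user, fills in the origin, so the response is bound to PHISH_ORIGIN.
    Returns (response forwarded as-is, response forwarded with the origin field rewritten)."""
    challenge = b"constructed-challenge-2"
    assertion = key_sign(key_secret, challenge, PHISH_ORIGIN)
    as_is = site_verify_assertion(key_secret, challenge, PHISH_ORIGIN, assertion)     # origin mismatch
    rewritten = site_verify_assertion(key_secret, challenge, REAL_ORIGIN, assertion)  # signature no longer matches
    return as_is, rewritten


if __name__ == "__main__":
    key = b"constructed-key-secret"
    print("RFC 6238 vector at t=59:", totp(RFC_SECRET, 59))
    print("TOTP typed into lookalike page, accepted by real site:", totp_relay_outcome(RFC_SECRET, 1_700_000_000))
    print("Security key used on the real site:", security_key_login_outcome(key))
    print("Security key response relayed from lookalike page (as-is, rewritten):", security_key_relay_outcome(key))
```

The design point is in the last two functions: the 6-digit code is a bare value that is valid anywhere for 30 seconds, whereas the key’s response carries the origin the browser saw, so a response produced on the lookalike page is useless on the real one whether it is forwarded unchanged or edited.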
Cyber Liability Insurance
Cybercrime has skyrocketed in the last few years, and more and more cybercriminals are targeting small businesses and law firms in particular as potential victims. If you don’t already have a cyber liability insurance policy, talk to your insurance agent to see if it’s right for your firm and what resources are available to train staff and attorneys to spot scams before they happen.
Not Dead Yet
While the password may not be dead yet, password manager services like LastPass and 1Password have become a necessity for those serious about password security for their practice. The path to “passwordless” is on the horizon, though. This past September, Microsoft proudly announced, “The passwordless future is here for your Microsoft account,” allowing users to completely remove the password from their Microsoft account. While I don’t recommend starting with a biometric security key yet due to a lack of compatibility with the most widely used websites and services, YubiKey’s biometric security key shows a promising path forward for other services to implement passwordless authentication, allowing MFA using only the hardware security key and your fingerprint pressed to it as two forms of authentication.
The future is bright, my friends, and passwords won’t be part of it for long.