Natalia: What threats will be the most important to focus on in the next year?

Troy: We’re seeing more one-time password phishing. This is the value proposition of something like U2F, but how do we make phish-resilient authentication mechanisms? The other thing that’s particularly concerning is the rate of SIM card hijacking. It concerns me greatly that it seems to be so prevalent and that it’s so easy, almost by design, to port a SIM from one location to another. As an industry, we need to say, “Where is the level of identity assurance for a phone number?” Is it very weak or is it very strong, in which case telecommunications companies need legislation to change the ease with which stuff gets ported? Unless we can get people on the same page, we’re going to keep having these problems.

Natalia: What should IT professionals prioritize?

Troy: I would really like IT professionals to better understand the way humans interact with systems. Everyone says, “Just force people to use two-factor authentication.” Do you still want customers? I think every IT professional should have to go through two-factor authentication enrollment with my parents. Everyone should have to learn what it’s like to take non-technical people and try and get some of these things working for them. We can’t just look at these things in a vacuum.

I think U2F is a brilliant technical solution, but it is such an inherently human-flawed mechanism for many reasons. I have enough trouble trying to get my parents to use SMS-based two-factor authentication. Imagine if I had to tell my parents, “You’ve now got this little USB-looking thing, and you need to always have it with you in case you need to log into your device.” We have so many good technical solutions that come at the cost of being usable for most humans, myself included on many occasions.

I’d like us to have a much better understanding of that, which also speaks to solutions like passwordless authentication. We need to give more credit to what passwords in the traditional sense do extremely well. The thing that passwords do better than just about everything else is that everyone knows how to use them. It’s like using your date of birth for knowledge-based authentication. It sucks, but every single person knows how to use it, and that makes a really big difference.

Natalia: What’s the use case for password managers?

Troy: Password managers are a way of storing one-time passcodes (OTPs), but it’s important to recognize that password managers are not just for passwords. I have my credit card details in there, and every time I go to pay at a store, I do the control backslash and automatically fill in the credit card details. I have other secrets in there, like my driver’s license and other data. In many ways, passwords are just one part of the password manager solution, but certainly, for the foreseeable future, we’re going to have passwords so there’s a strong use case for password managers.

Another use case is a family account. If my partner wants to log into our Netflix account, she has her own identity, but there’s one set of credentials. She asks, “Hey Troy, what’s the password for the Netflix account?” It’s a string of gobbledygook. How am I going to get her the password? Do I message it to her, because then it’s in the thread in my unencrypted SMS? But if you have a password manager where you have shared vaults, you can just drop it in the shared vault. That’s another good example of where a password manager is more than just me trying to remember my secrets.

Natalia: Since we’re likely to continue to use passwords, what controls should we put in place to protect them?

Troy: Ultimately, this password is the key to your identity. We’ve had passwords on computer systems for about 60 years and the era in which they were born was so simple. It was before the internet and before social media and before all these other ways we can lose or disclose them. Over time, we started saying, “Let’s have password complexity rules. More entropy. More entropy equals stronger.”

When I used to be able to travel and speak to an audience, I’d talk about passwords and password complexity. I’d say, “Imagine you want to have a password that is the word “password”, and a website says you have to have at least one uppercase character. What do you do? You capitalize the first letter.” Everyone in the audience is laughing nervously and looking at me like, “Oh, you figured it out?” I’d tell them, “You have to have a number. What do you do? You put a one at the end.” And there’s the same nervous laughter. There is this human side that works in complete parallel to the whole mathematics of entropy and having more character types and longer passwords.

As we’ve progressed, we’ve started to recognize that arbitrary password composition criteria is not a very good thing to do, and we’re looking at whether we can have lists of banned passwords, like passwords from previous data breach corpuses. Are you using a password that is already out there floating around in data breaches? Maybe we will get to a time where this won’t be necessary because we will be truly passwordless. In the interim, I think that having a better understanding of what makes a bad password is important and educating users on this first and foremost.

Learn more

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Evolving beyond password complexity as an identity strategy appeared first on Microsoft Security Blog.

Natalia: How has identity evolved over the past 10 years?

Troy: There is so much identity-related data about other people accessible to everyone that the whole premise of having confidence in identity has fundamentally changed. A few years ago, I was invited to testify in Congress about how knowledge-based authentication has been impacted by data breaches. The example I gave was that my father called a telecommunications company to shift his broadband plan to another tier. He told them his name and they asked for his date of birth, as if that’s a secret.

The biggest shift is with this premise that identity can somehow be assured based on knowledge-based authentication like date of birth, mother’s maiden name, where you went to school, or, in the United States, Social Security number. That idea is fundamentally flawed and is a big area of identity that needs to change. There are so many services that have absolutely no reason to have your date of birth but do.

Natalia: What are the current gaps in identity solutions?

Troy: The traditional approach in the United States, where someone says, “Just give us your Social Security number and then we’ll know it’s you and it will be fine,” has always been inherently flawed, but it’s even more flawed now.

The bigger concern is what if other people try to prove my identity? I’m concerned about SIM swapping because there’s so much identity assurance that is done via SMS. The telecommunications companies will say, “You shouldn’t be doing that. You can’t be confident the person who owns the number is the right person.” And the banks will say, “This is kind of all we have.” I asked my telco, “Can we put a lock on my SIM so the only way someone can migrate my SIM is if they come into your office and prove identity with a passport or driver’s license?” That would eliminate a lot of the problems. They said, “We can’t do that because it would be anticompetitive. Government legislation says we need to make it easy for people to transfer their number to another provider so that people have freedom of choice. Otherwise, they’re locked into the provider.” And I responded with, “The outcome of that—depending on the platform I’m using—could be that someone gets into a really important account of mine.” Their response: I shouldn’t have been using SIMs as a means of identity verification.

Natalia: How can organizations mitigate identity risk?

Troy: For many organizations, there hasn’t been a lot of forethought around what happens when incidents impact identity. One example is breach preparedness. For many years, many organizations would do disaster recovery planning—the annual entire-site-has-gone-down exercise. I rarely see them drill into the impact of a data breach. Organizations rarely dry run what happens when information is leaked that may enable others to take on identities.

One organization that had a data breach and did exceptionally well with disclosure was Imgur. Within 24 hours, they had all the right messaging sent to everyone and cycled passwords. I asked the Chief Technical Officer, “How did you do this so quickly?” And he said, “We plan for it. We had literally written the procedures for how we would deal with an incident like this.” That preparedness is often what’s lacking in organizations today.

Natalia: What’s the biggest difference between enterprise and consumer identity technologies?

Troy: With internal, enterprise-facing identity, these individuals work for your organization and are probably on the payroll. You can make them do things that you can’t ask customers to do. Universal 2nd Factor (U2F) is a great example. You can ship U2F to everyone in your organization because you’re paying them. Plus, you can train internal staff and bring them up to speed with how to use these technologies. We have a lot more control in the internal organization.

Consumers are much harder. They are more likely to just jump ship if they don’t like something. Adoption rates of technologies, like multifactor authentication, are extremely low in consumer land because people don’t know what it is or the value proposition. We also see organizations reticent to push it. A few years ago, a client had a 1 percent adoption rate of two-factor authentication. I asked, “Why don’t you push it harder?” They said that every time they have more people using two-factor authentication, there are more people who get a new phone and don’t migrate their soft token or save the recovery codes. Then, they call them up and say, “I have my username or password but not my one-time password. Can you please let me in?” And they have to go through this big spiral—how do we do identity verification without the thing that we set up to do identity verification in the first place?

Natalia: What should you consider when building systems and policies for consumers to balance user experience and security?

Troy: One big question is: What is the impact of account takeover? For something like Dropbox, the impact of account takeover is massive because you put a lot of important stuff in your Dropbox. If it’s a forum community like catforum.com, the impact of account takeover is minimal.

I’d also think about demographics. Dropbox has enormously wide adoption. My parents use Dropbox and they’re not particularly tech-savvy. If we’re talking about Stack Overflow, we’ve got a very tech-savvy incumbent audience. We can push harder on asking people to do things differently from what they might be used to, which is usually just a username and a password.

Another question is: Is it worth spending money on a per individual basis? My partner, who’s Norwegian, can log on to her Norwegian bank using a physical token. The physical token is not just an upfront cost for every customer but there’s also a maintenance cost. You’re going to have to cycle them every now and then, and people lose them. And you need to support that. But it’s a bank so they can afford to make that investment.

Natalia: What’s your advice on securing identities across your employees, partners, and customers?

Troy: I recommend some form of strong authentication in which you have confidence that a username and a password alone are not treated as identity. That worries me, particularly given there’s so much credential stuffing, and there are billions of credential pairs in lists. There’s also the big question: How did we establish identity in the first place? Whether it be identity theft or impersonation or even sock puppet accounts, how confident do we need to be in the identity at the point of registration, and then subsequently at the point of reauthentication? That will drive discussions around what level of identity documentation we need. But again, we come back to the fact that we don’t have a consistent mechanism in the industry, or in even in one single geography, to offer high assurance of identity at the time of registration.

Natalia: Passwordless is a huge buzzword. A lot of people think of it as a solution to many of our identity problems. What’s your perspective?

Troy: I first started doing interviews a decade ago and people would ask, “When are we going to get rid of passwords? Are we still going to have passwords 10 years from now?” Well, we’ve got more passwords than ever, and I think in 10 years, we will have more passwords. Even as we get passwordless solutions, the other passwords don’t go away.

I have a modern iPhone, and it has Face ID. The value proposition of Face ID is that you don’t need a password. You are passwordless to authenticate your device. When the phone came, I took it out of the box and had to get on the network. What’s the network password? I’ve got no idea, so I go to 1Password and pull it out. So, there’s one password. Then, the phone asks: Would you like to restore from iCloud? What’s your iCloud password? We’re two passwords in now. Would you like to use Face ID? Yes, because I want to go passwordless. That’s cool but you’ve got to have a password as a fallback position. Now, we’re three passwords in to go passwordless. Passwordless doesn’t necessarily mean we kill passwords altogether but that we change the prevalence with which we use them.

Keep an eye out for the second part of the interview where Troy Hunt shares best practices on how to secure identities in today’s world.

Learn more

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post How far have we come? The evolution of securing identities appeared first on Microsoft Security Blog.