Bad Security Messaging: No end in sight for the trusty password

U2F and bad security messaging

Bad messaging sets high expectations and then fails to deliver on the commitment it made. Many commentators take their lead from headlines and click-bait that send out the worst kind of message: the password has entered its terminal phase. They claim that Universal 2nd Factor (U2F) technology will replace those pesky passwords and improve security. They are right about the second half and wrong about the first. The whole point of multi-factor authentication is to add extra layers of protection around digital assets, and the password remains an indispensable piece of the complete solution. U2F is designed as exactly what its name says: a second factor that the service checks in addition to the password, not instead of it. The premise that U2F is a password replacement is wrong; U2F is an additional safeguard that raises overall security. That is why these claims are so spurious and misleading.

A bit of background material

The FIDO (Fast IDentity Online) Alliance's U2F initiative could finally be the definitive technology that protects your online identity. The three-year-old initiative is backed by industry heavyweights such as Microsoft and Google and is supported by the leading financial service providers MasterCard, Visa and PayPal. Even legacy security vendor RSA is a solid supporter, despite generating much of its revenue from proprietary tokens and having the most to lose from interlopers in its traditional multi-factor authentication space. FIDO's U2F is a disruptor in the same class as Airbnb and Uber.

What is it?

Universal 2nd Factor (U2F) is an open authentication standard designed for interoperability between systems and applications. Unlike proprietary token schemes, U2F is built on openly published protocols. In practical terms, this means that one token will work with any authentication system that implements the protocol: at registration the token generates a separate public/private key pair for each service and hands over only the public key, and at login it signs a challenge that the browser has bound to the origin of the site it is actually talking to. That binding is also what makes a U2F token resistant to phishing, where a one-time code typed into a look-alike page is not.

Why is it important?

It is all about empowering the user and ensuring interoperability. Other multi-factor authentication solutions exist but are tied to a single issuer: bank-issued tokens or phone apps work only with the bank's authentication systems, and employer-issued tokens are locked to the organisation that supplied them. Worse, the consumer has no say in the matter. Because U2F is an open protocol, it could change information security for the better: the user decides where and when an additional layer of security is employed. Service providers can decide whether they are willing to accept the financial loss of relying on a password alone, or offer incentives to encourage widespread adoption. For secure environments, the solution offers lower-cost protection than the leading vendors' proprietary products.
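To make the interoperability claim concrete, here is a simplified model of the U2F registration and authentication exchange, written as an added example for this page (it is not code from the original post or from the FIDO Alliance). One token registers a separate key pair with two independent services, each service verifies assertions only against its own appID and the last counter it accepted, and a phishing origin that relays the bank's challenge gets nothing signed because the browser, not the page, names the origin. The Token and Service types, the appIDs and the challenge strings are assumptions for the demo; real U2F key handles and the attestation certificate returned at registration are left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Token models one U2F authenticator: a separate key pair for every service it is
// registered with (keyed by appID; real key handles are simplified away) and one
// monotonically increasing counter. The user-presence button press is assumed to succeed.
type Token struct {
	keys    map[string]*ecdsa.PrivateKey
	counter uint32
}

// Assertion is the token's signed answer to a challenge (ASN.1 DER ECDSA signature).
type Assertion struct{ Counter uint32; Signature []byte }

// Service is one relying party holding a single user's enrolled public key and
// the last counter it accepted. Assumed type for this demo.
type Service struct{ AppID string; Pub *ecdsa.PublicKey; lastCtr uint32 }

// Register creates a fresh key pair bound to appID and returns the public key
// the service stores; the private key never leaves the token.
func (t *Token) Register(appID string) *ecdsa.PublicKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // no usable entropy; nothing sensible to do in a demo
	}
	t.keys[appID] = priv
	return &priv.PublicKey
}

// authMessage lays out the bytes a U2F token signs on authentication:
// SHA-256(appID) || user-presence byte || 4-byte big-endian counter || SHA-256(clientData).
func authMessage(appID string, counter uint32, clientData []byte) []byte {
	appParam := sha256.Sum256([]byte(appID))
	chalParam := sha256.Sum256(clientData)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	msg := append([]byte{}, appParam[:]...)
	msg = append(msg, 1) // user presence confirmed
	msg = append(msg, ctr[:]...)
	return append(msg, chalParam[:]...)
}

// Authenticate signs a challenge. The browser derives appID from the origin it
// is really talking to, so a phishing origin finds no key and is refused.
func (t *Token) Authenticate(appID string, clientData []byte) (*Assertion, error) {
	priv, ok := t.keys[appID]
	if !ok {
		return nil, fmt.Errorf("token is not registered with %s", appID)
	}
	t.counter++
	digest := sha256.Sum256(authMessage(appID, t.counter, clientData))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	return &Assertion{Counter: t.counter, Signature: sig}, nil
}

// Verify accepts an assertion only if the enrolled key signed s.AppID plus this
// exact client data and the counter moved forward (rejects replays and cloned tokens).
func (s *Service) Verify(clientData []byte, a *Assertion) bool {
	if s.Pub == nil || a == nil || a.Counter <= s.lastCtr {
		return false
	}
	digest := sha256.Sum256(authMessage(s.AppID, a.Counter, clientData))
	if !ecdsa.VerifyASN1(s.Pub, digest[:], a.Signature) {
		return false
	}
	s.lastCtr = a.Counter
	return true
}

// Demo runs one token against two services, replays an assertion, and relays the
// bank's challenge through a phishing origin. AppIDs and client data are constructed
// for this example; real client data is JSON carrying the challenge and origin.
func Demo() (bankOK, mailOK, replayOK bool, phishErr error) {
	tok := &Token{keys: map[string]*ecdsa.PrivateKey{}}
	bank := &Service{AppID: "https://bank.example"}
	mail := &Service{AppID: "https://mail.example"}
	bank.Pub = tok.Register(bank.AppID)
	mail.Pub = tok.Register(mail.AppID)
	bankChal := []byte(`{"challenge":"n0nc3-1","origin":"https://bank.example"}`)
	a1, _ := tok.Authenticate(bank.AppID, bankChal)
	bankOK = bank.Verify(bankChal, a1)
	replayOK = bank.Verify(bankChal, a1) // same assertion again: counter did not advance
	mailChal := []byte(`{"challenge":"n0nc3-2","origin":"https://mail.example"}`)
	a2, _ := tok.Authenticate(mail.AppID, mailChal)
	mailOK = mail.Verify(mailChal, a2)
	// evil.example relays the bank's challenge, but the browser names the real origin.
	_, phishErr = tok.Authenticate("https://evil.example", bankChal)
	return
}
```

The two things worth noticing are that the bank and the mail service never share key material (the token keeps a distinct private key per appID, so one service learning another's public key gains nothing) and that the token, not the server, enforces the origin: a relayed challenge is useless to a phishing site because the signature would have to cover an appID the token was never registered for. The password still has to be checked by each service before any of this happens, which is the point the article is making.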

So what’s wrong with the messaging?

The argument being advanced is that passwords are obsolete. A recent email I received boldly stated that you could "say goodbye to passwords" at the RSA security conference being held in April 2015. Let's be blunt: this messaging is dumb. Layered security is critical in defending your digital assets, and any move away from adding authentication steps to the sign-on process is short-sighted. This kind of inane click-bait messaging garners visitors but perpetuates security myths that confuse consumers. No single solution to securing your online identity is completely effective. Biometrics are potentially the best solution but are notoriously unreliable in the consumer market: the fingerprint reader makes a comeback every few years, then disappears back into the wilderness when users discover that grease and dirt render it ineffective. Once frustration sets in, consumers usually give up and disable the system!

Multiple layers of authentication are the only way forward for better online security

The sooner low-information marketing professionals get out of the messaging mix, the better. Broad messaging that misleads damages overall security and diminishes the value of the message and its sponsors. There is no silver security bullet, and it is unlikely there ever will be. The reason is simple: when your neighbour covets your digital assets, no amount of security safeguards will stop him from trying to gain access to them. The same rule applies to defence and crime. Human nature often appears benign but is one of the most intractable forces in the universe. Until we can change that, be prepared for a permanent state of warfare in the security landscape. The prizes are incomparable in value when judged against other targets.