February 04, 2013

Red Cat, Green Chair, Blue Square: A Security Experiment

Over the weekend I ran a quickie little "security experiment" on my public Google+ feed. Since I purposely kept the underlying rationale opaque, a lot of folks have been asking what the blazes I was up to. So rather than contacting everyone individually (both who participated -- thanks! -- or who just saw the experiment zip by their streams) here's the scoop, such as it is.

We all realize -- or should -- that conventional passwords are rapidly entering the "end days" of their usefulness. A chain of major site password mass security breaches, not to mention the constant buzz of individuals who suffer password compromises through phishing and other attacks, obviously point to fundamental flaws in most existing password regimes.

But getting out from under password systems is a serious challenge. Site access control can be integrally linked with extremely difficult and complex foundational identity management issues, and these rapidly descend into a complex mess of technology intertwined with law enforcement and political machinations.

Some attempts at "solving" this situation could actually makes matters far worse. For example, I am extremely skeptical of a current US federal government identity project -- entangled with Homeland Security and intelligence agencies -- that I feel could be subject to serious abuse both by private parties and government itself.

But even as we work toward acceptable identity solutions (which must also protect pseudonymous and anonymous access paradigms in appropriate circumstances), we need some shorter term methods to improve on the current password status quo as well.

One of these is so-called multiple factor (e.g. two-factor) authentication systems, that use a password in conjunction with a changing numeric or other codes tied to particular user access devices and/or applications. These codes can have varying expiration rates, be generated and deployed via portable hardware, software programs, smartphone apps, telephone calls, paper printouts or other methods.

The basic idea is that unless you know the password and also the currently valid authentication code -- particularly on a device or via a connection that you haven't used previously -- you are forbidden system access. There are numerous variations on this theme, including purely hardware-based constantly changing password systems, though even these have not always proven invulnerable to external attacks. Still, they're better than a simple password in the vast majority of cases.

Google has long offered optional two-factor authentication for most of their user accounts. More firms have been making this option available as well.

I've successfully introduced quite a few people to various optional two-factor authentication systems. I have been less successful at getting them to stay with such systems, however.

As the number of user devices and online apps increases, and the authentication code expiration times shorten, the hassle factor involved with re-authentication begins to notably climb, often to a level where many users simply don't want to deal with it any more, and disable it if possible -- returning to simple and vulnerable password access control.

It would be great if we could solve our fundamental access and identity issues related to the Internet. And we'd all be safer for now if everyone was using multiple-factor authentication.

But I was curious to see if any sort of middle ground might also exist between conventional passwords and typical multiple-factor access.

While most multiple-factor systems use some sort of "external" mechanism to generate password code sequences, there is another way to generate a sort of additional factor as well.

When you think about it, an advantage that the legitimate user of an access account has over a remote attacker is that in the vast majority of cases the legit user has previously been logged into the account, and the attacker has not.

So is there a way to leverage this fact to provide a bit more than standard password security?

Yes, and some of these are already in use. Typical "security questions" sometimes pushed at users may arguably fall into this category. First pet's name. Grandmother's name. First school. Or create your own question ...

This technique has value, but creates problems as well. Most people feel compelled to answer these questions honestly (or else, they perhaps reason, they'll forget the falsified answers), and there have been many cases where typical questions have been compromised across systems and in conjunction with other information sources.

Ideally, you want any additional "security question data" to be system generated, memorable to users, and unique from system to system, so that the compromise of a password (given the unfortunately common practice of people using the same password on multiple systems) may still be limited in terms of resulting effective authentication exposure.

And this finally gets us to my simple little weekend experiment.

On my Google+ stream, I first sent out -- without explanation other than labeling them as security images 1, 2, and 3 -- a simple graphic of a green chair, a red cat, and a blue square. I disabled comments on these postings to discourage public speculation.

A bit later in the day, I send out three screenshots of my Google+ home page, each with one of these small images superimposed in an otherwise empty area of the page, and now textually labeled beneath each graphic: GREEN CHAIR, RED CAT, BLUE SQUARE. Again, comments were disabled.

I refused to substantively respond to questions regarding what this was all about.

The next day -- yesterday -- I sent out a note asking anyone who had seen those images to please privately let me know what they remembered of those color/object pairs, and I asked for their honestly in not looking back on the stream.

I've gotten a pile of responses back and they're still been coming in. They've provided some really fascinating insight into what people remembered, what they've confused, and how these test images and labels interact in viewers' minds.

This was purposely made difficult. Not only did I send out multiple test pairs without any genuine explanation, I never even suggested that there was any reason to bother remembering them at all.

By now you've probably figured out the underlying purpose of this experiment.

I was curious as to how memorable these sorts of labeled images would be under obscure circumstances, toward analysis of their possible usefulness as a routine additional login access security factor.

For example, if a system (when you're logged in) routinely displayed a small labeled image of a red cat, and if when trying to login from an unfamiliar location you were asked to input your security image ("red cat") in addition to providing your password, would you remember the image? Could something like this be used as a default mechanism to provide some stopgap security beyond passwords for persons unwilling or unable to use true multiple-factor authentication?

It's clear that a single simple image can be quite memorable, but would users tend to ignore (and forget) them if they're routinely shown, and would confusion result between different images shown to users on different systems? How much additional security would such a system provide from external password attacks or compromises, particularly in shared password situations?

I can't answer these questions yet. Looking more deeply at these issues was why I conducted this experiment. But the results so far certainly look interesting to say the least.

So that's the story. Thanks again to everyone who participated or simply put up with the strangeness that passed through my Google+ stream over the weekend.

And remember -- the green chairs, the blue squares, and especially the red cats are on our side in the security battles!

Take care, all.

--Lauren--

Posted by Lauren at February 4, 2013 10:22 AM | Permalink
Twitter: @laurenweinstein
Google+: Lauren Weinstein