New Study Shows Consumers Desire a World Beyond Passwords and Biometrics

With the current password-based user authentication paradigm so loathed and cumbersome, a new study surveyed 1,000 consumers in the United States to better understand their perceptions of convenience, security and privacy around authentication.

Of those surveyed, nearly three-quarters of respondents said it was “difficult” to keep track of their passwords and 82 percent never again wanted to use passwords.

Other authentication methods, such as facial recognition, also have challenges, according to the survey. For instance, half of Millennials and over two-thirds of both Gen X and Baby Boomers are reluctant to use facial scans because of privacy concerns. However, over 60 percent of those surveyed would use implicit authentication for personal identification given its perceived convenience. Biometrics such as faces and fingerprints also carry a structural risk: they can be captured (a fingerprint left on a glass, a face in a photograph) and are extremely hard to change once compromised.

Users of iPhones are much more inclined to use biometrics, with 74 percent of those respondents using biometrics to unlock their smartphones. On the other hand, only 55 percent of Android users surveyed use biometrics to unlock their smartphones.

Surprisingly, almost half of all respondents use a handwritten piece of paper to keep track of all their passwords, with one-third of all respondents never changing their passwords unless prompted to.

Other interesting facts include:

  • Nearly half (46 percent) of all respondents use the same password for all of their logins
  • 60 percent of all respondents believe it is the app maker’s responsibility to keep their information safe on their smartphone
  • Just over one-third (34 percent) of all respondents’ accounts had, in the past, been hacked or had their passwords stolen
  • Almost 83 percent of Generation Z use biometric authentication to unlock their smartphone, whereas only 53 percent of Baby Boomers use biometrics
  • Over 91 percent of Generation Z stay logged into their social media accounts, citing convenience as the reason

Credential Stuffing; How PRC almost hacked my Steam

Recently we’ve witnessed some pretty big password leaks. First 6.4 million unsalted password hashes leaked from LinkedIn, then 500 million accounts from Yahoo, a figure Yahoo revised today to 1 billion. This is truly scary even if you haven’t been using your Yahoo account. To see why, let us go back a couple of months, to when I almost fell victim to a credential stuffing attack from China.

First of all, “credential stuffing” is the attack that exploits password reuse. All it takes is somebody with fairly modest computer security knowledge who looks up the password dumps from Yahoo or LinkedIn (widely available) and then tries the exact same username and password pairs on as many different sites as possible, until there is a match. In my case, I logged into my Steam account and saw something like this:

Screenshot: Steam, how it looks when you have been hacked

Unfortunately, Steam does not specify whether this is a credential stuffing attempt, but it was only a week after the big LinkedIn leak. I may also have been reusing the same password for LinkedIn and Steam, so all the pieces fit. Steam was very helpful in telling me the following:

  1. Somebody had tried to access my account from PRC.
  2. He had both my username and password.
  3. His attempt was blocked since I’ve never accessed Steam from PRC.
  4. I needed to change my password to regain access to my account.

At that time I deeply appreciated all those otherwise annoying security features. Facebook asking me to identify my friends, Google sending me text messages and now Steam using geolocation to see where my impersonator lives. I quickly updated my password on Steam and 5-6 other websites.

My new password was the same as the old one, with the last letter changed from a ‘d’ to an ‘e’, meaning this was the 5th time I had updated my Steam password for one reason or another. The rest of the password was pretty good in terms of entropy: caps, lowercase letters, numbers and symbols, randomly generated as well as pronounceable, using pwgen, a great CLI tool for generating strong, memorable passwords.

Screenshot: pwgen producing secure, memorable passwords

But this is not great overall. Attackers know how hard passwords are to remember, and they know that users respond by appending predictable components to an existing password, such as an increasing counter, so a rule that tries the leaked password with its last character bumped costs them almost nothing. I’ve read posts about people using the same password everywhere and simply prefixing it with the site name: if your main password is “d3adb33f”, then for Amazon it becomes “amazon_d3adb33f”, for Chase “chase_d3adb33f”, or something along those lines.

I believe I have a good understanding of the security concepts behind passwords, and I think I’m doing better in terms of passwords than 99% of the people out there, since my password is not “password” or “123456”. On the other hand, here I found myself coming up with predictable password patterns. Then it came to me, the bigger issue exposed by credential stuffing attacks and password reuse:

Either we all do passwords right, or nobody does.

Either nobody gets hacked, or we may as well all be, as long as users can’t help but use the same passwords and predictable patterns over and over again.

So what does it mean for everyone to do passwords right? If you want to be really safe, you’ve got to be a bit paranoid and lean completely on the side of security versus convenience.

  1. A password should be completely unpredictable (should not include pet names, date of birth, middle names, children names, childhood heroes, favorite books, in fact, no English words at all).
  2. A password should have capital letters, lowercase letters, numbers and symbols, and be at least 16 characters long. (Note that 16 characters drawn uniformly from the 95 printable ASCII characters give roughly 105 bits of entropy; a 128-bit target needs about 20.)
  3. A different such password for each website, with no logical correlation between them, changed every 3 months or, better, as soon as a breach or a suspicious login like the one above gives you reason to. (Current guidance such as NIST SP 800-63B drops mandatory periodic rotation in favour of changing on evidence of compromise.)
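Two of these rules can be checked mechanically. The following is an added example, not code from the original post: it computes how many bits a uniformly random password of a given length carries (rule 2), and tests whether a “new” password is merely a predictable edit of an old or leaked one, the last-character bump and the site-name prefix described above (rule 3). CHARSET, the mutation rules and the site list are this example’s own assumptions; real cracking rule sets are far larger.

```python
"""Added example for the password rules above (not code from the original
post). Two checks on constructed sample data:

  * entropy_bits / length_for_bits: bits carried by a uniformly random
    password, to test the "16 characters for 128 bits" rule.
  * is_trivial_mutation: whether a "new" password is just a predictable
    edit of an old or leaked one (last character bumped, counter appended,
    site name prefixed), the pattern the post describes.

CHARSET, the mutation rules and the site list are this example's own
assumptions; real cracking rule sets are far larger.
"""
import math
import secrets
import string
from typing import Iterable, Set

# The 95 printable ASCII characters: upper, lower, digits, punctuation.
CHARSET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(length: int, alphabet_size: int = len(CHARSET)) -> float:
    """Entropy of a password drawn uniformly from an alphabet of that size."""
    return length * math.log2(alphabet_size)


def length_for_bits(target_bits: float, alphabet_size: int = len(CHARSET)) -> int:
    """Smallest length whose uniform-random entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate_password(length: int) -> str:
    """Uniform random password from the OS CSPRNG (secrets, never random)."""
    return "".join(secrets.choice(CHARSET) for _ in range(length))


def mutations(base: str, sites: Iterable[str] = ("amazon", "chase", "steam")) -> Set[str]:
    """Predictable edits an attacker tries on a leaked password."""
    out: Set[str] = set()
    if not base:
        return out
    body, last = base[:-1], base[-1]
    # Last character bumped to a neighbour (d -> e, 3 -> 4, e -> d, ...).
    if last.isalnum():
        for delta in (-1, 1):
            out.add(body + chr(ord(last) + delta))
    # A trailing counter appended, or an existing trailing digit replaced.
    for n in range(10):
        out.add(base + str(n))
        if last.isdigit():
            out.add(body + str(n))
    # Site name prefixed or suffixed with the usual separators.
    for site in sites:
        for sep in ("", "_", "-", "."):
            for name in (site, site.capitalize()):
                out.add(f"{name}{sep}{base}")
                out.add(f"{base}{sep}{name}")
    out.discard(base)
    return out


def is_trivial_mutation(new: str, known: Iterable[str]) -> bool:
    """True if `new` equals a known password or one of its predictable edits."""
    return any(new == k or new in mutations(k) for k in known)


if __name__ == "__main__":
    print(f"16 chars: {entropy_bits(16):.1f} bits; 128 bits needs {length_for_bits(128)}")
    print(is_trivial_mutation("Tahj3ohm#e", ["Tahj3ohm#d"]))   # the d -> e change
    print(is_trivial_mutation("amazon_d3adb33f", ["d3adb33f"]))
    print(generate_password(length_for_bits(128)))
```

A site could run `is_trivial_mutation` against the user’s previous password hashes at change time (comparing candidate mutations against the stored hash rather than keeping plaintext), which is exactly the check that would have rejected the ‘d’ to ‘e’ change above.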

It is indeed impossible to be truly secure using passwords. How about password managers, then, letting them handle the complexity of passwords? Not a bad idea on first thought: just tie all passwords to the user’s machine. But then you get this:

Image: The problem with password managers, you’re not your laptop

Password managers basically escalate the problem of cyber security to a problem of physical security of your devices. If I can get my hands on an open laptop with the vault unlocked, I can access pretty much any website, as long as cookies are enabled or a password manager has filled in the login. Auto-lock timeouts shrink that window but do not close it. And that’s pretty terrible.

In the end, there is no solution that takes care of every aspect of identity security today. It’s either what you know (a password) or what you have (a device), and now we’re finally moving into the age of what you are.

Photo: TechCrunch Disrupt 2016, we won runner-up in Disrupt Battlefield.

At UnifyID, we think of the human as the central point of identity management. Think about every bit of information that makes you, You. How long is your stride, do you walk fast or slow, how long are your arms, which floor is your home on, how fast do you drive to work? All of this is information that we feed into our machine learning system as input. The output is binary: either it is you, or it isn’t. Since we only require one bit of information at the time of authentication, we can log you in with one click.

Screenshot: One-click secure login with UnifyID

Our system works with existing password infrastructures. We generate a large, random password for every website you are logged in to, and secure it with You as the key. In fact, we don’t even need to know that password. Part of it stays with you and part of it lives on our servers. This way, even if your devices get stolen, even if we get hacked, you’re safe. There’s no single point of failure in the UnifyID system.
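The post does not describe how the password is split, so the following is an added illustration rather than UnifyID’s code: the simplest construction with the property claimed above, a 2-of-2 XOR split in which one share stays on the device, the other on a server that releases it only after authentication, and neither share alone reveals anything. The `Vault` class, the share names and the `authenticated` flag are this example’s assumptions.

```python
"""Added illustration, not UnifyID's code: the post does not describe its
scheme, so this shows the simplest construction with the property it claims
(a device share and a server share, neither useful alone) using a 2-of-2 XOR
split. The Vault class, the share names and the `authenticated` flag are
this example's assumptions.
"""
import secrets
from typing import Dict, Tuple


def split_secret(secret: bytes) -> Tuple[bytes, bytes]:
    """Return (device_share, server_share).

    The device share is uniformly random and the server share is
    secret XOR device_share, so each share on its own is uniformly random
    and carries no information about the secret: a stolen server database
    or a stolen device yields nothing without the other half.
    """
    device_share = secrets.token_bytes(len(secret))
    server_share = bytes(s ^ d for s, d in zip(secret, device_share))
    return device_share, server_share


def combine(share_a: bytes, share_b: bytes) -> bytes:
    """Recover the secret from both shares."""
    if len(share_a) != len(share_b):
        raise ValueError("shares must be the same length")
    return bytes(a ^ b for a, b in zip(share_a, share_b))


class Vault:
    """Toy model: the device keeps one share, the 'server' the other, and
    the server hands out its share only once the user is authenticated."""

    def __init__(self) -> None:
        self.device: Dict[str, bytes] = {}
        self.server: Dict[str, bytes] = {}

    def enroll(self, site: str, length: int = 32) -> None:
        # A fresh random password per site; it exists in one piece only
        # transiently, here and at login time.
        password = secrets.token_urlsafe(length).encode()
        self.device[site], self.server[site] = split_secret(password)

    def login(self, site: str, authenticated: bool) -> bytes:
        if not authenticated:
            raise PermissionError("server share is released only after authentication")
        if site not in self.device:
            # Availability caveat of a 2-of-2 split: a lost device share
            # loses the password, so a real system needs a recovery path.
            raise KeyError("device share missing; recovery path required")
        return combine(self.device[site], self.server[site])

    def lose_device(self) -> None:
        self.device.clear()


if __name__ == "__main__":
    vault = Vault()
    vault.enroll("steam")
    print(vault.login("steam", authenticated=True))
```

Two caveats follow directly from the code: a 2-of-2 split protects confidentiality but not availability (losing either share loses the password, hence the need for a recovery path), and the server still releases its share whenever it decides the user is authenticated, so the overall strength reduces to the quality of that authentication decision.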

In addition, UnifyID works across devices. Your computer knows about your phone, and they share the same credentials. Remember that time you left your laptop unattended for five minutes and your Facebook wall filled up with questionable posts? Not anymore. We can detect when you stand up and walk away, and we can do that for every website: banks, e-shops, federal websites. Take your identity with you when you leave the room.

Here at UnifyID we take your security seriously. Passwords are an inconvenience and they will soon go the way of the floppy drive. Machine learning and implicit authentication can help you, and we know exactly how. Sign up for our private beta!

Introducing UnifyID

After a year and a half of intense heads down work, we are very happy and proud to finally present UnifyID to the world.

Our goal at UnifyID is to solve one of the oldest and most fundamental problems in organized society: How do I know you are who you say you are?

The Status Quo

The traditional (digital) approach to authentication is to use a password. But when you think about it, the whole notion of passwords is pretty absurd. A password is this: I have a secret, and I tell you that secret, and that’s how you know it’s me. The problem is, I’m not very good at coming up with secrets and since I can’t keep track of very many secrets, I keep using the same ones over and over again. It’s frustratingly easy to get phished and tricked into sharing my secret, and don’t even get me started on using public records like my mother’s maiden name as a shared “secret” to authenticate someone!

In the interim, some people say to use a “password manager” to help keep track of all your passwords. Password managers are a band-aid solution. Password managers help you manage your ever growing list of passwords and accounts. They don’t solve this fundamental problem that someone can impersonate you by just knowing a secret. And they are a great honeypot so when your master password is keylogged, leaked, phished, or stolen, instead of just giving up one secret, you just gave up all your secrets.

Another approach is to use biometrics, like your fingerprint, to identify you. Fingerprints are convenient except for the fact that 1) you leave them everywhere you go, and 2) they are very, very difficult to change when they are compromised. Other biometrics are intrusive, annoying, and flaky, and often don’t add much security at all.

A third approach is to use a device to authenticate yourself. This technology has been around for a long time but has never taken off in a mainstream way, despite massive user education campaigns and huge, well-funded industry pushes. The main reason is it adds so much friction to the user experience. You now have something extra you need to carry around. You need to read off a code and type it in before a timer expires. If you forget your device, you are locked out.

Realizing people don’t want to carry extra things around, more recently vendors have moved to “soft tokens”, which are apps on your phone that provide similar functionality and trade off security for the convenience of not having to carry around an extra physical token. Or, services will send you a text message with a code you need to type in, which is not only annoying, but also doesn’t add much security.

The common thread among all of these approaches is that 1) they are annoying, and 2) they don’t add much security. These are the two problems we are solving at UnifyID.


The Genesis

A few years back, Kurt and I worked on a demo where we captured encrypted packet traces, and by simply looking at the timing between the packets, we could determine the timing of a user’s keystrokes, and ultimately, what the user had typed. People were impressed by the demo but ultimately the interesting and challenging part was the fact that each individual had his or her own unique way of typing. In fact, after we saw you type around four sentences of text, we could uniquely identify you.

We began to look at other aspects we could passively detect that were a) unique per individual and b) did not require any conscious action on the part of the user. We looked at the various sensor data you could get from phones, computers, and wearables. We used signal processing and machine learning to stitch together the various noisy signals from multiple devices. It took a lot of work, but what we discovered was both shocking and heartening: It turns out people are both very predictable and very unique in their behaviors, actions, and environments. In essence, there is only one you in the world, and it was possible to authenticate you based on the sensors already around you. UnifyID was born.
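The keystroke-timing demo above rests on a simple observation: an interactive session such as SSH sends one packet per keystroke, so inter-arrival times survive encryption and carry the typist’s rhythm. The following is an added example, not the demo described in the post: it recovers inter-keystroke latencies from packet timestamps and matches them against per-user typing profiles to identify the typist (it assumes the typed text is known, which is the easier half of the problem; recovering the text itself needs a statistical model over digraph latencies). The two profiles, the trace and the profile format (mean latency per digraph, in milliseconds) are all constructed for this example.

```python
"""Added example (not the demo described in the post): recover
inter-keystroke latencies from packet arrival times and match them against
per-user typing profiles. An interactive session such as SSH sends one
packet per keystroke, so the gaps survive encryption. Everything here is
constructed: the two profiles, the trace, and the profile format (mean
latency per digraph, in milliseconds) are this example's assumptions.
"""
from statistics import mean
from typing import Dict, List, Sequence, Tuple

# Constructed profiles: mean latency (ms) between the two keys of a digraph.
# In practice these are learned from many samples of each user's typing.
PROFILES: Dict[str, Dict[str, float]] = {
    "alice": {"th": 95, "he": 110, "er": 130, "re": 120, "in": 100},
    "bob":   {"th": 160, "he": 140, "er": 90,  "re": 180, "in": 150},
}

# Constructed packet trace (seconds) of someone typing "there" over SSH.
SAMPLE_TEXT = "there"
SAMPLE_TIMESTAMPS = [0.000, 0.158, 0.301, 0.395, 0.571]


def packet_gaps(timestamps: Sequence[float]) -> List[int]:
    """Inter-arrival times in whole milliseconds between consecutive packets."""
    return [round((b - a) * 1000) for a, b in zip(timestamps, timestamps[1:])]


def digraph_latencies(text: str, gaps: Sequence[int]) -> List[Tuple[str, int]]:
    """Attach each gap to the pair of characters it separates."""
    if len(gaps) != len(text) - 1:
        raise ValueError("need exactly one gap per consecutive character pair")
    return [(text[i:i + 2], gaps[i]) for i in range(len(gaps))]


def distance(profile: Dict[str, float], observed: Sequence[Tuple[str, int]]) -> float:
    """Mean absolute deviation from the profile over the digraphs it knows."""
    diffs = [abs(profile[d] - lat) for d, lat in observed if d in profile]
    return mean(diffs) if diffs else float("inf")


def identify(text: str, timestamps: Sequence[float],
             profiles: Dict[str, Dict[str, float]] = PROFILES) -> Tuple[str, Dict[str, float]]:
    """Return the closest profile and every profile's score (lower is closer)."""
    observed = digraph_latencies(text, packet_gaps(timestamps))
    scores = {user: distance(p, observed) for user, p in profiles.items()}
    return min(scores, key=scores.get), scores


if __name__ == "__main__":
    who, scores = identify(SAMPLE_TEXT, SAMPLE_TIMESTAMPS)
    print(who, scores)
```

The same leak is why modern SSH clients pad and batch interactive traffic: OpenSSH 9.5 added keystroke timing obfuscation (`ObscureKeystrokeTiming`) to the client precisely to blunt this kind of inference.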

The Future is Implicit

This technology is called implicit authentication. The basic idea is to be yourself, and there is enough that is unique about you that it is possible to authenticate you implicitly; that is, without you having to make any explicit action.

Implicit authentication is not new. In fact, this is how authentication has worked since prehistoric times. People used how you looked, how you moved, how you talked, your possessions, the context in which they encountered you, and how you acted to figure out who you were. Our brains are trained to identify people based on these characteristics and to pick up on subtle clues when something is off. Much like what human beings can do naturally, we discovered it is possible to train a machine learning system to do the same.

The result is truly magical. It makes security much more seamless and natural. You can be yourself, and the devices and services you interact with will naturally recognize you based on your unique characteristics. No passwords to remember, no codes to read off your phone. You are not tied to one device, or have something extra to carry around. The future is implicit.

The applications of this technology are endless, but one key area is in authenticating transactions and preventing account takeover. With our implicit authentication system, we can identify the human behind the device and give a confidence level that they are who they say they are. UnifyID also does continuous authentication, which means we can detect when changes happen and automatically challenge or log out the user.

Balancing Security and User Experience

There has always been a balance between security and user experience. For too long, security solutions have sacrificed user experience in the name of security. But you can’t look at security and user experience independently. Any security solution that does not take into account the user experience will not be successful in the real world. If you make security policies too annoying or add too much friction, people will either find ways around your security policies, or will just be miserable and unproductive.

UnifyID was designed with the user experience in mind. In fact, UnifyID is truly a subtraction from the user experience. Usernames? Passwords? Security questions? Passcodes? When enough signals match, these are completely eliminated from the user experience. In the cases where they don’t match, we issue you a challenge to prove your identity. But even the challenges are designed with the user experience in mind. You can use challenge factors like fingerprints and facial recognition, among others in active development. And the more you use the system, the more the machine learning algorithms adapt to your unique behaviors and environment. UnifyID is not only more convenient, it is also more secure.

UnifyID utilizes combinations of deep neural networks, decision trees, Bayesian networks, signal processing, and semi-supervised and unsupervised machine learning. Our system is able to discover what makes each individual unique and finds correlations between multiple factors that greatly boost the accuracy. “Machine learning” is not just a buzzword for us. We have a great team of machine learning and security experts from MIT, Stanford, Berkeley, and CMU, and are working with world-class advisors in both academia and industry. I’m very proud of the team we have built so far. (And if you want to work on the next revolution in authentication and have fun doing it, we are hiring!)

Nikhil

One example of an implicit factor we use is how you walk. It turns out that an individual’s gait is quite particular to them, and has a number of influences including unique physiology, length of femur, muscle memory, the culture you grew up in, and more. In fact, we can identify you with only four seconds of your walking data from your phone sitting in your pocket. And that is just one of over a hundred different attributes we use to authenticate you.

Experience the Future of Authentication

At UnifyID, we believe it is time for authentication to be about you. Humans have always been considered to be the “weak link” in security. At UnifyID, we turn that around and use what is unique about each individual to enhance security. The best way to authenticate yourself is to be yourself.

UnifyID is the first holistic implicit authentication platform available on the market. We are excited to announce a limited private beta for individuals to test ride the future of authentication in their Chrome browsers and iPhones today.

Embrace your uniqueness. After all, there is no one in the world more you than you.