A friend was asking me about multi-factor authentication apps or just authentication apps. So, he, unfortunately, got an earful.
We are not doing well with regard to authentication. We never really have. Oh yes, I know all the theory. I have taught it for decades. Authentication is based on something you have, or something you know, or something you are. But actually implementing that seems to be really, really difficult. And it's getting much *more* important, rather than less, that we have reliable and usable authentication.
First of all we went with something you know. Passwords. And, of course, everybody chose really stupid passwords. 1 2 3 4 5 6. I actually got a letter, just this past week, setting up a session, and using that exact password. When I got into this field, apparently you could get into 75% of all computer systems using the passwords love, or sex, or secret. Then there was everybody who used their birthday, or their pet's name. So, for years we have been trying to convince people first to pick reasonably strong passwords, and then, eventually, trying to move away from passwords all together and to some other kind of authentication.
Lots of companies have tried to sell something that you have as a form of authentication. I have carried various one-time password devices. Yes, I suppose it uses a password, but it might do a challenge and response type hashing of the password, or a password generation based on the time, or some other means of verifying a non-replayable password, and one that the person can't choose, themselves, in order to avoid all the problems with stupid password choice. Then there were the various USB keys that you could stick into your computer and use as authentication. Once again, something that you had. But, of course, everybody had to agree on which of these systems would be used universally. And, of course, no vendor would agree to use somebody else's system. Which is probably a good thing, because that would have meant that we had a monoculture in terms of authentication, and therefore a single point of failure in terms of authentication for absolutely everything.
What people seem to be using these days, in terms of multi-factor authentication, is a secondary backup which, once again, involves something you have. But, in this case, the something that you have is slightly more reasonable, in that it's a cell phone. Everybody has a cell phone these days. Everybody has a cell phone, and, indeed, an awful lot of people are getting rid of their landlines. So, if everybody has a cell phone, then everybody has a cell phone number, and, as a backup to the password, and an implementation of multi-factor authentication, the system can send you a text with a PIN or code that you have to enter in order to verify that it is, in fact, you that knows your password, and just entered your password in authenticating to the system.
Which I find annoying. Yes, I have a cell phone. But I also still have a landline. I'm a dinosaur, and keep technology around far too long, remember? And I am not the type of person who walks around with my cell phone actually glued to my hand. I occasionally turn my cell phones off. As a matter of fact, when I am home, mostly they are off. So, when I'm sitting at my desktop computer, and trying to sign on to something, it's a royal pain to have to go, get my cell phone, turn it on, and only then be able to do the secondary verification that, yes, it is me trying to sign on to my account. For which I have long and complicated passwords, thank you very much.
Now I'm really not sure why, but an awful lot of companies have decided to get into the market, selling authentication, but relying on the fact that you have a cell phone. Yes, I suppose that there is SIM swapping. And, if some scammer knows your cell phone number, they can go and get a cell phone, and then, yes, when somebody sends you a text with some kind of pin in it, they can get that message as well as, or possibly instead of, you. So, yes, I suppose that there is a vague point about authentication apps, on your phone, being somewhat more secure than simply texting a PIN. But, other than that, in terms of the convenience of multi-factor authentication, using these authentication apps, I have the same objection. Why should I have to keep my cell phone on, and with me, all the time?
(Yes, yes, I am well aware that convenience is the enemy of security. I have been teaching that for decades as well.)
I actually only use one authentication app. It is the BC Services Card. Now, when I talk about the BC Services Card, I have to explain that the BC Services Card is not, in fact, a card. It is an authentication app. It runs on your phone. It is actually a quite well-designed, and very usable, system. It had better be. I well remember sitting in on a presentation when they implemented the very first part of what eventually became known as the BC Services Card. At that point it was just the public key infrastructure for what would, eventually, in the fullness of time, become the BC Services Card. So, the BC government (and primarily Gary) have had thirty years to work on the background structure, and how it will work, and how it will work with other systems, and how other people will be able to use the BC Services Card, and how other companies will be able to use the BC Services Card, and how even the federal government will be able to use the BC Services Card, for authentication. I understand (although I haven't yet tried it) that you can actually use the BC Services Card to sign on to your bank. Congratulations Gary! It works. I had to sign up for it for something that I had to do with the death administration when Gloria died. I can't even remember what it was that I had to do. As a matter of fact, although I have come across an awful lot of possible uses for the BC Services Card in the intervening years, I have only actually used the BC Services Card about once every two years. This means that using the BC Services Card isn't exactly a daily occurrence. So, each time I have to use it, I have to relearn, all over again, how to use it. Every time I have had to use it, it has actually been much less traumatic than I always expected to be. It works. It works well. And I was even able to switch it from one phone to another without too much trouble, when I got my new phone. (I did have to take both phones into the Service BC office. I suppose that I didn't necessarily have to, but I was definitely nervous about the process, and I figured it was easier to just go into the office then to try and figure out how it worked by myself.)
The BC government, and all the people that I know who work in aspects of the BC government programs which use the BC Services Card, insist that it is very useful, and that everybody knows about it, and knows how to use it. This is absolute nonsense. Every time I talk about the BC Services Card, I have to explain that there is no actual card. I have to explain that it is an authentication app. There are all kinds of things that you can use the BC Services Card for. But almost nobody actually knows that there is a BC Services Card, and what it is. For the most part, unless your wife dies, you don't have to use the BC Services Card. You can sign on to your bank using some other means. You can sign on to the Canada Revenue Agency using some other system or method. The BC Services Card could be very useful. But it isn't required, and so almost nobody uses it. If more people used it, and if more people had it ... well, that's sort of the problem isn't it? If more people had it, more companies would use it. If more companies used it, more people would have it. It's a really good system, but you have to get both people and companies to actually use it. Nobody is going to get it until it becomes useful to them, and no companies are going to offer it, as authentication, until more people are using it. Catch 22.
But there is, of course, fairly widely used, yet another authentication boondoggle. This is the fact that, if you go to some website where, in order to use it, you are supposed to have an account, but you don't have an account with this particular system, you can sign on with your Facebook account. Or your Google account. Or your own account with one of the other systems one of the other information technology giants, where a lot of people do have accounts, and they provide this form of online authentication. You sign on with your Facebook username and password, and Facebook authenticates, to the system that you actually use, that you are you, and you should be allowed to use their system.
As I say, a number of the tech giants are starting to get into this particular service. Once again, everybody would like to be the system that everybody else has to rely on. One company that is interested in getting into this field is Open AI. Yes, the people behind ChatGPT. Now, personally, as far as I can tell, large language models, and generative artificial intelligence, are a solution in search of a problem. About the only service that generative artificial intelligence seems to have been able to get anybody excited about, is code generation. So ChatGPT is writing a whole bunch of code for a whole bunch of companies. (Well, really it's more of an "autocomplete on steroids" function that searches existing code bases.) (And, I suppose in doing that, that they can't do much worse than an awful lot of the programmers out there.) But, in terms of authentication, I am less sanguine about the capabilities of hallucinatory generative artificial intelligence. Since we can't trust the text that these systems produce, why should we trust the authentication that they, supposedly, verify?
No comments:
Post a Comment