Web authentication up, but implementation an issue
Trend of increased authentication for Web transactions and social media use may be inconvenient and tedious for consumers but necessary to protect against abuse and malware, said security insiders. Web properties, they advised, must also implement authentication right or efforts will go to naught.
Software developer Jeff Atwood pointed out in a post last month on his blog Coding Horror, that identity on the Internet has become "tedious busywork" with the inconvenience of log-ins and authentication over and over for every single Web site and on every device until "the end of time".
Users similarly express frustration over increased Web authentication. Student Jason Tan, for example, lamented that he was "tired of" the number of times he had to key in his password in order to post anonymous comments on hosted blog site, Livejournal.
Another end user, Louisa Chua, said while she recognized the need for online security, repeatedly keying in passwords was often "a waste of time".
Security insiders noted, however, that authentication is a way for Web properties to sift out undesirable elements. That said, it must be implemented right or their efforts will come to naught.
Authentication is used to prevent irresponsible and possible illegal activities associated with anonymity, Robin Liao, regional technical manager of Fortinet South Asia, told ZDNet Asia in an e-mail. Increased authentication, he pointed out, has been a common dilemma in the security versus ease-of-use debate.
Liao explained that for simple actions such as posting comments and uploading videos, authentication is used to prevent the sharing of non-meaningful content. Without it, spambots could strike a Web site by posting spam that has nothing to do with the topic of discussion. With video uploading, a "defamatory or obscene clip" could be shared with the public, though such incidents are more of "a nuisance" than security threat, he said but noted that if a phishing link is included in a comment, readers who click on it have their personal data compromised.
"If allowed to proliferate, non-meaningful content could also cause a Web site to lose eyeballs, threatening its commercial viability," he said. "Such occurrences are hence not 'minor' from [a] business owner’s viewpoint."
According to John Ong, regional director of Check Point South Asia, authentication also allows site owners to track users who leave controversial content. However, he warned in his e-mail that this may mean people "won't be bothered" to leave comments, defeating the whole idea of the interactive Web experience.
Paul Ducklin, head of technology at Sophos Asia-Pacific, pointed out that users should "learn to accept some minor inconveniences" in exchange for better protection.
"Security is important because it's our primary defense against cybercriminals," he said in an e-mail. "A little security goes a long way."
Right implementation for better security
If implemented correctly, increased authentication should lead to better security, Liao of Fortinet noted, citing Facebook's sign-on location tracking as an example. If Singapore-registered users try to log in from another country but enter the wrong password, they will be "put through additional authentication steps" before they can access their Facebook account, he explained.
On the other hand, a poorly-implemented solution--usually one that is "overly complex"--will lead to a less secure environment. Human beings, typically "the weakest link in the system" will often find ways to "bypass a complex system", leading to its failure, he said.
A poorly-implemented authentication, for instance, would require a password to be set but make "no attempt to enforce its strength" such as mandating the use of non-alphanumeric characters. According to Liao, some forums are guilty of this as they require users to register before they can participate in discussions but do not restrict their choice of password.
Allowing people to use a password that is easily cracked will not offer additional security which comes from additional authentication, he pointed out.
Sophos' Ducklin agreed that putting authentication into practice is not a guarantee of better security. "Forcing" users to have usernames and passwords can still lead to "abusive" or "spammy" behavior as users can sign up with "throwaway" e-mail accounts which are set up just to fulfill the registration process, he explained.
Additionally, Ong of Check Point pointed out that security is not just about technology, no matter how well-implemented. The easiest way to breach security credentials is still social engineering, he said.
"As long as humans continue to exhibit gullibility and naivety, a hacker can breach the credentials sometimes without even the need for esoteric intrusion techniques or tools," he said.
SSO the way to go?
Asked if increased authentication signaled a re-emergence of SSO, Liao replied that it is "already happening". Many Web sites are now linked with central authentication services such as Facebook Connect and Microsoft Passports, and these facilities made logging in to multiple sites "much easier" and "will become popular" over time, he explained.
Ong of Check Point noted that SSO adoption is going "to and fro" because site owners and users are concerned over privacy, security, and convenience.
"SSO provides conveniences to users but if there are [security-related] problems, site owners get into trouble," he explained. "But if there are multi-factor authentication or some esoteric system at play, users [get] frustrated [and] leave, and site owners are left with a super secure system with no customers or visitors."
Admitting he is "not a huge fan of SSO", Sophos' Ducklin warned that the "all eggs in one basket" approach is a risky strategy. Recent breaches at security companies including RSA, which saw its two-factor authentication token security compromised, and Vasco's subsidiary DigiNotar, which filed for bankruptcy after more than 500 digital certificates were stolen, were cause for worry, he said.