With the multitudes of accounts we have to deal with for email, social networking and other applications that require password authentication, the risk of compromise is too great. We need a better solution.
So this morning I did the usual. I woke up, got out of bed, I answered the call to nature, I popped a K-Cup in my Keurig brewer, and I shuffled downstairs to my home office and logged into my personal email account.
This is the first thing that I saw:
Needless to say, I was not amused. At all.
Now, I generally regard myself as extremely careful with my computer security. To the point of being extremely paranoid about it. I use "strong" passwords, mixed alphanumerics with non-alpha characters. An example of this would be something like R1tch13R1c4386!
Not only that, but I don't use the same password on all my services. My Google password is unique.
Today, as modern computing users, we're inundated with passwords on all sorts of web and social networking sites. I use GMail and all the Google Apps, such as Calendar, Analytics, Docs, et cetera. I use FaceBook. I use LinkedIn. I use two separate blogging accounts, and I have logins on a myriad of other websites and web-based applications, not to mention all the corporate intranet stuff I deal with on a daily basis.
It's gotten out of control. Keeping track of these requires spreadsheets and documents, stored in various places, because you can't possibly hope to remember them all and when they expire. And then of course you need to have them reset all the time with your new temporaries sent into your email should you forget them.
So back to my GMail account. Someone had clearly compromised it, this despite the fact that I use strong passwords. Not only do I use strong passwords, but I use the Chrome browser as my standard on all my PCs, no matter what OS I use, arguably the most secure browser available today, and it's the only one I access the GMail web interface with, using an encrypted connection.
I also use Linux as my primary operating system, with my Windows software running virtualized, each instance with antimalware and antivirus software running on them, and I don't run Internet-facing web apps from those. My corporate applications and email are isolated in a Virtual Machine using an encrypted virtual hard drive.
My PCs aren't the only devices that talk to my Google account. I have two Android phones, as well as an iPad. So the attack vector could have been from anywhere.
With all of those precautions in place on my PCs, I have no idea how that account was compromised. I can only speculate: it could have been a rogue Android or iOS app, it could have been a cross-site authentication thing on FaceBook, or it could have been something as simple as an email or web-based phishing attack, although I tend to be pretty vigilant about the obvious phishing emails which come across my desk on a daily basis now.
It could also have been a "Brute Force" attack, although with "Strong" passwords that becomes more difficult. I also won't rule out Google's servers being penetrated directly, although that seems less likely.
The point is, it doesn't matter. If someone like me can get compromised, so can anyone else, especially someone who isn't keeping track of their online accounts and behavior as much as I do.
Let's face it -- passwords suck. Once someone knows what they are, your security is in a world of poo. I would have used a much stronger term than "poo", but I'll let Private Pyle do this for me.
There is a better solution than passwords. That solution is Biometrics.
Biometrics have been used effectively in computing applications for some time, primarily for high-security environments in which recognizing the unique characteristics of an individual is of paramount importance. Typically, you see them used in Government, TOP SECRET and Financial systems.
Usually, you see them in the form of either fingerprint or retina scan, and sometimes even voice print identification. There are other ways of doing biometrics, but these are the ones which are in common use.
One such system that used both fingerprint and retina is the CLEAR registered traveler service, which recently re-opened under new ownership with limited service at Orlando airport after its parent company, Verified Identity Pass, ceased operations in June of 2009.
Despite the fact that the company had financial troubles and the service may have come before its time, their authentication system itself, which used a combination of an electronic identity card containing a biometric signature as well as retina and fingerprint scanning, was one of the best I've ever seen.
Fingerprint scanners are inexpensive, ranging from $40-$50 retail if you want to add one to your PC. Some higher-end business laptops already have them built in. As a component cost of integrating into a USB keyboard, a laptop, tablet or smartphone, the price is significantly less if you start manufacturing them in the tens of millions.
Built-in cameras in laptops and smartphones with high-resolution CCDs, constantly improving macro capability and miniaturized optics could also make retina scan on portable devices and PCs an affordable reality within a number of years.
These solutions could also be combined with RFID implants and/or voice print identification to have multiple points of identification, in order to minimize the risk of access due to biometric forgery or coercion under duress (such as being forced to authenticate at gunpoint).
The cost and integration of the hardware is only part of the problem, though. What we really need is a standardized API that would work on every OS platform and the web, so that you have seamless session-based biometric logins for all the services and applications one might use. And biometric enrollment must either get centralized or a lot easier to do than it is now.
Given the continued importance of services such as Google Apps, FaceBook, Twitter and others, as well as the number of passwords that we now need to maintain, it's starting to look like we need a biometric API, preferably Open Source, and preferably one which has government buy-in in terms of accepted standards.
I'd like to see Google, FaceBook, Microsoft and Apple as well as the Office of the CIO of the United States and equivalent organizations in the EU make this a priority.
There is far too much identity theft and too many password compromises going on, and it's costing consumers, businesses and governments hundreds of millions if not billions of dollars a year, not to mention the aggravation and embarrassment of having your data exposed to your friends and family, and the harm to your business reputation when it occurs.
With the prevalence of Social Networking, smartphones and mobile applications, do we need a mass-adoption of biometrics? Talk Back and Let Me Know.