There is a famous New Yorker cartoon – two dogs sitting in front of a computer with the caption, “On the Internet, nobody knows you’re a dog”.  I would save you the trouble of clicking on the link to see it, except that the New Yorker would like me to pay them $360 a year for the right to reproduce it on this small, non-commercial blog – which leads to the thought that their business managers are less web-savvy than their cartoonists.  The contrast is stronger still, given the fact that the cartoon dates from 1993, when the ubiquity of the internet was rather less pronounced than it is now.

The chances are that you will have seen it before – it’s apparently the most widely reproduced New Yorker cartoon, presumably because it so neatly encapsulates the point that anonymity and the absence of verification are so central to the internet – and so central to its success as well as to its frustrations.  If knowing whether you were talking to a dog or not was really important to you, designing the structure of the internet the way it is wouldn’t be the obvious way of setting about it.  As David Weinberger reminds us in blogging a recent presentation by James Boyle, that openness and lack of rigid structures has a lot to do with why there is a successful internet to be worrying about in the first place.

But that leaves us with a problem.  Sometimes it is really important to know not just whether you are a dog or a cat, but precisely which dog or cat – in a situation when just relying on the little disc attached to your collar isn’t an option.  Making connections secure can be difficult in practice, but it isn’t hard in principle.  I can access my office systems remotely with two passwords (one of them very long), a smartcard, a fully encrypted laptop and a fully encrypted VPN connection.  There are lots of ways of fouling up the implementation of all that, but for all practical purposes it provides effective security.

The real difficulties start when we want to be secure and open.  I want to be able to show information about you to you – and only to you, and I want to accept and act on information about you from you and only from you (or actually from you or anyone you want to act on your behalf, but we’ll leave that further twist to one side).  But I also want the experience to be easy for users, for the simple reason that if it isn’t, they won’t.

In the beginning, web sites did this with user names and passwords.  But left to their own devices, people choose very weak passwords, and if forced to have strong passwords, they forget them.  So then there came shared secrets – in effect, a backup password to be used if you forgot your real one.  The problem with that – as Bruce Schneier pointed out a while ago (and then pointed out all over again more recently)  – is that it inadvertently undermines the security of the system, particularly if the so-called ‘secret’ isn’t very.  It’s much easier for the bad guys to attack the shared secret than it is to attack the original secure password.

The third phase was when banks, in particular, started to use the shared secret as a second password in its own right, rather than as a backup to the first.  That’s a real improvement since, assuming that knowledge of the two passwords is genuinely independent, two layers of defence are inherently stronger than one.  More recently, banks have moved towards a second authentication factor, with keypads and smartcards used to generate one-time codes.

Another apparent way of strengthening shared secrets is to have several, including some which are subjective and so less knowable from other sources.  That’s important, and becoming ever more so:  as Eric Norlin’s self-styled Norlin’s maxim states, ‘The internet inexorably pulls information from the private domain into the public domain.’ But even that may break as a system quite quickly:  there is nothing online anywhere (as far as I know) which links my name with any of the schools I went to.  The same may well not be true for the digital natives, as Norlin argues in support of his maxim:

In the context of choice being the identity default, we’re finding that the bulk of online users are choosing to place huge chunks of their identity online. My evidence: MySpace, YouTube, Facebook, etc. The heaviest generational component of the online community (the kids) rushes to identify themselves online. They flock to it so fast and so easily that it’s making federal lawmakers (and many parents) uneasy. Do these kids think that anonymity is or should be the online default?

Apparently not.

The amount of personal data swilling around is now sufficient for a whole new industry – apparently calling itself ‘knowledge based authentication’:

The key is for a business to use a KBA system that bases its questions on non-credit data and reaches back into your public records history so that the answers are not easily guessed or blatantly obvious. Typically, consumers find credit based questions (what was the amount of your last mortgage payment, bank deposit, etc) intrusive and difficult to answer, and these types of answers can be forged by stealing someone’s credit report or accessed with compromised consumer data. Without giving away too much of our secret sauce, our questions relate to items such as former addresses (from as far back as college), people you know, vehicle information and anything else that can be determined confidentially while not exposing data from existing public data sources.

As Kim Cameron notes in quoting that material:

Why wouldn’t an organized crime syndicate be able to set itself up with exactly the same set of publicly available databases used by IDology and thus be able to impersonate all of us perfectly – since it would know all the answers to the same questions?  It seems feasible to me.  I think it is likely that this technology, if initially successful and widely deployed, will crumble under attack because of that very success.

My second concern regards the security of the system from the point of view of the individual; in other words, her privacy.  IDology’s approach takes progressively more obscure aspects of a person’s history and then, through the question and answer process, shares them with sites that people shouldn’t necessarily trust very much.

The last point unravels things one step further:  how secret can a secret be once it has been shared?  Worse still, what happens when it is known to have been compromised?  As Navjeet Khosa observes, once the ‘true’ answers have been compromised, they are useless:

The situation was made worse when, after finding a virus on a machine I used, I had to call the bank and change the answers to all of the security questions. Now, when asked about the last school I went to, my favourite colour etc, I can never remember the answer required, because I had to change the correct one. The addition of more security – such as a card reader – is likely to make the whole process even more troublesome and take even longer.
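As an added illustration (not from the post or any of the sites it discusses), one defensive way of handling the ‘shared’ part of a shared secret: the site keeps only a salted, slow hash of a normalised answer and locks the recovery channel after a few failures, so a breach of the site does not hand over the ‘true’ answers and low-entropy answers cannot be guessed indefinitely. The `RecoveryAnswers` class, its limits and the sample answers are all hypothetical.

```python
import hashlib
import hmac
import os
import re


class RecoveryAnswers:
    """Hypothetical store for recovery-question answers.

    The site keeps only a salted, slow hash of each normalised answer and
    counts failed attempts, so a breach of the site does not hand over the
    'true' answers and low-entropy answers cannot be guessed indefinitely.
    """
    MAX_ATTEMPTS = 5        # lock the recovery channel after this many failures
    ITERATIONS = 100_000    # PBKDF2 work factor; raise it on faster hardware

    def __init__(self, answers):
        # answers: {question: plaintext answer}; hashed once here, then discarded
        self.records = {q: self._hash(a, os.urandom(16)) for q, a in answers.items()}
        self.failures = 0

    @staticmethod
    def normalise(answer):
        # "St. Mary's  School" -> "st marys school": forgiving of case, spacing
        # and punctuation, which is where half-remembered 'exact' answers fail
        text = re.sub(r"[^\w\s]", "", answer.casefold())
        return " ".join(text.split())

    @classmethod
    def _hash(cls, answer, salt):
        digest = hashlib.pbkdf2_hmac(
            "sha256", cls.normalise(answer).encode(), salt, cls.ITERATIONS)
        return salt, digest

    def verify(self, attempt):
        # attempt: {question: answer}. Every stored question must match; all
        # answers are checked (no short-circuit) so timing does not reveal
        # which one was wrong, and any failure spends one attempt.
        if self.failures >= self.MAX_ATTEMPTS:
            return False
        results = [
            q in attempt and hmac.compare_digest(self._hash(attempt[q], salt)[1], digest)
            for q, (salt, digest) in self.records.items()
        ]
        ok = all(results)
        self.failures = 0 if ok else self.failures + 1
        return ok
```

This does nothing to make the answers secret from someone who already knows your history, which is the post’s central worry; it only limits what a breach of the site or a guessing attack against it can yield.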

She also cites interesting research suggesting that beyond a certain point, adding layers of security process may undermine, rather than reinforce, trust:

Researchers Hokyoung Ryu and Kansi Zhang found that although enhanced security measures for Web banking may make the process “technically safer”, the more identity-checking steps that are required by a customer, the less “trusting” they feel.

That clearly applies in other contexts too:  too much security can feel odd, as Richard Clayton observes about the hoops he has to jump through just to provide a biannual return to the Pensions Regulator.

There is also a social dimension to shared secrets.  They tend to emphasise early experience, presumably because current data is more at risk of being known to current acquaintances (though as noted above, that assumption may be becoming increasingly questionable), and there is an implied assumption that that early experience was singular, stable and memorable.  By the time I was 11, I had been to seven schools and lived in five places.  Asking me the name of my primary school, or the street where I grew up, doesn’t work very well.  I suspect (though without evidence) that many of the questions which tend to be used have quite a bit of cultural baggage which is unseen by those who pose them.

So what do we do?

The simple answer is that I don’t know.  This post has got long and meandering because it is mainly a device for trying to get my own thinking straight, and it’s not altogether succeeding.  One possible route is simply to cut through all these issues by adopting a different approach altogether.  Applying two-factor authentication doesn’t have to be as complicated as the banks have made it.  There is, for example, the YubiKey which is operated just by putting it into a USB port and pressing a single button, which is on the face of it a considerably more straightforward solution – at least, once the challenge of physical distribution has been cracked.  More generally, there is always the possibility of more elegant solutions based on approaches such as the laws of identity (just out in a new condensed version – though I find the longer paper more helpful, because the questions here matter at least as much as the answers).

I’ll leave the last word – at least for the time being – with Ramon Rozas, who has written a short story called Security Question.  The prose is a bit clunky, but it’s very short – and worth hanging on for the punchline.

Comments

  1. A thought-provoking post with, as you say, no obviously right answer.
    My main gripe with the current situation is that each organisation has its own way of doing things, I suppose based on the software they employ and the sensitivity of the transaction involved. And one is advised to choose different passwords so that if the Amazon one is compromised, it won’t be put straight into eBay as well. So I have dozens of passwords that I have to write down somewhere or forget them.
    Will any combination of secrets, PINs and external hardware really get round this?
    And is the other extreme, such as a single, integrated, online ID verification system (presumably along the lines of Mastercard SecureCode or Verified by Visa, or minimal disclosure tokens), where the organisation I am transacting with links through to a central point to authenticate my identity, any better (assuming that if this becomes compromised then the fraudster can use it to access any organisation)?