Authentication? Let's Infuse Ergonomics!
By Marco Rottigni, Chief Technical Security Officer EMEA at Qualys
The combination of cloud and the various forms of *aaS is defining a digital landscape for people and organizations in which a perimeter is drawn every time we consciously confirm our identity as users. That act is authentication, and from it follow authorization and, eventually, auditing. There has been a long debate, which certainly continues today, about the strength of authentication: how many factors to use, and which distinctive traits of ourselves the process should consider, whether something we know, something we have, something we do, something we are, and so on.
Over my professional career I have lived through many eras of authentication: from the traditional password, to enforced password complexity; through digital certificates, hardware tokens, one-time passwords, software tokens, push notifications and more. And I lived through them both as a user and as a vendor, having been for a few years the product manager of a solution in which the combination of authentication processes played a critical role. This experience led me to conclude that rather than focusing on the strength of the authentication process, we should aim to infuse ergonomics into the process and use a bit of progressive skepticism. I distinctly remember the first time I expressed this concept to the then marketing director of the company I was working for, a Finnish professional. You may imagine his face, given the fundamental passion for ergonomics in design that pervades the Nordic regions of Europe.
“Marco”, he said, “ergonomics is a science applied to how you sit at your desk or how you interact with your working tools”.
“Very true”, I replied, “and authentication is exactly about how you interact with your tools to confirm who you are, in the simplest and most efficient way possible”.
Think about the most advanced form of authentication you use today: perhaps approving a push notification on your smartphone, right after entering a one-time password that changes continuously and is generated at that very moment by an app running on the same smartphone (something you have), which you first unlocked with a code (something you know). This very simple sequence combines factors into something that is very hard for a remote attacker to bypass; the realistic way around it is to force you, under threat of violence, to perform these actions yourself. And it is very ergonomic, because it is built on something you are so keen to use that if you forget it at home you will very likely go back to pick it up: your smartphone.
Thinking back to the old days of hardware tokens, when a token forgotten at home meant a help desk ticket for a single-use bypass code (“just for this once, it will never happen again”), it all seems Mesozoic, right? But there are cases where threatened violence is justified (from the viewpoint of the attacker) by the value of the protected data.
Here is where progressive skepticism comes into play. What if you are forced to authenticate successfully to avoid injury, perhaps because you are a kidnapped engineer with access to very valuable intellectual property? This requires augmenting the authentication and authorization process with further techniques, to keep your person safe from violence while delivering something credible to the attacker, albeit not the data he was after. One example of such augmentation is deniable encryption driven by a duress code: you complete a valid authentication, but with a different, pre-agreed code instead of the authentic one. The backend recognizes this code and applies a different, yet credible, authorization path that grants access to fake but plausible data, and can raise a silent alarm at the same time. Again, adopting this process does not burden the user experience with additional complexity, while it strengthens the overall process and delivers a higher level of security. Consider ergonomics in your next authentication and authorization process; your users will thank you later.
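The duress-code path described above, as an added example that is not code from the article or from Qualys: a minimal backend that stores a real code and a pre-agreed duress code for each user, authenticates either one successfully, serves decoy data on the duress path and records a silent alarm out of band. It covers the decoy-authorization step the paragraph describes, not the on-disk deniable encryption of the real data. The user name, codes, project data, `enroll`/`authenticate` functions and the PBKDF2 round count are all constructed for the example.

```python
# Added example, not code from the article or from Qualys: a backend that
# recognises a pre-agreed duress code and serves plausible decoy data.
# User names, codes and data below are constructed for the example.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Tuple

PBKDF2_ROUNDS = 100_000  # assumption: round count chosen for the example


def _hash_code(code: str, salt: bytes) -> bytes:
    """Slow, salted hash so neither the real nor the duress code is stored in clear."""
    return hashlib.pbkdf2_hmac("sha256", code.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class UserRecord:
    username: str
    salt: bytes
    real_hash: bytes
    duress_hash: bytes
    real_data: Dict[str, Any]   # what the user is really entitled to see
    decoy_data: Dict[str, Any]  # plausible substitute served under duress


def enroll(username: str, real_code: str, duress_code: str,
           real_data: Dict[str, Any], decoy_data: Dict[str, Any]) -> UserRecord:
    # The duress code must differ from the real one but look the same
    # (same length), so that somebody watching the user type cannot tell
    # which of the two was entered.
    if real_code == duress_code:
        raise ValueError("duress code must differ from the real code")
    if len(real_code) != len(duress_code):
        raise ValueError("duress code must have the same length as the real code")
    salt = secrets.token_bytes(16)
    return UserRecord(username, salt, _hash_code(real_code, salt),
                      _hash_code(duress_code, salt), real_data, decoy_data)


def authenticate(user: UserRecord, code: str,
                 alarm_sink: List[str]) -> Tuple[bool, Optional[Dict[str, Any]]]:
    """Return (success, data).

    The duress path produces exactly the same response shape as the real
    path; the only difference is a silent alarm written to alarm_sink, a
    stand-in for an out-of-band channel to the security operations team.
    """
    candidate = _hash_code(code, user.salt)
    # Evaluate both comparisons every time so that response timing does
    # not reveal which path was taken.
    is_real = hmac.compare_digest(candidate, user.real_hash)
    is_duress = hmac.compare_digest(candidate, user.duress_hash)
    if is_real:
        return True, user.real_data
    if is_duress:
        alarm_sink.append(f"DURESS login for {user.username}")
        return True, user.decoy_data
    return False, None


# Constructed sample: an engineer whose real project data must be protected.
ENGINEER = enroll(
    "m.rossi", real_code="493027", duress_code="493072",
    real_data={"project": "turbine-gen7", "files": ["blade_profile_v9.step"]},
    decoy_data={"project": "turbine-gen5", "files": ["blade_profile_v3.step"]},
)

if __name__ == "__main__":
    alarms: List[str] = []
    print(authenticate(ENGINEER, "493027", alarms))  # real data, no alarm
    print(authenticate(ENGINEER, "493072", alarms))  # decoy data, silent alarm
    print(authenticate(ENGINEER, "000000", alarms))  # rejected
    print(alarms)
```

The two design points worth keeping in a real deployment are the ones the paragraph implies: the duress response must be indistinguishable from a genuine one to whoever is watching (same success status, same data shape, same timing), and the alarm must never surface in that response, only through a channel the attacker cannot see.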