Risk-appropriate authentication vs machine fingerprinting

Last updated: 21 March 2014

A recent Wall Street Journal article on the insecurity of passwords confirmed what many of us have believed for some time – the days of password-only authentication are numbered.

As well as highlighting the passwords that no one of sane mind should consider using (‘123456’ or ‘password’, anyone?), it also considers some of the alternatives or supplements to traditional password authentication (hardware and software tokens) which can be used to shore up the weakness of a password on its own. What it doesn’t touch on is the circumstances under which that level of protection is actually necessary.

Authentication, and indeed security in all its forms, must be risk-appropriate. The strength of the authentication required should be proportional to the potential impact of a breach. For example, the level of security required to access one’s online banking should, naturally, be greater than that required to access personal email. However, with more personal information being shared online, particularly on social networks, the potential impact of a breach of one’s personal data on these sites is now greater than ever.

One such website, Facebook, now employs another option discussed by the WSJ: machine fingerprinting. This is software which learns the usual pattern of a user’s logins (the browser and device they normally use, where they normally connect from) and requests additional proof of identity only when it detects something out of the ordinary – for example, if that person logs on from a foreign country. That additional proof may be a ‘secret question’ or, in Facebook’s case, identifying friends in tagged photos. The weakness is not the fingerprinting itself but the fallback challenge: a secret question or a friend’s face is often easily guessable by anyone with even a casual knowledge of the victim. This may give users an illusion of security, but in reality, once the fallback is guessed, they are as at-risk as if these systems were not in place at all.

As I continue to bang the strong authentication drum, what is required is security which is proportional to the risks involved. With greater amounts of personal data being shared on all manner of different websites, the risk attached to even a relatively trivial site is now high, meaning that machine fingerprinting backed by a guessable fallback question is not a sufficient level of protection; the step-up challenge it triggers needs to be a real second factor. Google has followed Amazon Web Services’ lead by offering two-factor authentication to all Gmail users who opt in, and, far-fetched though it may seem, the idea of Facebook or Twitter authentication tokens may be not that far away. You know I will not stop pushing for this change!