Authentication Afterlife: the dark side of making lost password recovery harder
Room 6 | Tue 14 Jan | 2:05 p.m.–2:40 p.m.
Presented by
Ewen McNeill
@ewenmcneill
http://www.naos.co.nz/
Ewen works as a consulting sysadmin, network admin and developer, which they find are all now just variations on the same design, development and automation skills applied in different domains. Ewen has been involved directly and indirectly with production system and network operations since the early 1990s, mostly in Internet-related networks and organisations. They have been attending Linux.Conf.Au annually since 2004.
Abstract
Historically authentication was by username and password, perhaps with email as a password reset flow. Users often wrote down their passwords (particularly older users), and possibly they only had a few passwords and it was pretty easy to try all of them.
Modern times have proven that passwords, particularly reused passwords, are insufficient security for any slightly valuable account. So lots of people are using password managers, randomised passwords, and 2FA (hardware tokens, TOTP, etc). Some accounts also require an additional authentication flow (email, SMS) for "new device" logins. "Security Aware" users are using randomised answers to security challenge questions, perhaps also stored in their password managers.
This "security improvement" has a flip side: it has gone from being unlikely that users will forget their passwords or get locked out, to being more likely that users will lose access to their accounts through loss of 2FA or additional authentication paths (e.g., phone number or email), and more likely that users will struggle with lost password recovery. And there's a darker side still: if the user is incapacitated, or has passed away, often someone else close to them will need to act "on their behalf" with those accounts (for legitimate transactions, to send out notifications, or just to archive the account), and will likely struggle to gain access to them without the original user's full set of password manager / 2FA / etc.
How do we balance the need to improve authentication security, and reduce the simplicity of malicious account takeover, with the need for there to be a way for legitimate account use by bereaved family members, or other trusted associates? There are no easy answers here, but considering the questions is important.
Linux Australia: http://mirror.linux.org.au/pub/linux.conf.au/2020/room_6/Tuesday/Authentication_Afterlife_the_dark_side_of_making_lost_password_recovery_harder.webm
YouTube: https://www.youtube.com/watch?v=Yk5xoq-BJsg