How Does Your Favorite Authentication Solution Rank Security-Wise?
(Excuse any typos, this article did not go through the normal editing process)
OK, I decided to do a Fool’s Errand and rank various authentication solutions’ security protection from the weakest to the strongest. Anyone trying to do this is going to get a lot of criticism. It’s like putting out a top 100 greatest rock songs list. You’re going to miss a lot of stuff and a ton of people are going to disagree with your rankings. Oh, well, at least I’m brave enough to try. I don’t think anything like this has been done before.
I’ve been in computer security for 34 years, and for the last two decades I’ve focused heavily on authentication security, especially the last 15 years. I’ve reviewed hundreds of authentication solutions. Rarely a week goes by without some new authentication vendor emailing me asking me to look at their latest, greatest authentication solution. Most aren’t that great. But sadly, even the very good ones will have a hard time gaining much market share. Most are doomed to get a few customers and then die out from neglect. The digital authentication business is a tough one.
A common question I get a few times a week from someone is how I like a particular authentication solution they have or are considering. What do I think about SQRL? What do I think about Windows Hello? What about voice-based authentication? Is SMS-based MFA better than using a password? (Answers: I like, but prefer MFA solutions. I like, but it’s not nearly as secure as you think. It's OK, especially when paired with a pre-registered phone number or knowledge-based secret. Barely.)
It’s not easy to rank authentication solutions with absolute certainty. All authentication solutions are hackable, but some are more resilient than others. Security is not binary. I will say that I do have a basic separation in my mind between the “weak” solutions that I think anyone should mostly avoid whenever possible and the stronger solutions which I like better than the weaker ones. When I hear someone tell me they are using a weaker solution, I mentally wince. And when someone tells me they are using something better than passwords, I’m OK. And sometimes I really, really like what they are using.
The graphic above is my first take on an “authentication security spectrum ranking”. I rank the various authentication solutions from weakest to strongest, with a dotted line separating the solutions I think are “stronger” from those that are weaker. Passwords are pretty much the major dividing line. I don’t hate passwords. In fact, I think we all are going to have to use a lot of passwords for a long time (https://www.dhirubhai.net/pulse/passwords-still-us-decades-roger-grimes). It’s just that nearly every other authentication solution proposed is attempting to improve on passwords in some way. Some fail and end up being less secure than passwords. Most are better than passwords, but aren’t as great as touted or as secure as their users think. This applies to the vast majority of MFA, which is as easy to bypass or steal as a password. I’m a huge believer that if you’re going to move to MFA, you should move to phishing-resistant MFA (https://www.dhirubhai.net/pulse/dont-use-easily-phishable-mfa-thats-most-roger-grimes and https://www.dhirubhai.net/pulse/my-list-good-strong-mfa-roger-grimes); otherwise, why bother?
I think some of my decisions, like how secure I think most biometric solutions are, will surprise people. But most widespread biometric solutions aren’t nearly as secure as you think. Your fingerprint may be unique in the world, but the way your fingerprint (or any biometric attribute) is collected, stored, and used is not. For most of the biometric solutions in widespread use today, I bet 1 out of 100 random people’s fingerprints would match it.
That doesn’t mean all biometrics are bad or that you and I shouldn’t use OK biometrics. I use a fingerprint to swipe into my phone dozens of times a day. It’s good enough. I just want to keep the casual criminal from being able to immediately access my phone. I’m not protecting nuclear secrets on it. Sometimes OK security is good enough. My biggest beef with biometrics is that they are permanent traits. If someone steals your biometric traits, how is any system relying on that trait for authentication ever going to be sure it’s really you?
I also state that stand-alone password managers are more secure than browser-based and OS-based password managers. Why? For one, browser-based password managers are frequently attacked, often by automated malware, whereas the other types, although they could be, aren’t as often directly attacked. And stand-alone password managers usually have a ton of other features that browser-based and OS-based password managers just don’t have. Stand-alone password managers are usually just better products. It makes sense. Usually, they have an entire company or division dedicated to them instead of just a team inside of a huge corporation. Focus is everything.
I love non-phishable, phishing-resistant MFA. Right now, it’s the best cost-benefit replacement for passwords. Here is my list of phishing-resistant MFA that I like: https://www.dhirubhai.net/pulse/my-list-good-strong-mfa-roger-grimes . I’m a huge fan of any FIDO implementation. I also like most passwordless solutions, like SQRL (https://www.grc.com/sqrl/sqrl.htm), but I prefer multifactor options over single-factor options when given a choice.
It’s also important to note that any authentication solution is made up of over a dozen dependencies (e.g., network, encryption, namespace, etc.) that must be fully protected in order for the authentication solution to be as secure as it could be. And even the strongest authentication solutions can be easily bypassed by a good social engineer. Humans will usually be the weak link, not the technology.
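To make the “phishable vs. phishing-resistant” distinction above concrete, here is an added toy simulation (example code, not from the article or any vendor). It contrasts a one-time code, which is a bearer value that a look-alike site can simply forward to the real site, with a FIDO-style assertion, where the browser (not the user) supplies the origin it is actually talking to and the authenticator signs over it, so the real site’s verification fails when the origin is wrong. Domains, secrets and class names are constructed; an HMAC keyed by a per-credential secret stands in for the authenticator’s private-key signature, which is a simplification of real FIDO/WebAuthn (asymmetric keys, origin in clientDataJSON, rpIdHash in authenticatorData).

```python
"""Toy model of why origin-bound MFA resists relay phishing and a one-time code does not.
Added example; every domain, secret and name here is constructed for illustration."""
import hashlib
import hmac
import secrets

REAL_ORIGIN = "login.example-bank.test"          # constructed legitimate site
PHISH_ORIGIN = "login.example-bank.test.evil"    # constructed look-alike site


def hotp_code(shared_secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamic truncation, 6 digits.
    The only property that matters below is that the code is a bearer value."""
    mac = hmac.new(shared_secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{binary % 1_000_000:06d}"


class OtpServer:
    """Site that accepts a shared-secret one-time code as its second factor."""
    def __init__(self, shared_secret: bytes) -> None:
        self.secret = shared_secret
        self.counter = 0

    def verify(self, code: str) -> bool:
        ok = hmac.compare_digest(hotp_code(self.secret, self.counter), code)
        if ok:
            self.counter += 1   # advance so the same code cannot be replayed later
        return ok


def otp_relay_login(server: OtpServer, user_secret: bytes) -> bool:
    """User is lured to PHISH_ORIGIN and types the code their app displays.
    The phishing page forwards the code unchanged; nothing binds it to an origin."""
    code_typed_on_phish_page = hotp_code(user_secret, server.counter)
    return server.verify(code_typed_on_phish_page)   # accepted: True


class OriginBoundAuthenticator:
    """Stand-in for a FIDO authenticator (HMAC here, a key-pair signature in reality)."""
    def __init__(self) -> None:
        self._cred_secret = secrets.token_bytes(32)

    def registration_material(self) -> bytes:
        return self._cred_secret   # in real FIDO this would be the public key only

    def assertion(self, origin_seen_by_browser: str, challenge: bytes) -> bytes:
        # The browser supplies the origin it actually loaded; the user cannot override it.
        msg = origin_seen_by_browser.encode() + b"\x00" + challenge
        return hmac.new(self._cred_secret, msg, hashlib.sha256).digest()


class OriginBoundServer:
    """Relying party that verifies an assertion over (its own origin, single-use challenge)."""
    def __init__(self, origin: str, verify_key: bytes) -> None:
        self.origin = origin
        self.verify_key = verify_key
        self._pending: set[bytes] = set()

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(32)
        self._pending.add(challenge)
        return challenge

    def verify(self, challenge: bytes, signature: bytes) -> bool:
        if challenge not in self._pending:
            return False             # unknown or already-used challenge (replay)
        self._pending.discard(challenge)
        msg = self.origin.encode() + b"\x00" + challenge
        expected = hmac.new(self.verify_key, msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def fido_legit_login(server: OriginBoundServer, auth: OriginBoundAuthenticator) -> bool:
    challenge = server.new_challenge()
    return server.verify(challenge, auth.assertion(REAL_ORIGIN, challenge))   # True


def fido_relay_login(server: OriginBoundServer, auth: OriginBoundAuthenticator) -> bool:
    """Look-alike site fetches a real challenge and shows it to the victim's browser.
    The browser reports PHISH_ORIGIN, so the assertion does not verify at REAL_ORIGIN."""
    challenge = server.new_challenge()
    return server.verify(challenge, auth.assertion(PHISH_ORIGIN, challenge))   # False


if __name__ == "__main__":
    otp_secret = b"constructed-shared-secret"
    print("OTP relayed through look-alike site accepted:", otp_relay_login(OtpServer(otp_secret), otp_secret))
    authenticator = OriginBoundAuthenticator()
    rp = OriginBoundServer(REAL_ORIGIN, authenticator.registration_material())
    print("FIDO-style legit login accepted:", fido_legit_login(rp, authenticator))
    print("FIDO-style relayed login accepted:", fido_relay_login(rp, authenticator))
```

The single-use challenge set also shows the second property phishing-resistant MFA relies on: even a captured valid assertion cannot be replayed once the server has consumed its challenge.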
No matter what authentication solution you are using, strong or weak, educate yourself (and/or your co-workers) about the various types of popular attacks against that type of authentication solution, and how to detect, mitigate, and report them. A little education can go a long way.
OK, I know it’s likely that I missed some authentication solution you love (or hate). I likely misranked some solution you love. Send me ([email protected]) your comments and suggestions. I may not agree with you, but I’ll listen to you and think about what you’re saying. And if I agree, I’ll update my graphic.
Here’s to the people who put the lines in the sand.
IT Professional (2 years ago): Great graphic, but what is the difference between smart cards with PINs vs. military CACs? Aren't they basically the same thing?
Cloud Transformation @ Google (2 years ago): Wonderfully put! Good insights.
As a Credit Expert, Entrepreneur and Coach I help people achieve their highest calling! (2 years ago): Good post, Roger Grimes.
Cyber Security - Director Large Enterprise Accounts (2 years ago): Great insights.
Manager - IT Operations - WAN Team (2 years ago): Another excellent article, Roger. Appreciate your insights and the guts to put out this ranking!