When passwords are not enough

When passwords are not enough

An identity theft epidemic looms in South Africa and passwords will not be enough to protect you. But there is a solution, writes ARTHUR GOLDSTUCK.

South Africans have to brace themselves for an identity theft epidemic, after a website exposed 60-million South African identity numbers last year, along with extensive personal details (see https://bit.ly/SAbreach).

Suddenly, it is not enough to choose complicated, hard-to-guess passwords for online services like Internet banking, email, backup sites and cellphone services. In many cases, one merely has to confirm a range of personal details – exactly like those exposed in the breach – to change a password and gain access to a website containing financially sensitive information.

It is for this very reason that information security experts have for many years recommended something called two-factor authentication (2FA). It means that, to access a site or service, one needs a physical form of authentication as well as digital verification like user names and passwords.

The typical solution is to use one’s smartphone, usually via a one-time password e-mailed or sent by SMS. While this meets the technical definition of two-factor authentication, it is useless if identity theft has been used to have a new SIM card issued with your number.

Enter U2F, or Universal Second Factor. Jointly developed in 2012 by Google and a company called Yubico, it was adopted a year later by an industry body, the FIDO (“Fast IDentity Online”) Alliance, as a standard for two-factor authentication.

According to Yubico, it “enables Internet users to securely access any number of online services, with one single device, instantly and with no drivers, or client software needed”. You still need separate passwords for each site, but a separate device validates them.

The main problem with the solution in South Africa has been the absence of suitable U2F devices. That, in turn, has largely been a factor of service providers like banks not embracing the standard.

But now, the game has changed, First, a growing number of major international organisations have built it into their security options, with Google, Facebook and Dropbox, among other, all having it as an option.

Secondly, and most important, a South African company has built the first home-grown U2F-compliant solution.

It’s called SOLID wekKey, and it looks like a small USB flash drive. It secures several hundred passwords with a single overarching password. A small, downloadable password manager application allows the user to transform all these passwords into strong passwords that are almost impossible to guess or crack.

It was developed by Ansys, a South African company based in Centurion. Ansys has made a name for itself manufacturing custom security products for clients, ranging from small businesses to large enterprises, across the defence, aerospace, industrial and telecommunications sectors. With webKey, it is venturing into designing and marketing its own products for the consumer market.

“The general public struggles with basic account security,” says Ansys CEO Teddy Daka. “Year after year, we see that easy to crack passwords such as ‘123456’ or ‘password’ are still in common use, and individuals rely on just one or two memorable passwords or passphrases to protect all their online accounts.”

He reminds the public that, while security experts recommend the use of long passwords made up of uncommon phrases, and that every account must be protected with a unique password, people tend to use the same simple credentials all the time. As this writer has pointed out many times, when a user name and password is stolen from one site, it can often be used across multiple services.

The real issue is that people tend to compromise security for the sake of simplicity. The more secure a solution, usually, the more complex, and therefore the less popular. However, we have entered an era when hackers are going after the big fish and the small alike. When it is as easy to break into a million small accounts as one big one, no one remains safe. That means the simple solutions are no longer secure enough.

“People use easy to remember passwords because they choose convenience over security,” says Daka. “This shouldn’t come as a surprise. We shouldn’t expect people to remember passwords that are made up of 25 random characters for an account they need to access every day.”

However, products like SOLID webKey do the remembering for the user. Yes, you can build complex pass phrases into a password locker on your smartphone, but the locker is as vulnerable as the phone itself. Keep the password on a separate device, and one extra barrier has been placed between the hacker and your peace of mind.

How does it work?

SOLID webKey uses a combination of physical password vault, contained on a USB device, and a small industry-standard software application called KeePass.

The password vault is not part of the FIDO specification, but was added by Ansys, which has applied for a patent for this aspect of the solution.

The full name of the application, KeePass Password Safe, sums up its role perfectly: it is the equivalent of placing your valuables in an industrial-strength safe. Of course, as Hollywood teaches us, no safe is completely foolproof, but this kind of solution gives the user a chance against both random hackers and the professionals looking for easy targets.

Typically, hackers would use malware, or infected software, delivered via cunning “phishing” email and other attacks, to steal passwords. The SOLID webKey guards against this by requiring a physical tap of the USB device before passwords can be accessed. Because the password is never typed in, but delivered via a hardware “token”, it can’t easily be intercepted.

This is the basis of both two-factor authentication (2FA) and the Universal Two-Factor (U2F) standard promoted by the FIDO Alliance.

The main obstacle to the wider uptake of U2F is the fact that it remains a mystery to most consumers, and even services like Gmail and Facebook – which come under regular, sustained attack – do not make a special effort to highlight the option. However, as the cyber war intensifies, U2F is expected to move to the front and centre of such sites’ efforts to protect their users.

“Two-factor authentication is rapidly becoming the norm, and is a proven way to secure accounts,” says Daka. “Through SOLID webKey, we hope to make it easier to use and therefore more popular with South Africans who want the best in online security.”



mandy B.

Founder @ FSintel | Entrepreneur, Procurement Innovator

6 年

ORDERING for all employees, let tech be the author of security and NOT PEOPLE x THANK YOU THANK YOU

回复
Ravin Sanjith

Embarking on a career-refresh; helping shape a future where tech enhances every element of the human experience. DM me if you have fun ideas in tech-centric CX Xformations; Auto/Mobility & New Energy piques my interest

7 年

Thanks for this review Arthur. The much prophesized demise of the password is still a long while away, and 2017 exposed the reality of large scale data breaches. This great South African innovation will go a long way to plugging the gap. #IAuth

要查看或添加评论,请登录

Arthur Goldstuck的更多文章

  • Old School is history

    Old School is history

    As South Africa goes into lockdown, the quest begins for new ways of teaching and learning, writes ARTHUR GOLDSTUCK It…

    6 条评论
  • From bots to Slack, all change for financial software

    From bots to Slack, all change for financial software

    It’s not often that actors like Ashton Kutcher and Gwyneth Paltrow have to compete for attention with accountants, but…

    5 条评论
  • Irony in attack on Uber

    Irony in attack on Uber

    The road outside the Sandton Gautrain station in was closed by police today after meter taxi drivers attacked Uber…

    10 条评论
  • Big story lurking in Vodacom results

    Big story lurking in Vodacom results

    There's a massive story lurking in the Vodacom 2016 annual results announced today. Aside from South African…

    16 条评论
  • Meeting Terry Pratchett ... and his gadgets

    Meeting Terry Pratchett ... and his gadgets

    In tribute to Terry Pratchett, who passed away yesterday, we've republished an interview I conducted with him for…

  • From digital divide to attitude divide

    From digital divide to attitude divide

    How developed and developing countries diverge on technology views. From a 12-country study commissioned by Microsoft.

  • Nadav's game-viewing gadgets

    Nadav's game-viewing gadgets

    Nadav Ossendryver, founder of Latest Sightings, the most popular South Africa-based YouTube channel (now past…

    1 条评论
  • Gadgets that will connect you in 2015

    Gadgets that will connect you in 2015

    The new gadgets that will keep you connected - and connect to each other - in 2015. My Gadget.

    2 条评论
  • All the Gadgets of the Year

    All the Gadgets of the Year

    See my full series of columns on the Gadgets of the Year for 2014 - high-end and low-end, fun and serious, automotive…

  • Smartphones of the Year (high-end)

    Smartphones of the Year (high-end)

    My choice for high-end smartphones of the year (Apple, Samsung, Sony, Alcatel, Huawei, Hisense, BlackBerry, LG, HTC…

    2 条评论

社区洞察

其他会员也浏览了