
Security Architecture

MIS 5214 - Section 001 - David Lanter

MIS 5214.703 ■ Spring 2022 ■ David Lanter

My question to discuss with my classmates

February 23, 2022 by David Lanter 44 Comments

Filed Under: 08 - Access Control

Comments

  1. Yangyuan Lin says

    March 1, 2022 at 7:48 pm

    Many smartphones use single-factor authentication, such as unlocking if you know the passcode or use biometrics. But there is much evidence proving that fingerprint or facial recognition have vulnerabilities, so why do smartphone companies still insist on AAL1?

    • Mohammed Syed says

      March 6, 2022 at 5:09 pm

      Because AAL1 gives some assurance that the claimant controls an authenticator bound to the subscriber’s account. It requires single-factor authentication. Fast Identity Online is considered an authentication transaction target at AAL1. AAL1 permitted authenticator types include a memorized secret, a lookup secret, an OOB device, and single-factor and multi-factor OTP devices, as well as single-factor cryptographic software.

  2. Corey Arana says

    March 4, 2022 at 8:48 pm

    How many of you use the same passwords for multiple sites?
    1-5
    6-10
    10+

    • Oluwaseun Soyomokun says

      March 5, 2022 at 3:55 am

      I use almost the same password across multiple sites, but I feel the password can’t be guessed because it’s so lengthy. But sometimes, when I feel my mind might not keep track of the password, I stay with one of the known passwords for easy access. Each time we click “forgot password” on those sites, it makes the password database learn and store possible new and old password combinations for the sites.

      • Corey Arana says

        March 8, 2022 at 10:03 am

        Having a lengthy password is definitely a good thing to have. Consider using MFA for your more important accounts, such as your online banking. If somehow your account for a less important website gets hacked, your password for all your accounts would be compromised.

    • Mohammed Syed says

      March 6, 2022 at 3:46 pm

      I use different passwords for multiple sites. However, if you are using the same password in all places, hackers will get access to your account, because a single leak of that password anywhere puts your accounts at risk, and there are different ways hackers attack your account, for example brute force attacks. I would say use different passwords for multiple websites and different accounts, and change the password every 90 days.

      • Matthew Bryan says

        March 6, 2022 at 5:14 pm

        I agree with the points you raised, Mohammed. Having unique passwords for every service is important. If your account was involved in a breach, your password should be considered compromised. Attackers can use the contents of a breach to launch automated attacks trying the same username and password across multiple sites. Check out https://haveibeenpwned.com/ to see if your email or phone number has been involved in a breach.

        Using a password manager with breach monitoring has helped me manage passwords across the services I use. This allows me to set unique, complex, and random passwords for each application. It also allows me to automate the changing of passwords which saves time.

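Matthew’s pointer to haveibeenpwned.com can be made concrete. The following is an added example, not part of any comment above and not the service’s own code: it models offline how the Pwned Passwords range lookup keeps the full password hash on the client. Only the first five hex characters of the SHA-1 leave the client, the `range_response` function is a constructed stand-in for the real API, and the breach corpus is made up.

```python
"""Offline model of the Pwned Passwords k-anonymity range lookup (added example)."""
import hashlib
from collections import Counter

# Constructed stand-in for a breach corpus (password -> times seen).
# These are made-up entries, not real breach data.
_LEAKED = Counter({"password": 3, "Summer2022!": 2, "letmein": 1})


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the form the Pwned Passwords service uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_response(prefix: str) -> str:
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.

    The real service answers with one 'SUFFIX:COUNT' line per leaked hash
    that begins with the 5-hex-char prefix. Many unrelated hashes share a
    prefix, so the server cannot tell which password was being checked.
    """
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    lines = []
    for pw, count in _LEAKED.items():
        h = sha1_hex(pw)
        if h.startswith(prefix):
            lines.append(f"{h[5:]}:{count}")
    return "\r\n".join(lines)


def pwned_count(password: str, fetch=range_response) -> int:
    """Return how often the password appears in the corpus (0 if never).

    Only the prefix is sent; the suffix comparison happens locally.
    """
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in fetch(prefix).splitlines():
        cand, _, count = line.strip().partition(":")
        if cand == suffix:
            return int(count)
    return 0


def what_leaves_the_client(password: str) -> str:
    """The only value transmitted for a check of this password."""
    return sha1_hex(password)[:5]


if __name__ == "__main__":
    for pw in ("password", "Summer2022!", "a long unique passphrase 4 this site"):
        print(f"{pw!r}: seen {pwned_count(pw)} time(s); sent {what_leaves_the_client(pw)!r}")
```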
      • Corey Arana says

        March 8, 2022 at 10:05 am

        I couldn’t say it better myself, Mohammed. If your account is hacked, your passwords anywhere else are compromised. At my old job, we were required to change passwords every 30 days for our systems with PII.

    • Alexander William Knoll says

      March 7, 2022 at 11:24 pm

      I use the same password for basically everything, which is definitely a problem. Thankfully most important applications have a level of 2FA, so I don’t feel completely exposed, but it’s still an issue. I’ve recently gained access to the use of a family membership for a password manager, so I am hoping to take advantage of that soon enough.

      • Corey Arana says

        March 8, 2022 at 10:06 am

        I’m big on MFA; it’s a great tool to use to have that extra layer of security. I am unfamiliar with password managers. Can you explain what that is in detail? Thanks

        • Alexander William Knoll says

          March 8, 2022 at 11:37 pm

          A password manager is basically an application on your computer that a user can use to manage their passwords for everything. So, for example, it will assign a different complex password to your Gmail, Facebook, etc., and those passwords are then locked up behind an encrypted database that has one “master” password which can be used to access all of your apps or websites. Honestly, that’s as much as I know about it until I actually take the time to set mine up, but I think that’s the gist of it.

    • Joshua Moses says

      March 9, 2022 at 12:20 pm

      Even though I know better, I still use the same 3 passwords for most of my accounts, lol. I know this is not good at all, especially as an aspiring information systems security professional. I learned about this back in 2013, yet I still haven’t implemented the knowledge into my everyday life. This is something that I am definitely going to work on moving forward, because I know it puts my many accounts at risk of being compromised.

  3. Oluwaseun Soyomokun says

    March 5, 2022 at 4:51 am

    Of the access controls from NIST SP 800-63-3, NIST SP 800-63A, and NIST SP 800-63B, which control is much more effective and efficient?

    • Bryan Garrahan says

      March 9, 2022 at 2:54 pm

      All three NIST documents describe United States federal government computer security policies, procedures and guidelines. However, I think it depends on the nature of your business as to which document will be the most efficient for usage.

      • Hang Nu Song Nguyen says

        April 10, 2022 at 8:19 pm

        I agree with Bryan. It all depends on the nature of the business, and the implementation will be based on budgets.

  4. Elizabeth Gutierrez says

    March 5, 2022 at 10:03 am

    There is a consensus among security professionals that passwords are no longer safe and are expected to be phased out. With that being said, what alternative measures can be used and which one do you think is the most effective?

    • Matthew Bryan says

      March 6, 2022 at 5:32 pm

      Passwordless options can use a combination of biometrics, hardware tokens, uniquely registered devices, or other factors that combine something the user is and something the user has.

      My work has been exploring passwordless options using a combination of Windows Hello (this uses facial recognition) along with the Microsoft Authenticator app to allow users to sign into our domain. The main barrier we’re facing is the hardware deployment, as this will require most devices to be upgraded. I imagine other organizations are in the same situation, which leads me to believe that passwords will be around for a while longer. I can see deploying these options to high-risk users, i.e. executives, initially and then rolling this out to others as hardware is refreshed.

      In general, I think a combination of a biometric factor and a uniquely registered device will be the most effective solution to eliminate passwords.

    • Alexander William Knoll says

      March 7, 2022 at 11:31 pm

      At my last organization I had to use a combination of my own password & a security token to access my computer. If passwords are phased out, I expect security tokens to be a standard, along with biometric scanning methods such as fingerprint thumb drives & facial recognition devices. Obviously the risk of losing a token/thumb drives is always a high possibility, so I would say the way of facial recognition would be the most effective, at least at this point in time.

  5. Shubham Patil says

    March 5, 2022 at 6:54 pm

    What is the likely future of passwords?

    • Mohammed Syed says

      March 6, 2022 at 5:37 pm

      According to Beyond Identity, “in 2020, the Verizon DBIR reported that over 80% of data breaches involved the use of lost or stolen credentials, further proving that passwords are just as insecure as they were in the 1960s.” Beyond Identity provides seamless and secure passwordless authentication.
      https://www.beyondidentity.com/blog/history-and-future-passwords

    • Elizabeth Gutierrez says

      March 7, 2022 at 7:36 pm

      Hi Shubham,
      Boyle and Panko’s Chapter 5 section 3 addresses the future of passwords. They are expected to be phased out in the near future as a security measure; many organizations have already started to do so. We can expect authentication technologies to replace complex passwords. I would argue that the most promising seems to be biometric authentication.

    • Hang Nu Song Nguyen says

      April 10, 2022 at 8:12 pm

      I think the future of passwords will be more complex and long. Moreover, to access a system, a user will be required not only to input a password but also to answer security questions.

  6. Bryan Garrahan says

    March 6, 2022 at 1:15 pm

    Do you think biometric passwords are more secure than credential (i.e. 9-12 digit) passwords? What are the pros / cons of both?

    • Yangyuan Lin says

      March 6, 2022 at 9:50 pm

      I think biometric passwords are more secure than passwords. Biometric passwords such as fingerprints and iris are unique biometrics, unlike passwords that are easily entered by attackers. More importantly, biometric passwords actually implement multi-factor authentication, because you need to be physically present to use biometric passwords.

      • Oluwaseun Soyomokun says

        April 20, 2022 at 11:00 pm

        Lin, in my honest view, a strong lengthy password is more secure because it takes almost forever to crack if you don’t share it with anyone, but it turns out that the government can collect your biometric data without your permission by any likely means. They can’t have your password if you haven’t agreed to it, on the other hand.

  7. Matthew Bryan says

    March 6, 2022 at 4:45 pm

    In a criminal investigation involving a phone, why is withholding a passcode protected by the 5th amendment when providing biometric authentication is not? Do you agree or disagree with this precedent?

    • Elizabeth Gutierrez says

      March 7, 2022 at 5:39 pm

      Hi Matthew,
      Great question. In my Cyber-investigations, Digital Forensics, and The Law course, we have examined whether a password is considered a key or an idea. To answer your question, in a criminal investigation, the Fifth Amendment protects defendants from revealing their numeric passcodes because it could be considered self-incriminating testimony. In U.S. v. Kirschner (2010), a Michigan child exploitation material case, the court ruled that a password cannot be compelled by grand jury subpoena because it is being recovered from the defendant’s mind. The precedent for this case was United States v. Hubbell (2000), where the court held that the compulsion of the defendant to produce certain documents was unconstitutional, since it required him to use his own thoughts to identify them. On the other hand, the government can compel a suspect to produce a biometric password because it is compulsion of the accused to exhibit his physical characteristics. I am not opposed to this precedent because it comes down to something you know vs. something you have. If you think about it, biometrics in and of itself is not testimony.

  8. Mohammed Syed says

    March 6, 2022 at 5:39 pm

    What is the implicit cleanup rule, and why is it important?

    • Elizabeth Gutierrez says

      March 7, 2022 at 9:50 pm

      Hi Mohammed,
      From my understanding, the implicit cleanup rule is applied if none of the rules in the Policy Layer match. It is considered the “default catch-all rule” that deals with traffic. It is important because it is set to drop all traffic that does not match any explicit or implied rules in the Layers. More specifically, when a packet arrives at the gateway, it is checked against the rules in the top policy layer, moving sequentially down through the layer.

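To make the top-down matching Elizabeth describes concrete, here is an added example (not from the comments and not any vendor’s code) of a small policy-layer evaluator: rules are checked in order, the first match decides, and a packet that matches nothing hits the implicit cleanup rule and is dropped. The rules, networks and sample packets are constructed.

```python
"""Policy-layer walk ending in an implicit cleanup rule (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    src: str              # CIDR or "any"
    dst: str              # CIDR or "any"
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None means any destination port
    action: str           # "accept" or "drop"

    def matches(self, p: Packet) -> bool:
        def in_net(addr: str, net: str) -> bool:
            return net == "any" or ip_address(addr) in ip_network(net)
        return (in_net(p.src, self.src) and in_net(p.dst, self.dst)
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))


# Constructed policy layer, listed top to bottom. Addresses are made up.
POLICY: List[Rule] = [
    Rule("web-to-dmz",   "any",        "203.0.113.10/32", "tcp", 443, "accept"),
    Rule("lan-dns",      "10.0.0.0/8", "10.0.0.53/32",    "udp", 53,  "accept"),
    Rule("block-telnet", "any",        "any",             "tcp", 23,  "drop"),
]


def evaluate(policy: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Check the packet against each rule from the top; first match wins.
    If no explicit rule matches, the implicit cleanup rule drops it."""
    for rule in policy:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "drop", "implicit cleanup"


if __name__ == "__main__":
    for p in (Packet("198.51.100.7", "203.0.113.10", "tcp", 443),
              Packet("10.1.2.3", "10.0.0.53", "udp", 53),
              Packet("198.51.100.7", "203.0.113.10", "tcp", 22)):  # falls through
        print(p, "->", evaluate(POLICY, p))
```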
  9. Miray Bolukbasi says

    March 6, 2022 at 8:06 pm

    Which access control requires the company to create a public key?

  10. Michael Duffy says

    March 7, 2022 at 12:39 am

    What do you think is the best form of two-factor authentication and why?

    • Hang Nu Song Nguyen says

      April 10, 2022 at 8:17 pm

      I think Google Authentication and company portal are the popular 2FA apps. Moreover, using a separate piece of hardware is another way to gain security of any online account.

  11. Alexander William Knoll says

    March 7, 2022 at 11:35 pm

    What do you believe is currently the most effective form of biometric authentication (fingerprint, facial, iris, etc.)?

    • Amelia Safirstein says

      March 8, 2022 at 12:07 pm

      I think this depends on your organization’s needs. If security needs are very high and money is no object, iris scans are probably the best form of biometric authentication.

  12. Jason Burwell says

    March 8, 2022 at 10:12 am

    Why are Phishing attacks so successful?

    • Amelia Safirstein says

      March 8, 2022 at 11:56 am

      Humans tend to be the weakest link in cyber security. We tend to trust each other and make exceptions where machines/software wouldn’t.

  13. Ryan Trapp says

    March 8, 2022 at 11:43 am

    The chapter in Boyle and Panko mentioned that passwords are being phased out at some companies, due to them being seen as no longer safe due to growing computer power. How would you be affected if your company was to phase out the use of passwords? Would it even be possible?

    • Amelia Safirstein says

      March 8, 2022 at 12:01 pm

      For many organizations (including the one that I work for), phasing out passwords and switching to a different method of authentication (like biometric authentication) would be extremely expensive. For organizations with higher risk tolerance, I believe the switch away from passwords will take more time.

  14. Amelia Safirstein says

    March 8, 2022 at 11:46 am

    Password policies are in place to ensure that passwords are long enough, complex enough, and changed frequently enough to be reasonably secure. Can password policies be too strict or too intense?

    • Joshua Moses says

      March 9, 2022 at 12:12 pm

      I believe that a password policy does have the potential to be too strict. I wouldn’t say that this is necessarily a bad thing though. It is ideal to have passwords require a capital and lowercase letter, a number, a special character and even a certain length.

      In contrast, people tend to forget these long passwords, so they write them down on a sticky note and put it somewhere that can be easily accessed. This makes them even more susceptible to having their accounts compromised!

  15. Ornella Rhyne says

    March 8, 2022 at 6:39 pm

    What places are considered sensitive areas in a company’s access control?

  16. Joshua Moses says

    March 9, 2022 at 12:07 pm

    Can you provide at least one example of identity proofing?

    • Shubham Patil says

      March 9, 2022 at 12:42 pm

      Joshua,

      Increasing the likelihood of a positive ID verification is a matter of gathering more data from the person and increasing available data sources. Fortunately, in today’s data-rich world, there are many more sources of identity information. For example, mobile data, social media information and geolocation all provide additional parameters to match against.
      Identity verification validates that the individual does indeed exist. However, there remains the question, is that person really who they say they are? This question requires private information, which only that person should know. This process of analyzing confidential information for identity proofing is known as identity authentication.

  17. Hang Nu Song Nguyen says

    April 10, 2022 at 8:21 pm

    How do you make effective and accurate access control policies without hurting or preventing business operations?


Fox School of Business
