Last time, I described a (hopefully) frightening scenario in which a user’s entire online life could be laid bare through a single insecure Facebook login. There are many layers to the problems that give rise to this situation. We use networks that are not inherently secure; we develop reasonably secure communications protocols, but do not use them universally or effectively; and users typically do not know how to verify the security of their systems. Today I’d like to introduce the collective action problem of using email addresses and passwords as a universal authentication system.
When it comes to security breaches, there is a question of where to assign blame. We commonly hold that designing a secure system is the responsibility of the system’s designer. The designer is a technical expert, with the expertise and the control needed to design a secure system. Not only does a user lack access to the code that makes the system secure, there is no way that the user could make heads or tails of it even if they had it.
Undoubtedly, when Facebook uses an insecure login system, they bear the responsibility. If this results in their users’ communications being viewed by third parties, this is Facebook’s fault. If it also results in their users’ authentication credentials being compromised, Facebook remains to blame. Whatever damage is done on Facebook by this malicious intruder, it is Facebook’s fault, and Facebook’s responsibility.
However, when the damage spreads beyond Facebook, the situation becomes somewhat murkier. Gmail uses a secure login system. It is not possible to access Gmail without SSL, except by explicitly changing a setting that has warning signs all over it. Even then, it is not possible to use the sign-in page without encryption. So what happens when a malicious adversary captures the login credentials of Facebook user firstname.lastname@example.org? The adversary – let us call her Mallory, because it is customary – now uses these credentials to sign in to Alice’s Gmail account.
One might initially blame the user: after all, it is their shameful password reuse that has allowed a Facebook security vulnerability to become a Gmail one. However, this analysis is short-sighted. The user is a predictable part of the security equation, and one which every systems designer should take into account. Users will always reuse their passwords, will readily disclose them, and will never check certificates. Security should be possible in spite of users, not only in cooperation with them.
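The chain of events above, as an added example (this is illustrative code written for this page, not code from the original post or from either company). The "secure site" stands in for Gmail and does everything right on its own: TLS is assumed on the wire, and passwords are stored as salted PBKDF2 hashes. The captured HTTP request is constructed, as are the account name, the passwords and every function name. The only thing that decides the outcome is whether Alice reused her password.

```python
import hashlib
import hmac
import os
from urllib.parse import parse_qs

PBKDF2_ITERATIONS = 100_000  # hypothetical work factor for the example


class SecureSite:
    """Stand-in for a site whose login is only reachable over TLS and whose
    password store is properly salted and hashed (hypothetical, not Gmail)."""

    def __init__(self):
        self._users = {}  # username -> (salt, pbkdf2 digest)

    def register(self, username, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        self._users[username] = (salt, digest)

    def login(self, username, password):
        record = self._users.get(username)
        if record is None:
            return False
        salt, digest = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        # Constant-time comparison: the site is doing its own job correctly.
        return hmac.compare_digest(candidate, digest)


# Constructed artefact: the login POST that the insecure site (stand-in for the
# Facebook login in the post) sent over plain HTTP, exactly as Mallory sees it
# on the wire. The address and password are made up for this example.
CAPTURED_HTTP_POST = (
    "POST /login HTTP/1.1\r\n"
    "Host: insecure.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "email=alice%40example.org&pass=correct+horse+battery&remember=1"
)


def credentials_from_capture(raw_request, user_field="email", pass_field="pass"):
    """Pull the username and password out of a captured form POST.

    Form bodies are URL-encoded, so '%40' becomes '@' and '+' becomes a space;
    parse_qs handles both.
    """
    body = raw_request.split("\r\n\r\n", 1)[1]
    form = parse_qs(body)
    return form[user_field][0], form[pass_field][0]


def replay_attack(secure_site, raw_request):
    """Mallory replays credentials captured elsewhere against the secure site."""
    username, password = credentials_from_capture(raw_request)
    return secure_site.login(username, password)


def demo(alice_reuses_password):
    """Run the scenario once; returns True if Mallory gets into the secure site."""
    site = SecureSite()
    secure_site_password = "correct horse battery" if alice_reuses_password else "Tr0ub4dor&3"
    site.register("alice@example.org", secure_site_password)
    return replay_attack(site, CAPTURED_HTTP_POST)


if __name__ == "__main__":
    print("reused password  -> breached:", demo(True))
    print("unique password  -> breached:", demo(False))
```

Nothing in `SecureSite` is wrong, and no amount of extra hashing or transport security on that side changes the result; the compromise was complete the moment the plaintext left the insecure site. That is the sense in which the user's behaviour is an input the second site has to design for rather than a fault it can disclaim.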
Facebook is clearly the more proximately culpable. By ignoring standard security practices, they have left themselves and their users open to a complete attack. This is totally unacceptable. However, Gmail isn’t off the hook either. They know that users will reuse passwords. The insecure login might be Facebook, Twitter, an unencrypted IRC connection, or a porn site membership. Whatever it is, Gmail knows that there is going to be a chink in the password system. Now, in the real world, Gmail uses all sorts of security measures to protect users, far beyond the industry standard. But all these after-the-fact add-ons are epicycles: accoutrements designed to compensate for the fundamental failure of the system.
What’s the fundamental failure? It’s the username and password. Given user behaviour, it is not possible to build a secure system around entering a full username and password on web pages. Interface designers have known this for a good long time. However, everyone knows what usernames and passwords are. Everyone uses them continually online. They are a component of comfortable security theatre: they make us feel safer, but are not actually very good at what they do.
If this application of usernames and passwords is known to be so flawed, why do we continue to use them as our ubiquitous authentication scheme? More importantly, why did we ever start?