By Benita Haftorn Hildonen and Andreas Faafeng
In 2004 Bill Gates famously predicted the death of passwords. Almost two decades later the migration from password-based authentication to more secure alternatives on the web remains slow. The industry's main response has been technical: multi-factor authentication using one-time passwords (OTP) generated by an app or delivered by SMS. Selected sectors such as finance and health care have resorted to hardware-based solutions, an expensive exception not within reach of the average service provider.
While we wait for the first year-on-year data breach reports for 2020 to be published, we expect trends from previous years to continue: Massive exposure of passwords and personal data with marginal consequences for those responsible. Not investing in security simply pays off.
Password managers such as LastPass and 1Password are a popular and secure response. They reduce the risk of weak passwords and discourage reuse, but they live entirely on the client: the site still stores a credential for every user, so a breach on the server side is as damaging as before. They therefore do not fully address the password breach problem.
Web Authentication (WebAuthn) is more secure still, and the site itself stores only a public key per credential. In practice, however, most sites deploying it keep a password or recovery fallback on behalf of their users, and that residual attack surface, theoretical and practical, is one the industry cannot ignore. The multitude of technical solutions is the IT equivalent of Las Vegas; blinking lights and a fast city pace, but no long-term sustainability.
Technically, the IT industry knows very well how to solve the authentication problem. Coming up with attractive, standards-based solutions and driving their adoption has, however, proven difficult in practice. Secure Quick Reliable Login (SQRL) is one of the few readily available, low-friction solutions that do not burden web sites with keeping authentication secrets on behalf of users. The client derives a separate key pair for every site from a master key it never shares; the site stores only the public key and logs the user in by verifying a signature over a single-use challenge. Nothing in the site's database is secret, which removes confidentiality from the equation altogether: a breach yields nothing an attacker can log in with. Adoption is limited, and as with the alternative technical solutions, migration to it is disappointingly slow.
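To make the "site keeps no secret" property concrete, here is a small public-key login modelled on SQRL's design, written for this article and not taken from the SQRL reference client or any other project. It assumes Ed25519 for signatures and derives the per-site key as HMAC-SHA256(master key, domain), which is SQRL's construction, but the message layout, the server API and the domain names are simplifications chosen for the example. Both sides of the exchange are shown: the client signs a single-use challenge, the server verifies it against the only thing it stores, a public key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// ---- client side: the only place a secret ever lives ----

// Identity holds the user's master key. It never leaves the client.
type Identity struct{ master []byte }

func NewIdentity() (*Identity, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &Identity{master: k}, nil
}

// siteKey derives a per-site Ed25519 key as HMAC-SHA256(master, domain),
// the construction SQRL uses. Sites cannot correlate a user across
// services, and a breach at one site reveals nothing about another.
func (id *Identity) siteKey(domain string) ed25519.PrivateKey {
	mac := hmac.New(sha256.New, id.master)
	mac.Write([]byte(domain))
	return ed25519.NewKeyFromSeed(mac.Sum(nil)) // 32-byte seed
}

// PublicKey is what the user hands the site at registration.
func (id *Identity) PublicKey(domain string) ed25519.PublicKey {
	return id.siteKey(domain).Public().(ed25519.PublicKey)
}

// Sign answers a login challenge. The signed message names the domain the
// client believes it is talking to, so a challenge relayed by a phishing
// site is signed under the wrong key and the wrong name.
func (id *Identity) Sign(domain string, challenge []byte) []byte {
	return ed25519.Sign(id.siteKey(domain), loginMessage(domain, challenge))
}

// loginMessage is the byte string both sides sign/verify (example layout).
func loginMessage(domain string, challenge []byte) []byte {
	return append([]byte(domain+"\x00"), challenge...)
}

// ---- server side: stores public keys only ----

type Server struct {
	Domain string
	users  map[string]bool // base64 public key -> registered; nothing secret
	nuts   map[string]bool // outstanding single-use challenges ("nuts" in SQRL)
}

func NewServer(domain string) *Server {
	return &Server{Domain: domain, users: map[string]bool{}, nuts: map[string]bool{}}
}

func (s *Server) Register(pub ed25519.PublicKey) {
	s.users[base64.StdEncoding.EncodeToString(pub)] = true
}

// Challenge issues a fresh random nonce that is valid for exactly one login.
func (s *Server) Challenge() ([]byte, error) {
	nut := make([]byte, 16)
	if _, err := rand.Read(nut); err != nil {
		return nil, err
	}
	s.nuts[string(nut)] = true
	return nut, nil
}

// Login verifies the signature against the stored public key. Every failure
// returns the same error so the response does not reveal which check failed.
func (s *Server) Login(pub ed25519.PublicKey, challenge, sig []byte) error {
	fail := errors.New("login refused")
	if !s.nuts[string(challenge)] {
		return fail // unknown, expired or replayed challenge
	}
	delete(s.nuts, string(challenge))
	if !s.users[base64.StdEncoding.EncodeToString(pub)] {
		return fail
	}
	if !ed25519.Verify(pub, loginMessage(s.Domain, challenge), sig) {
		return fail
	}
	return nil
}

func main() {
	id, err := NewIdentity()
	if err != nil {
		panic(err)
	}
	site := NewServer("example.com") // example domain
	pub := id.PublicKey(site.Domain)
	site.Register(pub)

	nut, _ := site.Challenge()
	fmt.Println("genuine login:", site.Login(pub, nut, id.Sign(site.Domain, nut)))
	fmt.Println("replayed login:", site.Login(pub, nut, id.Sign(site.Domain, nut)))

	// Phishing: evil.example relays example.com's challenge to the client,
	// which signs it for the domain it actually sees.
	nut, _ = site.Challenge()
	fmt.Println("relayed via evil.example:", site.Login(pub, nut, id.Sign("evil.example", nut)))
	// A breach of site.users hands the attacker public keys only; they sign nothing.
}
```

The point to take from the server half is what is absent: no hash, no salt, no secret to rotate or to disclose. A dump of `users` is a list of public keys, which is exactly what the user already publishes to the site on registration.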
With its third anniversary approaching, the EU's GDPR has resulted in fines totalling some €300M for failure to properly protect the personal data of citizens. Recently the dating app Grindr was served notice of a 100m NOK (£8.6m) fine by the Norwegian Data Protection Authority for sharing highly personal information with advertisers.
This marks a sea change in how business and government should collect, process and share the personal data of users and citizens. As far as we know, it is the first time a business has been fined for collecting and sharing data rather than for failing to protect it.
Whether a password is personal data depends on context. Can it be related to an identified or identifiable person? Then it is personal data. If the password is salted and hashed, and stored separately from your personal details, so that it cannot be traced back to you and two people who chose the same password do not end up with the same hash, then perhaps your password is not personal data.
Either way the password has two distinct properties: it can serve as a protection mechanism (a key) for your personal data, and it can itself be personal data (if stored alongside your personal data, or if you use your name or other personal details as your password). This double risk suggests we should employ the maximum principle and protect it as if the most stringent requirements apply.
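The "salted and hashed" condition above is the difference between a stored value that links two people who share a password and one that does not. The following example, added here and not code from the article or from any product it mentions, shows both forms side by side: a bare SHA-256 of the password (linkable) against a PBKDF2-HMAC-SHA256 record with a random per-user salt and constant-time verification. PBKDF2 is written out against the Go standard library so the block runs without dependencies; the iteration count is an assumption taken from current OWASP guidance, and the two users and their shared password are constructed sample input.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// DefaultIterations is the work factor for new records. 600,000 is the
// figure OWASP recommends for PBKDF2-HMAC-SHA256 as of 2023 (assumption:
// adjust to your own hardware budget).
const DefaultIterations = 600_000

// pbkdf2SHA256 is PBKDF2 with HMAC-SHA256 (RFC 8018, section 5.2) for a
// derived key of exactly one hash output (32 bytes), which is all a
// password record needs.
func pbkdf2SHA256(password, salt []byte, iterations int) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // block index 1, big-endian
	u := prf.Sum(nil)             // U1
	dk := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil) // U(i+1) = PRF(P, U(i))
		for j := range dk {
			dk[j] ^= u[j]
		}
	}
	return dk
}

// unsaltedDigest is the "before" form: a bare hash of the password. Every
// user who picks the same password gets the same digest, so stored values
// are linkable across accounts and across breaches.
func unsaltedDigest(password string) []byte {
	h := sha256.Sum256([]byte(password))
	return h[:]
}

// PasswordRecord is what the site stores: never the password itself.
type PasswordRecord struct {
	Salt       []byte
	Iterations int
	Hash       []byte
}

// NewPasswordRecord salts and hashes a password with a fresh random salt.
func NewPasswordRecord(password string, iterations int) (PasswordRecord, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return PasswordRecord{}, err
	}
	return PasswordRecord{
		Salt:       salt,
		Iterations: iterations,
		Hash:       pbkdf2SHA256([]byte(password), salt, iterations),
	}, nil
}

// Verify recomputes the hash with the stored salt and compares in constant
// time, so a login attempt leaks no timing information about how many
// leading bytes matched.
func (r PasswordRecord) Verify(password string) bool {
	candidate := pbkdf2SHA256([]byte(password), r.Salt, r.Iterations)
	return subtle.ConstantTimeCompare(candidate, r.Hash) == 1
}

// Linkable reports whether two stored values reveal that their owners share
// a password. With random per-user salts this is false even when they do.
func Linkable(a, b []byte) bool { return bytes.Equal(a, b) }

func main() {
	// Constructed sample: two users who happened to choose the same password.
	const shared = "correct horse battery staple"

	fmt.Println("unsalted SHA-256, alice and bob linkable:",
		Linkable(unsaltedDigest(shared), unsaltedDigest(shared)))

	alice, err := NewPasswordRecord(shared, DefaultIterations)
	if err != nil {
		panic(err)
	}
	bob, err := NewPasswordRecord(shared, DefaultIterations)
	if err != nil {
		panic(err)
	}
	fmt.Println("salted PBKDF2, alice and bob linkable:", Linkable(alice.Hash, bob.Hash))
	fmt.Println("alice:", hex.EncodeToString(alice.Hash))
	fmt.Println("bob:  ", hex.EncodeToString(bob.Hash))
	fmt.Println("alice, right password:", alice.Verify(shared))
	fmt.Println("alice, wrong password:", alice.Verify("Correct horse battery staple"))
}
```

Note what the salted record still is: a value that, combined with the user's row, verifies a guess. It stops an attacker reading the table from learning who shares a password with whom, and it makes each guess expensive, but it does not make the table harmless, which is the reason the article argues for treating it as personal data regardless.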
We propose a legislative approach to the password breach problem inspired by the relative success of the GDPR. While we wait for low-risk authentication technology to be adopted, a legal approach based on liability for user data could be effective in moving the IT industry forward.
The management of passwords is not exempt from the general security and protection requirements of the GDPR (e.g. as defined in Article 32, https://gdpr-info.eu/art-32-gdpr/). However, violations of these protections seldom lead to any reaction or consequence.
Firstly, explicitly defining passwords as personal data would in our opinion be both necessary and sufficient to create awareness of the protection passwords need. Secondly, it would adjust our common expectation of a legal reaction when those protections are not in place. It would substantially shift the legal and economic rules of play and create sufficient incentive to invest properly in password security.
To store a password is an obligation no one should take lightly. Rick Astley's 1987 hit was perhaps all about passwords:
– Never gonna give you up.
Photo 1: Rick Astley : Live in Singapore, 3 Aug 2008, Attribution: https://www.flickr.com/photos/chinnian/
Photo 2: Las Vegas. Attribution: https://www.flickr.com/photos/that_chrysler_guy/7161539179/