Usability is Security: The Future
In my earlier post, we covered some lessons the security community has learned about human behavior in the last several decades. Here’s a quick recap of the high-level lessons:
Users expect security without having to work for it -- not due to laziness, but because it’s an expected feature of the product or service.
Users engage best with a relatively easy step during a period of already-expected friction, e.g. setting up a new device.
Users expect security to be inherent in the device, regardless of what they’ve actually configured.
In an unexpected period of friction in a product (OAuth consent, permissions, etc.), user engagement will be lower than at other times. User education and engagement are crucial at this point.
So now that we’ve learned these lessons, how is the security community planning on integrating these lessons going forward? What new things are both technologically sound and relatively frictionless for the user?
Passwordless Authentication & WebAuthn
Universal 2nd Factor (U2F) was popular in part because it was easy, but it also used the battle-tested security of public key cryptography. If you’re unfamiliar with the mechanics of public key cryptography and would like a non-technical primer, here’s an excellent explanation.
U2F became a good second factor in a world where the primary factor was becoming increasingly flawed. To quote Randall Munroe, our first factor, the password, was becoming something “hard for humans to remember and easy for computers to guess.”
As U2F became popular and easily available, the security community began examining the technology as an option to replace our primary factor instead of supplementing it. This has manifested primarily in the WebAuthn spec, which is already implemented within Chrome and Firefox, with Edge and Safari on the way.
WebAuthn takes the security of U2F and makes it more accessible and familiar. It supports using hardware tokens similar to U2F, but it can also use the security hardware already common in Android, iOS, Mac and Windows devices.
As WebAuthn becomes widespread, you’ll create your online accounts with biometrics and log in the same way, no password needed. Your biometrics won’t leave the device; the actual authentication is handled by secure hardware in the device itself. The biometric is only used to decide whether to allow or deny the authentication attempt. This will be one of the easiest authentication methods ever made available that’s still backed by good security practices.
In fact, you can test an early implementation of this now if you have an Android device or a Mac with Touch ID. Use Chrome and go to http://webauthn.io and select the TPM option.
This is still an area of ongoing research, where engineers are currently debating the best way to handle things like account recovery, but the groundwork for a passwordless future has been laid.
While passwordless authentication & WebAuthn have far-reaching implications for consumer and enterprise authentication, a similar revolution is happening in enterprise authorization and networking, known as zero-trust networking (ZTN), also described in Google’s BeyondCorp papers and under the name de-perimeterization.
Traditionally, a lot of authorization has happened at “Layer 2” and “Layer 3”, so users are able to access services simply because they are physically connected to their office network.
Multiple offices needing to connect together has led to virtual private network (VPN) usage becoming widespread at the networking level, i.e., the network managers would connect offices over a VPN so that from an employee’s perspective, a New York City office and a San Francisco office would be the same network. As laptops and working from home became more common, a consumer VPN application achieved the same effect. Employees logged into an app on their computer and were connected as if they were physically connected in the office.
As this happened, the consumer world was solving a similar issue in a very different way. For accessing an early web service like Hotmail, the creators didn’t want users to have to install new software, so they had users enter their credential into the software they already had - their web browser. They started handling authentication and authorization in the Application Layer itself.
As users became more mobile and started conducting work on mobile devices such as BlackBerries, and eventually iOS and Android devices, it was clear a new method of both authentication and authorization for enterprises was needed. Google began implementing these security procedures and published several papers on their BeyondCorp effort.
Enterprises are moving from authorizing at Layers 2 and 3, to the Application Layer where it is easy to authorize a user per service, not just the network as a whole (or even network segments).
As enterprises increasingly move toward the goal of ZTN, more checks happen when a user is authorized. The user logs in and their credentials are checked as usual, but the authentication and authorization systems can also check the health of the device the user is using, their location and history for anomalies, and more. With all of this information, access can be allowed or denied with a greater degree of granularity.
In an ideal ZTN implementation, all connections are authorized every time they’re initiated. All connections pass through an access proxy, which handles the authentication and authorization of each request. The proxy can use multiple data points -- most commonly from a policy engine -- to make its decision.
While this adds a great amount of information and security to the systems used by enterprises, it also makes the user experience vastly different. The employee doesn’t have to use a special app or meet a prerequisite for using a corporate system. They simply go to the URL of the application they want to use and log in the same way as they do with a consumer app. The ZTN checks are mostly transparent to the user.
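To illustrate the per-request decision the access proxy makes, here is an added example (not code from the original post or from Google’s BeyondCorp) of a toy access proxy and policy engine in Node.js. Every request is evaluated on its own with no notion of a trusted network; the policy engine combines the user’s authentication state and group, the device’s posture and a simple location-anomaly signal, and the proxy either forwards the request or returns a 403 with the reason logged. The service names, policy fields, device-posture attributes and the tier scoring are all constructed assumptions for illustration.

```javascript
// Added example, not from the original post: a toy ZTN access proxy with a
// policy engine. All service names, policy fields and posture attributes are
// constructed assumptions.

// Policy engine input: each service states what it takes to reach it.
const SERVICE_POLICIES = {
  'wiki.corp.example':    { minTier: 1 },
  'hr.corp.example':      { minTier: 2, requireMfa: true },
  'prod-db.corp.example': { minTier: 3, requireMfa: true, allowedGroups: ['sre'] },
};

// Device posture -> trust tier. An unmanaged device gets tier 0 even when it
// is plugged into the office network; the network is not a signal here.
function deviceTier(device) {
  if (!device || !device.managed) return 0;
  let tier = 1;
  if (device.diskEncrypted) tier += 1;
  if (device.osPatchAgeDays <= 30 && device.edrRunning) tier += 1;
  return tier;
}

// Location/history anomaly: a new country within an hour of the last login.
function isAnomalous(ctx, history) {
  return Boolean(history.lastCountry && ctx.country &&
                 history.lastCountry !== ctx.country && ctx.minutesSinceLastLogin < 60);
}

// The policy engine's decision for one request. Checks are ordered from the
// cheapest/strongest denial to the softest so the reason is informative.
function authorize(request, history) {
  const policy = SERVICE_POLICIES[request.service];
  if (!policy) return { allow: false, reason: 'unknown service' };
  if (!request.user || !request.user.authenticated) return { allow: false, reason: 'not authenticated' };
  if (policy.requireMfa && !request.user.mfa) return { allow: false, reason: 'MFA required' };
  if (policy.allowedGroups && !request.user.groups.some(g => policy.allowedGroups.includes(g))) {
    return { allow: false, reason: 'user not in allowed group' };
  }
  const tier = deviceTier(request.device);
  if (tier < policy.minTier) return { allow: false, reason: `device tier ${tier} below required ${policy.minTier}` };
  if (isAnomalous(request.context, history)) return { allow: false, reason: 'location anomaly; step-up verification required' };
  return { allow: true, reason: `tier ${tier} device, policy satisfied` };
}

// The access proxy: asks the policy engine on every request, then forwards or
// refuses. Forwarding is simulated by calling `upstream`. Each decision is
// logged with its reason, which is the audit trail a SOC would consume.
function proxyRequest(request, history, upstream) {
  const decision = authorize(request, history);
  const who = request.user ? request.user.name : '-';
  const logLine = `user=${who} service=${request.service} allow=${decision.allow} reason="${decision.reason}"`;
  if (!decision.allow) return { status: 403, body: decision.reason, logLine };
  return { status: 200, body: upstream(request), logLine };
}

// Constructed sample requests exercising each branch.
function demo() {
  const healthyLaptop  = { managed: true,  diskEncrypted: true, osPatchAgeDays: 5, edrRunning: true };
  const personalPhone  = { managed: false };
  const alice = { name: 'alice', authenticated: true, mfa: true, groups: ['sre'] };
  const bob   = { name: 'bob',   authenticated: true, mfa: true, groups: ['eng'] };
  const home  = { country: 'US', minutesSinceLastLogin: 600 };
  const abroad = { country: 'DE', minutesSinceLastLogin: 10 };
  const history = { lastCountry: 'US' };
  const upstream = req => `served ${req.service}`;

  return {
    sreToProd:       proxyRequest({ user: alice, device: healthyLaptop, service: 'prod-db.corp.example', context: home }, history, upstream),
    unmanagedToWiki: proxyRequest({ user: alice, device: personalPhone, service: 'wiki.corp.example', context: home }, history, upstream),
    engToProd:       proxyRequest({ user: bob,   device: healthyLaptop, service: 'prod-db.corp.example', context: home }, history, upstream),
    anomalyToHr:     proxyRequest({ user: alice, device: healthyLaptop, service: 'hr.corp.example', context: abroad }, history, upstream),
  };
}
```

Note that the engine never looks at a source IP or VLAN: the same user with the same device gets the same answer from the office, from home or from a café, which is the property that lets the user experience stay identical to a consumer web app.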
As information security has progressed, one of the major changes has been a shift in responsibility. While the user’s own security was and still is ultimately their responsibility, developers, IT and security teams are taking more ownership of the process than ever before.
Users are regularly exposed to phishing, social engineering, malicious applications, and compromised sites, apps and extensions. Even completely “secure” implementations are so confusing and error-prone that users explicitly allow things they never intended to.
The security community is taking on larger systemic issues of user psychology and social engineering attacks, and protecting users from them, not just enabling them to protect themselves.
As we go forward, passwordless authentication and WebAuthn will grow in usage to better protect users against psychological threats such as phishing. In enterprises, zero-trust systems will protect the employees, the company and the data belonging to the company’s customers.
As new systems are developed, security, both technological and psychological, will be considered from the beginning and built into the design of products.