Why passwords are not enough?


When it comes to computing, the concept of “logging in” has been around since approximately 1961, when in the days of boxy mainframe computers, a clever engineer came up with the idea of password-protecting the machine by issuing a login prompt. The first operating system to utilize this function was Compatible Time-Sharing System and it was nothing like Windows, Mac or Linux today. Yet the idea stuck around. During the development of Unix – mostly in the 1970s – the login  idea was borrowed and a bit expanded to include separate directories for each user, thus making the machine a true multi-user device. With time and the growing popularity of Unix-derived systems in server environments, the login & password combination idea became the de-facto standard in how the majority of Internet users still authenticate themselves today.

Good, but archaic idea

The idea of utilizing the username & password combo to access different files and services has been a staple of Internet services for decades. This simple idea allows a single company, or device, to offer services to virtually unlimited number of users, while maintaining their privacy at the same time. So far so good. 

The advent of the ubiquitous Internet, however, changed everything. In late ‘80s and early ‘90s desktop computers were mostly stand-alone machines, sometimes connected to an internal business or academic network (LAN) and rarely connected to the Internet at large. Even when “on-line”, they were connected most likely by a modem, for brief periods of time. Broadband was out of reach for the majority of the population and utilizing online services for things such as shopping, banking or conducting official business was reserved for only a select few.

Fast-forward a few decades later, it appears that the Internet is everywhere. Not only has the number of Internet users sky-rocketed, but also the hardware has drastically changed. Today, an  average person of working age in the developed world most likely possesses several Internet-enabled devices, and some (if not all) are connected 24/7 to some type of a broadband service. 

In sum, the number of permanently Internet-connected devices has sky-rocketed in the same way, as the number of Internet users. More people are getting online everyday and the world of Internet services is thriving. Yet most of these devices and services is still protected by the same, ages-old login & password scheme. It’s no wonder that hackers have long ago noticed this inconsistency and are using it as a window of opportunity to make a quick buck.

Problematic username & password

The idea of utilizing login & password combo to access services or resources is not a bad idea in itself. However, given the number of ways this information can be stolen, it’s a very unsafe method of authenticating a user in a modern, Internet always-on environment.

First of all, there’s the malware:

  • Keyloggers can be used to silently copy all data entered through the keyboard
  • Spyware can be used to monitor user’s behavior, often through taking screenshots or sending traffic data to the hacker
  • Backdoors flat-out allow hackers to execute scripts on victim’s machines

Second, social engineering attacks are also a very efficient way of illicitly obtaining usernames and passwords:

  • Phishing emails can be used to manipulate the victim to reveal their authentication credentials or to install malware
  • Spear phishing attacks utilize more sophisticated ways of coercing a victim to reveal their current login and password, such as by asking the victim to “reset” their current credentials on platforms they already utilize
  • Whaling targets C-level executives through phishing, smshing, vishing and various other deception methods

Third, there’s also packet sniffing – which is basically intercepting traffic en-route, password sharing (human error), or the possibility of an Internet service flat-out being hacked, as a copy of the username & password combo also resides on remote servers of each service provider. 

2FA or Two-Factor Authentication

The main problem with solely utilizing username & password for authentication purposes has to do with the fact that there is a single point of failure. If one device is compromised – such as a smartphone or a laptop – all accounts on that device are compromised as well.

2FA (Two Factor Authentication) tries to address this problem.  Rather than relying on a single machine for all authentication purposes, 2FA tries to break up the login process into two steps, each requiring a different piece of physical hardware. The idea is simple: it’s relatively easy to hack one computer, however, it’s quite difficult to compromise two devices at once.

2FA Examples

Online banking transactions are often secured by sending an SMS verification code

One of the most widely-used methods of two-factor authentication has been the SMS (text message) option. In fact, the European banking sector has been utilizing this method for nearly a decade. 

When a user wants to log in, they’re presented with the traditional login & password prompt. Upon successfully authenticating, a text message is sent to a previously-configured telephone number. This message contains a one-time (usually numeric) code, which the user has to type into the website to complete the login process. When it comes to online banking, this process can be repeated whenever necessary – for example, when approving a funds transfer or changing the password.

This method, albeit much safer than plain username & password, is still susceptible to being circumvented. One of the ways hackers can circumvent this 2FA method is SIM jacking, during which the telecom operator is tricked into assigning the telephone number to a new SIM card, therefore re-routing all calls and text messages to a new device. Although rarely successful, some hackers managed to deploy a successful social engineering attack that won the confidence of a telecom operator and briefly allowed a second SIM card to take over a number. Even if this trick worked for only a brief period of time (usually a few minutes or hours until the rightful owner realized their telephone no longer works), it was enough to SMS-approve a few transactions. The second method is utilizing a social engineering attack aimed at the rightful owner of the telephone number. This usually involves a confidence trick through e-mail or SMS in which the victim is duped into forwarding the one-time code to the hacker.

One-time access codes are a good alternative, provided they’re not in plain sight or stored on a compromised computer

Another widely-used method is a one-time access code list. This method of two-factor authentication is very similar to the SMS method, as it also relies on one-time codes (passwords) which need to be entered in addition to the username & password combo. 

Upon first registering for a service, a user is prompted to download or print a long list of one-time codes, usually numbered for easier reference. Upon logging in to a service, the user is instructed to also enter a randomly-picked one-time code from their list, in addition to the usual login and password entry. The reason for randomness is assurance in case someone manages to copy a portion of the list. By asking for a random, rather than sequential code number, the attacker cannot easily authenticate next transactions by going down the list.

This method, unfortunately, can be circumvented as well. If a list of one-time codes resides on the same computer which is used to enter username & password – such as in form of a text file – this method is practically useless. A printed list of one-time codes can also be lost or stolen, which once again defeats the point of this method. Paradoxically, however, the good news is that circumventing this method is done primarily through exploiting a human error (losing a list or keeping it on the same computer). As such, if human error is eliminated, this method can be quite secure.

Authentication apps are becoming more common, although they differ widely

Some companies have opted in to utilizing smartphone apps as a method of two-factor authentication. This method does not differ much from the first example – the SMS method. The main difference is that an authenticating application is used on the user’s smartphone, rather than a text message, and hence, the user does not have to type in any codes on a physical keyboard.

Authentication apps differ from vendor to vendor. Some may simply have a “approve” button (or its equivalent) which will only become active when a proper username and password combination has been entered on a website. Once the user clicks “approve” the login process continues. Other apps may utilize generating a QR code, which will need to be scanned by presenting it to a webcam, or verifying user’s identity through fingerprint or a face scan. There’s always the option of sending one-time codes (just as in the case of SMS 2FA), the only difference being the method of receiving the code – through the app, rather than a text message.

A U2F USB key is the latest and most secure solution so far

One of the latest trends, and mostly popular due to Google’s PR campaign in this field, is utilizing a U2F hardware USB key, such as YubiKey. This special piece of hardware connects directly to authentication servers, bypassing the need for users to enter any further information.

When the user properly enters their username & password combo into a website, they’re asked to plug in the USB key and optionally push a physical button on the device. Upon doing so, the authentication servers directly access the USB key and securely transfer additional authentication credentials. Since the transfer is encrypted and login information is strictly related to a unique hardware device ID of the key, there’s no easy way to replicate this method of authentication. In fact, Google claims it has eliminated all successful phishing attacks by using this method and has been utilizing it since 2017. 

No technological solution is safe without knowledge

Using two-factor authentication is by far a much safer choice than still relying on ages-old username & password combo. Hacking two systems at once – for example, a smartphone and a personal computer – is a very difficult task to accomplish. The same can be said about SIM jacking: it can be done, however, it’s not an easy process.

SIM jacking involves tricking a telecom operator into migrating a number to a new SIM card

Nonetheless, even two-factor authentication can be compromised, especially when the user unknowingly aides the hackers. Various social engineering attacks exploit human nature and good will, by tricking victims into divulging personal information or forwarding one-time codes to the attackers. Technology can be also exploited, as nothing really stands in the way of a hacker creating a copycat website which appears legitimate, copies login information (including a one-time code) and forwards it to the rightful website, correctly logging in the user in the process.

The U2F USB keys are perhaps a step in the right direction. However, experts are discussing the possibility of keys being physically stolen or utilizing various man-in-the-middle social engineering schemes to circumvent the technology. All-in-all, it comes down to the user not unknowingly becoming an internal actor who helps the attacker from within. Those, unfortunately, account for as much as 34% of data breaches according to Verizon’s 2019 Data Breach Investigation Report.

As such, the best way to prevent data leaks is to address the human error problem. Whether circumventing the ages-old username & password combo, or breaking through the secondary 2FA defense line, nearly always there’s the element of a successful social engineering attack. 

Those especially vulnerable to whaling attacks – such as managers and C-level executives – might want to consider bespoke VIP cybersecurity protection services. These services consider each individual and organization individually by assessing cybersecurity needs, risks, infrastructure weak points and incorporate a component of learning/advisory in the process. The end-result is hardened devices and sharp eye when it comes to possible attacks.

For the everyday Internet user and a corporate employee working with sensitive data, the best solution is education and raising awareness of current methods of social engineering attacks. By learning how hackers trick victims into divulging sensitive information, employees are able to spot the red flags before they commit to sending any information. If IT departments have some spare time on their hands, such training can be developed in-house. For those short on time, there are complete cybersecurity training options available in-person or on-demand.

Rate the article: