Passwords are only one piece of the puzzle

Something I’ve argued for in the past is the need to not treat passwords as all-or-nothing access. It’s not binary. It shouldn’t be grant or not grant; on or off. Passwords are just one piece of the authentication puzzle. Someone entering a password should be viewed with more confidence that they are who they say they are, but not with complete confidence. When analyzing access to information, a more nuanced analysis should be done to assess the sensitivity of the information and the level of confidence in authentication it demands. If you need X confidence, require X level of authentication. If you need Y confidence, require Y level of authentication.

Many websites require you to log in (again) if you’re accessing sensitive information or making a significant account change (such as changing the email address on the account). This is because the fact that someone is logged in only gives a small level of confidence that they are who they say they are. After all, someone could log into a public terminal and walk away, allowing someone else to sit down at the computer. Or an attacker could be using a tool such as FireSheep to impersonate someone’s web session on a public network.

Joseph Bonneau has a related post on Light Blue Touchpaper discussing that authentication is becoming a machine learning problem.

Multi-factor authentication is really a method for adding confidence to your authentication, but it still should never be viewed as 100% or 0%. If you’ve ever forgotten your password, you know that your failure to remember it is not proof that you aren’t who you say you are. Similarly, knowing your password is not proof that you are. It just tends to suggest one way or the other. Financial websites are the most common ones adopting other signals of authentication, such as your user agent or a cookie previously placed on your machine. Facebook also checks that you’re in the same country you’re usually in, or that you’re using a browser you’ve used in the past. If not, they place additional hurdles before you can access your account. If you’ve ever phoned your credit card company from a phone they don’t have on record, you will have noticed they require additional verification.

As you develop your applications, you should identify critical information or controls that may require additional confidence. Then look for methods of increasing that confidence: requiring additional information from the user, verifying keyboard cadence, identifying IP addresses and user agents, biometric requirements, fobs or dongles, etc.
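To make the argument concrete, here is an added example (not code from the original post) of the scoring approach described above: each signal contributes points toward a confidence score, each action demands a threshold, and a shortfall triggers a step-up prompt instead of a flat denial. The signal names, point values and thresholds are constructed for illustration, not a standard.

```python
# Confidence points each signal contributes (constructed weights, not a standard).
SIGNAL_POINTS = {
    "password": 50,          # knowing it suggests identity, but does not prove it
    "known_cookie": 20,      # a cookie previously placed on this machine
    "known_user_agent": 10,  # a browser seen before on this account
    "usual_country": 10,     # request comes from the account's usual country
    "second_factor": 40,     # one-time code, hardware token, call-back, etc.
}
MAX_CONFIDENCE = 100

# Confidence each action requires: the more sensitive, the higher the bar.
ACTION_THRESHOLDS = {
    "view_feed": 50,         # routine, low-sensitivity content
    "view_statements": 80,   # sensitive information
    "change_email": 100,     # account-takeover lever: demand everything
}


def confidence(signals):
    """Sum the points of the signals present, capped so nothing is ever 'proof'."""
    unknown = set(signals) - SIGNAL_POINTS.keys()
    if unknown:
        raise ValueError(f"unknown signals: {sorted(unknown)}")
    return min(MAX_CONFIDENCE, sum(SIGNAL_POINTS[s] for s in signals))


def authorize(signals, action):
    """Return (allowed, shortfall): shortfall is the confidence still missing."""
    needed = ACTION_THRESHOLDS[action]
    have = confidence(signals)
    return have >= needed, max(0, needed - have)


def step_up_options(signals, action):
    """Signals not yet collected, strongest first, that could close the shortfall.

    A caller would prompt for the first one the user can provide (re-enter the
    password, send a one-time code) rather than refuse the action outright.
    """
    allowed, shortfall = authorize(signals, action)
    if allowed:
        return []
    missing = [s for s in SIGNAL_POINTS if s not in signals]
    return sorted(missing, key=lambda s: SIGNAL_POINTS[s], reverse=True)


if __name__ == "__main__":
    # Constructed sessions: a fresh password login, and a user who forgot the
    # password but is on a known browser in the usual country with a second factor.
    sessions = {"password only": {"password"},
                "no password": {"known_cookie", "known_user_agent",
                                "usual_country", "second_factor"}}
    for name, sig in sessions.items():
        for action in ACTION_THRESHOLDS:
            print(name, action, authorize(sig, action), step_up_options(sig, action))
```

Note that the forgotten-password session still reaches the statements page, while neither session can change the email address without one more signal: the password alone is neither necessary nor sufficient.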