Why Facebook, Google and Apple have got authentication wrong

Opinion by Thomas Bostrøm Jørgensen

We've known that the password hasn't been secure for quite some time.

Salt your hashes any way you please, reject dictionary words, demand numbers and punctuation – it's all, ultimately, in vain. All the user has to do is scribble their password next to their PC, or reuse the same password, and the game is up.

More and more organisations are embracing two-factor authentication, using not just a password (something you know) but also a second factor (something you have) to confirm identity. The idea is that someone with nefarious intentions is far less likely to obtain both. A shoulder-surfer will only gain your PIN before slinking away, while a bag-snatcher may get away with your phone, but neither of these on its own will give the criminal access.

The big technology behemoths and retail banking giants know this, and Google, Apple and Facebook have all either launched or are planning to launch two-factor authentication using one-time passwords from hardware tokens or SMS. They are making a costly mistake.

SMS and hardware token-based solutions are expensive. Every hardware dongle sent to a user, and every text message sent with a code, adds expense. At any kind of scale, that's a huge drain on resources. Hardware tokens may not carry a cost for each use, but manufacturing and distributing them is costly. Add in the cost of replacing broken or misplaced tokens and it's an even larger ongoing cost.

If the hardware tokens are ever compromised, the time – and reputation – lost in replacing these is huge. In 2011, RSA had to replace 40 million SecurID tokens after a hacking attack. Even if each only costs pennies, that's a massive cost in manufacture and distribution.

They can, perhaps, afford to make this mistake. Google in particular have a history of launching ill-considered products such as Wave and Buzz, but most companies cannot afford to take the same risks.

At the moment, there are two options to deploy this level of security: pay upfront (prohibitively expensive), or build it yourself (requires expertise and lots of resources; not everyone can build Pingit like Barclays). This means that unless you can build it or pay upfront you cannot offer the highest level of security to customers, and that hits smaller businesses and start-ups hardest. That's not fair.

The issue in the long term is that people just don't like these solutions. Making someone carry around an extra dongle on their keyring or in their wallet is neither convenient nor user-friendly, and neither is clogging up their phone with messages.

People want the convenience of one-factor authentication. They need the protection of two-factor authentication – but they hate the way it's often implemented. Just ask the popular Facebook groups 'Scrap the HSBC Secure Key', 'Hands up if you hate the HSBC Secure Key' and 'I hate Barclays PINsentry' how they feel about their banks' two-factor authentication.

If one-factor authentication is insecure, and one-time-password methods are too expensive and often disliked, then what's the alternative? The answer is a 'something you have' that almost all of us have with us every second of the day, using it to an often obsessive degree: the smart device.

Rather than receiving a unique code via SMS or a keyfob (and then having to copy the code over to the application), it is possible to replace this process by a more secure one that uniquely recognises the user's smartphone or tablet, and has the user choose a PIN - convenient and familiar for the user and securing their data without irritating them. This method can be used not just to authenticate mobile services, but any online service, even in-store purchases.
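To make the two-factor idea above concrete (a device-bound secret as 'something you have', a user-chosen PIN as 'something you know', with no code to copy over), here is an added illustrative model. It is constructed for this article and is not Encap's product, nor any bank's or vendor's protocol; the `Device` and `Server` classes, the PBKDF2 credential derivation and the lockout threshold are all assumptions made for the example. It uses a shared symmetric credential for brevity; a production design would rather keep an asymmetric key on the device so the server stores only a public key.

```python
import hashlib
import hmac
import secrets

# Constructed example of device-bound two-factor authentication (not a real product).
# Factor 1, "something you have": a secret generated on the phone at enrolment that
#   never leaves it. Factor 2, "something you know": a short PIN typed by the user.
# Both are combined into one credential; the server stores it and checks a
# challenge-response against it, so neither the PIN nor the device secret is sent.

MAX_FAILED_ATTEMPTS = 5  # PINs are short, so the server must limit guesses (assumed value)


def derive_credential(device_secret: bytes, pin: str) -> bytes:
    # Slow KDF: a stolen server record cannot quickly be reversed to the PIN, and the
    # 256-bit device secret acts as the salt, so the PIN alone is useless to an attacker.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), device_secret, 100_000)


class Device:
    """The user's smartphone: holds the device-bound secret and asks for the PIN at use."""

    def __init__(self) -> None:
        self.device_secret = secrets.token_bytes(32)  # created at enrolment, never transmitted

    def enrol(self, pin: str) -> bytes:
        # The derived credential is registered with the server once, at enrolment.
        return derive_credential(self.device_secret, pin)

    def answer(self, challenge: bytes, pin: str) -> bytes:
        # Responds to a fresh server challenge; the PIN itself is never transmitted.
        key = derive_credential(self.device_secret, pin)
        return hmac.new(key, challenge, hashlib.sha256).digest()


class Server:
    """The online service: stores one credential per user device and issues challenges."""

    def __init__(self) -> None:
        self.credentials: dict[str, bytes] = {}
        self.failed: dict[str, int] = {}
        self.pending: dict[str, bytes] = {}

    def register(self, user: str, credential: bytes) -> None:
        self.credentials[user] = credential
        self.failed[user] = 0

    def challenge(self, user: str) -> bytes:
        # A fresh random nonce per login, so a captured response cannot be replayed.
        nonce = secrets.token_bytes(16)
        self.pending[user] = nonce
        return nonce

    def verify(self, user: str, response: bytes) -> bool:
        if self.failed.get(user, 0) >= MAX_FAILED_ATTEMPTS:
            return False  # locked: too many wrong PIN attempts against this credential
        nonce = self.pending.pop(user, None)
        if nonce is None:
            return False  # no outstanding challenge: a replay or out-of-order response
        expected = hmac.new(self.credentials[user], nonce, hashlib.sha256).digest()
        if hmac.compare_digest(expected, response):
            self.failed[user] = 0
            return True
        self.failed[user] += 1
        return False


def demo() -> dict:
    """Enrols one phone, then runs the login scenarios discussed above; returns the outcomes."""
    server, phone = Server(), Device()
    server.register("alice", phone.enrol("4821"))

    ok = server.verify("alice", phone.answer(server.challenge("alice"), "4821"))
    wrong_pin = server.verify("alice", phone.answer(server.challenge("alice"), "0000"))

    # Shoulder-surfer: knows the PIN but holds a different phone, so the credential differs.
    other_phone = Device()
    stolen_pin = server.verify("alice", other_phone.answer(server.challenge("alice"), "4821"))

    # Eavesdropper: replays a previously valid response against a new challenge.
    nonce = server.challenge("alice")
    good = phone.answer(nonce, "4821")
    server.verify("alice", good)
    server.challenge("alice")
    replay = server.verify("alice", good)

    # Bag-snatcher with the phone but not the PIN: guessing is cut off by the lockout.
    for _ in range(MAX_FAILED_ATTEMPTS):
        server.verify("alice", phone.answer(server.challenge("alice"), "9999"))
    locked_out = server.verify("alice", phone.answer(server.challenge("alice"), "4821"))

    return {"ok": ok, "wrong_pin": wrong_pin, "stolen_pin": stolen_pin,
            "replay": replay, "locked_out": locked_out}


if __name__ == "__main__":
    print(demo())
```

The model makes the article's point visible: the PIN on its own fails on any other phone, the phone on its own fails without the PIN and is stopped by the lockout, and a captured response is useless against the next challenge, all without a code being typed across from a text message or keyfob.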

Technology companies such as Facebook and Google rely on a slick and seamless experience to keep their users using their service. Customers of financial institutions are a little less flighty, but customer service is key to reducing customer churn. Rushing to implement a sub-optimal two-factor authentication solution could cost them more than just money.

Thomas Bostrøm Jørgensen is CEO of Encap
