Virtually all of our private data, from the documents on our laptops to the data we store in the cloud, is protected by passwords. However, while passwords are a ubiquitous and integral component of authentication systems, they are often a weak link prone to exploitation by hackers, insiders, and others.
Ideally a password is a long, randomly generated combination of letters, numbers, and symbols, such as “2',0'&3mL15k.” Additionally, each randomly generated password should be used only for a specific website, application, or device; otherwise, a password retrieved via a vulnerable website or device could lead to a cascade of compromised passwords. A password manager, such as 1Password or KeePass, should be used to ease the burden of generating and managing a large number of passwords.
The reality of password management is, however, an entirely different matter. We humans are creatures of habit with poor memories, and as a result choose to use the same, easy-to-remember passwords for many if not all of our various logins. “Password,” for example, is one of the most frequently used passwords.
A recent survey by internet security firm Webroot underscores the sorry state of password security:
- 4 in 10 respondents shared passwords with at least one person in the past year
- Nearly 4 in 10 respondents use the same password for multiple websites
- Almost half of all users never use special characters (e.g., ! & $ #) in their passwords
- 2 in 10 users use readily available personal information, such as a birth date or pet’s name, as a password.
Despite endless admonitions to the contrary, many of us continue to use easy-to-guess passwords that are shared across many logins, and sometimes among friends and colleagues. When it comes to protecting sensitive data, especially confidential client data, a shared, weak password clearly leaves some room to be desired.
So the question is: can we do better than solely relying on passwords to protect our confidential information? Thanks to advances in technology over the last decade, the answer is “yes.”
Biometric security has been integrated into many laptops, desktops, and newer versions of Windows. Biometric security refers to using a unique aspect of a user’s biology, such as a fingerprint or iris, for authentication. In the case of fingerprint-based biometric security, for example, instead of a typing in a password, you gain access to your computer by scanning your fingerprint. Password management software tailored for biometric identification will automatically generate and keep track of secure passwords for each website you visit, allowing you access on subsequent visits with a simple finger swipe.
While fingerprint identification sounds good on paper, it has several disadvantages. Fingerprint readers are not necessarily available on every machine you’ll want to access data on, and smartphones such as the iPhone don’t come with fingerprint readers. Without universal accessibility, the practical benefits of fingerprint-based biometric security are severely compromised.
Recent technical innovations promise to take biometric security to the next level. Recently filed patents from Apple, Inc., reveal plans for the company to use the front-facing camera and microphone on a computer, iPhone, or iPad to identify a user. If the device recognizes the face of a known user, it will automatically provide access to the user’s account. The company also patented an approach for using a computer’s microphone to identify a user’s unique heartbeat.
The question of password security is especially relevant for cloud-based services. Unlike desktops or mobile phones, where physical access to the device in addition to a password is required, cloud-based services are typically available to the entire Internet—armed with your password, anyone can access your cloud-based data.
A technology called two-factor authentication promises to strengthen the security of the cloud. Rather than using just a password to login to your cloud-based service, your password must be accompanied by a second, one-time-use PIN. This PIN can be sent to you via a variety of channels: via email, an SMS text message, or via a specialized keyfob. Without both your password and the one-time use PIN, you cannot access your cloud-based data.
Two-factor authentication means a hacker or other ill-intentioned individual cannot access your sensitive data without access to a secure communication channel that only you should have access to. Typical password hacking techniques, such as brute-force dictionary attacks, have no hope of succeeding against two-factor authentication.
Two-factor authentication is seeing increased adoption among cloud-based providers. Google recently announced that it will adopt two-factor authentication for millions of Google Apps users. Two-factor authentication has also recently arrived in legal cloud computing space: Clio announced two-factor authentication for its web-based practice management suite (full disclosure: Clio is my company).
Biometric security and two-factor authentication both significantly bolster what is traditionally the weakest link in the security and authentication chain. Expect both to become more commonplace in the coming years. While the password will never die, its days as the sole method of proving your identity are numbered.
Jack Newton is cofounder and president of Clio, a leading provider of cloud-based practice management software. Jack holds an M.Sc. in computer science from the University of Alberta, and has more than 10 years of experience building start-ups and web applications. Jack holds three software-related patents in the United States and EU. He has also spoken at CLE seminars on how practice management systems can be used to help a lawyer practice ethically and competently. Jack has also written and spoken on cloud computing in general, and specifically on the ethics, privacy, and security issues relating to the use of cloud computing in the legal market.
© Copyright 2011, American Bar Association.