Reshaping Design Paradigms for Security

Human error has always plagued security architects. Whether it enters through social engineering such as phishing or through poor password hygiene, human error has traditionally been treated as something outside the scope of computer security: a people problem rather than a design problem.

Organizations have responded with phishing education and phishing simulations, password complexity requirements, and USB drops meant to identify the “weak links” for remediation (or simply to play the blame game). These efforts are costly and largely ineffective because they miss the mark: classroom training does not address the core issue, which is that the design itself is vulnerable to human error. Putting the onus back on the person who made the mistake is far from good design!

Instead, good security design should ask why human error leads to these vulnerabilities and then change the design to reduce the opportunity for it to do so. That may sound like a tall order, but there is a fantastic and widespread example of it: WebAuthn. Account takeover is among the most damaging attacks a business faces, and the lowest barrier to it is often the very thing entrusted with keeping accounts safe: authentication.

Because of the shortcomings of other forms of multi-factor authentication, the FIDO Alliance published the Universal Second Factor (U2F) standard in 2014, and the first security-key hardware shipped the same year. U2F has since been folded into the FIDO2 project, whose browser-facing half is the W3C’s WebAuthn. What makes WebAuthn worth a case study is the way its design made usability and security complement each other.

WebAuthn and its predecessor U2F are open authentication standards. A secret cryptographic seed is generated on a microprocessor embedded in a device the size of a house key, commonly called a “security key.” The microprocessor performs the cryptographic operations itself, using strong, modern public-key cryptography to prove the user’s identity without ever giving the secret away. The device is attached to a computer via USB (NFC and Bluetooth variants exist as well), but unlike a USB drive it offers no way for the host it is attached to to read the secret out, in essence acting as a small hardware security module. Each registration produces a separate key pair bound to the domain (the relying party) that requested it, and every signed response includes the origin the browser actually saw. That makes the design privacy-preserving, since sites cannot correlate a user across registrations, and it stops a phishing site from relaying a challenge as a man in the middle, because a response produced for the wrong origin is simply rejected. Because security keys are designed to be analogous to house keys, users can protect their online identities the same way they protect their house keys, and the model is instinctive: hand over your keys, and you hand over your access. Unlike giving away a password, losing a physical key leaves you with one less, so it is easy to notice when one has been stolen!

From the user’s standpoint, setting up WebAuthn is simple: when prompted, insert the key into a USB port and press the button. Backups are handled by repeating the process with a second key, which can then sit on a shelf, analogous to a spare house key (with one caveat: the spare must be registered with each account up front, since it cannot be enrolled after the primary key is lost). Logging in is the same workflow: insert the key, press the button, done. This simplicity gives WebAuthn a considerable advantage over most other forms of remote authentication; it actively rewards users for choosing stronger authentication by making it the more convenient option.

In short, WebAuthn trains users to rely on strong, modern cryptography and a hardware security module for authentication because doing so is even easier than typing “Password1!”.

The effects are measurable. Google required all of its employees to authenticate with security keys, and in 2018 reported that it had seen no confirmed employee account takeovers since the rollout.

This should serve as inspiration for future design. When shaping your organization’s policies and security architecture, consider that the best security is sometimes the security that does not put on a show for your users but instead makes the secure path the rewarding one. Rather than opening a phone and reading and typing a code that expires every thirty seconds, they just press the button. Instead of memorizing long, complex passwords and maintaining, synchronizing and backing up a password manager database, they just press the button. No need to go through the exercise of sending a Certificate Signing Request to a Certificate Authority for validation and then keeping a long-lived client-certificate private key safe for years: just press the button! Microsoft has gone further still: with Windows Hello and FIDO2 security-key sign-in, the security key can be the only credential, so users can go entirely passwordless, which eliminates the risk that they circumvent password complexity requirements with a weak or reused password.

WebAuthn is a success story in more than one way: not just as the introduction of a new security standard, an advance in account security, or the adoption of a new technology, but as proof that engineering can triumph over user error. This is security by design: implementing an engineering control rather than trying to undo a lifetime of computer use that has trained people to dismiss warnings, click through “Are You Sure?” confirmations, and give away passwords. Sure, you can’t fix users, but as examples like WebAuthn have shown, if your security architecture and design make usability and security go hand in hand, you won’t have to.
